urelas | 4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6

General

Target

4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe
Size

335KB
MD5

8e592493f4396101c59cc31a5176b580
SHA1

a982d8305da273c5517f3cd35176c8146ee97bb4
SHA256

4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6
SHA512

8d7adf013194a3d1507d05956996a05f3e961816f6df800f5cf9e97499b9ee7393dd6d3d4544131eeff513cd1cc44a2cf2e024c19355090a1b48c966a99d6164
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIrY:vHW138/iXWlK885rKlGSekcj66ciy

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2824	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2696	zyfyn.exe
2492	jofub.exe

Loads dropped DLL 2 IoCs

pid	Process
1488	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe
2696	zyfyn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zyfyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jofub.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe
2492	jofub.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2696	1488	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe	29
PID 1488 wrote to memory of 2696	1488	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe	29
PID 1488 wrote to memory of 2696	1488	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe	29
PID 1488 wrote to memory of 2696	1488	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe	29
PID 1488 wrote to memory of 2824	1488	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe	30
PID 1488 wrote to memory of 2824	1488	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe	30
PID 1488 wrote to memory of 2824	1488	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe	30
PID 1488 wrote to memory of 2824	1488	4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe	30
PID 2696 wrote to memory of 2492	2696	zyfyn.exe	32
PID 2696 wrote to memory of 2492	2696	zyfyn.exe	32
PID 2696 wrote to memory of 2492	2696	zyfyn.exe	32
PID 2696 wrote to memory of 2492	2696	zyfyn.exe	32

C:\Users\Admin\AppData\Local\Temp\4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe
"C:\Users\Admin\AppData\Local\Temp\4af9cc7061bb604a8091424c394ac23aaf16e7031ecdb9048714cc89c64745d6N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\zyfyn.exe
  "C:\Users\Admin\AppData\Local\Temp\zyfyn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\jofub.exe
    "C:\Users\Admin\AppData\Local\Temp\jofub.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
97165f500ef26497cbb33f984ff6ed11

SHA1
936c9548cda4108c60f3b15f9736199e97ae0170

SHA256
782352fb18b89f636c1f1664309984b1853e1a6567513e45ef4dc445e93893b3

SHA512
1b30599891aa07950850a7ac7ae34316501ee6f3ea01ce0c26af443c71e8e419ba4341d80f0a74362944b1b0cfad8afba38094f543fdd1995c81241e9c061081

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3a23414a505e6fd3e6d9459a52d24b37

SHA1
58a279715d18a0f4ced827d75fc7fabe0bcc9acb

SHA256
18644c7aab53debd9e1d0dac028043fe397d7254fdff26b3babdcd9b4f3b6096

SHA512
92d02f8db2be51803524576223fa64d6f77aac476431254db9bd3d170f6ec0702eca535955a8f79d4925a5ea88db836a5cb56206f171e48d832e568d5b3da138

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyfyn.exe

Filesize
335KB

MD5
689f1a670c4c1caf2f49ff9539509479

SHA1
14e75cb04134d7af46dec7154a46ff24ecd5e2ec

SHA256
12e7cb4ff12ad752e305bcc7621460ef8206efa98f274a63405c3cefab91cbc5

SHA512
e4112a946e7ec5072e272139e9f19432001774dd4084da9c7559a18c727c732800a92d74d57dc580c592fcc2ef5e3b2db00f720332a07a1823c3adeaef566578

Download Submit
\Users\Admin\AppData\Local\Temp\jofub.exe

Filesize
172KB

MD5
452dd06c7b47d8ef60829a042e83ce77

SHA1
354f980098e0863362a239cb4b4b37b2940453d8

SHA256
44531bee8b78d3e85ae5c3bd02b9e9361eb7e258ebb6c0e93c5277af7aac500a

SHA512
d2afe0d07c4c51d772ae45ee0fe81abea30df0908fa216db671c18ca71b9388a73a110280c2251775f5c18499059da70c52bdeffcec32731898e157f8822b184

Download Submit
\Users\Admin\AppData\Local\Temp\zyfyn.exe

Filesize
335KB

MD5
898a1257cdcbf44462837890cff408e4

SHA1
05701035e519f463330d9e4ea1d0316d94f37777

SHA256
a3cb42d583b1cf85cf078016d61ed44f02f7454381648169dfbe63dba5c58beb

SHA512
b598f31921943c3b81d0b84b85bf860a960a991713e466f31a76e2df4f7f1dc84ade9b12b3912f6d0c58810277cf20674e79c6373ad3067944d4f6e181534080

Download Submit
memory/1488-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1488-0-0x0000000000980000-0x0000000000A01000-memory.dmp

Filesize
516KB

Download
memory/1488-9-0x0000000002970000-0x00000000029F1000-memory.dmp

Filesize
516KB

Download
memory/1488-20-0x0000000000980000-0x0000000000A01000-memory.dmp

Filesize
516KB

Download
memory/2492-49-0x0000000000370000-0x0000000000409000-memory.dmp

Filesize
612KB

Download
memory/2492-48-0x0000000000370000-0x0000000000409000-memory.dmp

Filesize
612KB

Download
memory/2492-42-0x0000000000370000-0x0000000000409000-memory.dmp

Filesize
612KB

Download
memory/2492-43-0x0000000000370000-0x0000000000409000-memory.dmp

Filesize
612KB

Download
memory/2696-11-0x0000000000EC0000-0x0000000000F41000-memory.dmp

Filesize
516KB

Download
memory/2696-41-0x0000000000EC0000-0x0000000000F41000-memory.dmp

Filesize
516KB

Download
memory/2696-38-0x0000000004040000-0x00000000040D9000-memory.dmp

Filesize
612KB

Download
memory/2696-24-0x0000000000EC0000-0x0000000000F41000-memory.dmp

Filesize
516KB

Download
memory/2696-23-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2696-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing