urelas | 2c5e1bce9e3c5c9ebdd258d9b179eb03110306638cdeb6b32b182de4924d9d88

General

Target

2c5e1bce9e3c5c9ebdd258d9b179eb03110306638cdeb6b32b182de4924d9d88.exe
Size

505KB
MD5

bd35f0407a0cf61a87a380c74c366287
SHA1

20930e309ef62b4059d380c328f61f787da8fa5b
SHA256

2c5e1bce9e3c5c9ebdd258d9b179eb03110306638cdeb6b32b182de4924d9d88
SHA512

735688a7a400efb6576d72fd792a43597b4fa337c536399c3a5fc3b3d1b37fc4d88a78f69b99dcb2c67b953c66653e88fb74d8f84b2f5e57ae035e8c14866286
SSDEEP

12288:N/fCEOMsm8nc3qWQ8wqKhb43nLl5tDrXlFo:N/D0caF8wvhb43pDbo

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2672	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2928	culuv.exe
1520	mohuu.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	2c5e1bce9e3c5c9ebdd258d9b179eb03110306638cdeb6b32b182de4924d9d88.exe
2928	culuv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c5e1bce9e3c5c9ebdd258d9b179eb03110306638cdeb6b32b182de4924d9d88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	culuv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mohuu.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe
1520	mohuu.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2928	2656	2c5e1bce9e3c5c9ebdd258d9b179eb03110306638cdeb6b32b182de4924d9d88.exe	30
PID 2656 wrote to memory of 2928	2656	2c5e1bce9e3c5c9ebdd258d9b179eb03110306638cdeb6b32b182de4924d9d88.exe	30
PID 2656 wrote to memory of 2928	2656	2c5e1bce9e3c5c9ebdd258d9b179eb03110306638cdeb6b32b182de4924d9d88.exe	30
PID 2656 wrote to memory of 2928	2656	2c5e1bce9e3c5c9ebdd258d9b179eb03110306638cdeb6b32b182de4924d9d88.exe	30
PID 2656 wrote to memory of 2672	2656	2c5e1bce9e3c5c9ebdd258d9b179eb03110306638cdeb6b32b182de4924d9d88.exe	31
PID 2656 wrote to memory of 2672	2656	2c5e1bce9e3c5c9ebdd258d9b179eb03110306638cdeb6b32b182de4924d9d88.exe	31
PID 2656 wrote to memory of 2672	2656	2c5e1bce9e3c5c9ebdd258d9b179eb03110306638cdeb6b32b182de4924d9d88.exe	31
PID 2656 wrote to memory of 2672	2656	2c5e1bce9e3c5c9ebdd258d9b179eb03110306638cdeb6b32b182de4924d9d88.exe	31
PID 2928 wrote to memory of 1520	2928	culuv.exe	33
PID 2928 wrote to memory of 1520	2928	culuv.exe	33
PID 2928 wrote to memory of 1520	2928	culuv.exe	33
PID 2928 wrote to memory of 1520	2928	culuv.exe	33

C:\Users\Admin\AppData\Local\Temp\2c5e1bce9e3c5c9ebdd258d9b179eb03110306638cdeb6b32b182de4924d9d88.exe
"C:\Users\Admin\AppData\Local\Temp\2c5e1bce9e3c5c9ebdd258d9b179eb03110306638cdeb6b32b182de4924d9d88.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\culuv.exe
  "C:\Users\Admin\AppData\Local\Temp\culuv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\mohuu.exe
    "C:\Users\Admin\AppData\Local\Temp\mohuu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
e68ba48fc4a2206e5b34d59319f37a9b

SHA1
80c8ad7fd2874a0c69f1fffdec58d283196f6a7e

SHA256
f360cbdbac54ebe4dfc65cf810fffb4eebbd5796768420441178a85e46db54fe

SHA512
9b6e820618c80c68d037b9afbbdcfda6975acdd62764e8539e9be536e61ae3bc173170090c8d2858f31074dc82bb254bd9798ac42d9f924f803240e717bf1cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c23fb0c6299b0bf0b4cd1aeb04bebc4b

SHA1
1fcf0d62d99865027618abdcf1bb516e9a3a8bd9

SHA256
cd86f0d2986a09e77c8546fb2a9023cf684e07dfb1f45558e17da8d7988c9a4b

SHA512
321b91e9d5efd2bb20a42ebd6d51830ecfbe6aa2b00c17b461f2777cd19ed9c71f269041c796881617f6fe3c709e24919937108787d97c42daf8807780bd8ae2

Download Submit
\Users\Admin\AppData\Local\Temp\culuv.exe

Filesize
505KB

MD5
f0c40277ce6abfbd52d1b5b30da14b5c

SHA1
3422ea07bcc3ba3af01e7cf06a1f3a0532461561

SHA256
39ed5681c4cbc6f5ad0579a5cccf73bed76d23d37b7219f8e44bac3ea6f3b91c

SHA512
82f8d666fd5084286d6161ea0ea3574c8a1483201612d07869cfb55b9cd1af24ae488c6f41a91a60a283c2984b7a3b40e6b3160a12d704882c07363f156c4812

Download Submit
\Users\Admin\AppData\Local\Temp\mohuu.exe

Filesize
218KB

MD5
80d228e9d965c7ab692ffd640833afb6

SHA1
ce16867218dca86b3e84483ce6cb31ba030cee78

SHA256
51178dd5e991f516fdd3897fcdda4bafe85117ccb4c6b669d1a95f9c4b73a016

SHA512
c34ba77f99b60ce884757372459d209a6d3b9aff584856232ae7c1924bf8a116783cc6cd654563ac9c81273a63a7a9a61bf24d3749e19c13769842f6d24c8b63

Download Submit
memory/1520-30-0x00000000002D0000-0x000000000038B000-memory.dmp

Filesize
748KB

Download
memory/1520-31-0x00000000002D0000-0x000000000038B000-memory.dmp

Filesize
748KB

Download
memory/2656-0-0x0000000001110000-0x0000000001196000-memory.dmp

Filesize
536KB

Download
memory/2656-6-0x0000000002E80000-0x0000000002F06000-memory.dmp

Filesize
536KB

Download
memory/2656-17-0x0000000001110000-0x0000000001196000-memory.dmp

Filesize
536KB

Download
memory/2928-20-0x00000000002D0000-0x0000000000356000-memory.dmp

Filesize
536KB

Download
memory/2928-25-0x0000000002780000-0x000000000283B000-memory.dmp

Filesize
748KB

Download
memory/2928-28-0x00000000002D0000-0x0000000000356000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing