urelas | d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad

General

Target

d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe
Size

335KB
MD5

80ae7de058edde7bbdc65889eccc79c0
SHA1

e6ad995afef94c2b82353fe091ba54dc610d1fb9
SHA256

d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad
SHA512

93662b5077180fa1bd52a643a8c209d73bdf7f6324eaf0323c1c4d08058c89124837ad0ebd23ba26797f6a76cf9a7d30887792fc4233ec4be6ce6b585f2d041d
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIrY:vHW138/iXWlK885rKlGSekcj66ciS

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2536	ebfou.exe
1000	lihor.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe
2536	ebfou.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lihor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebfou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe
1000	lihor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2536	2524	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe	30
PID 2524 wrote to memory of 2536	2524	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe	30
PID 2524 wrote to memory of 2536	2524	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe	30
PID 2524 wrote to memory of 2536	2524	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe	30
PID 2524 wrote to memory of 2692	2524	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe	31
PID 2524 wrote to memory of 2692	2524	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe	31
PID 2524 wrote to memory of 2692	2524	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe	31
PID 2524 wrote to memory of 2692	2524	d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe	31
PID 2536 wrote to memory of 1000	2536	ebfou.exe	34
PID 2536 wrote to memory of 1000	2536	ebfou.exe	34
PID 2536 wrote to memory of 1000	2536	ebfou.exe	34
PID 2536 wrote to memory of 1000	2536	ebfou.exe	34

C:\Users\Admin\AppData\Local\Temp\d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe
"C:\Users\Admin\AppData\Local\Temp\d12ab3185c2de04ea4a091a1b01363676330a774632f8c981aa20dfcc47e6aad.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\ebfou.exe
  "C:\Users\Admin\AppData\Local\Temp\ebfou.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\lihor.exe
    "C:\Users\Admin\AppData\Local\Temp\lihor.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
cc7359730ecf5305850fbf9a551cd13e

SHA1
3bfc072700ef72e05f823f9ed435eda37e92e381

SHA256
690fc72c85d81367c9b6232b90a5d5646b8b9edb01f2c39470a9a69a468e9573

SHA512
85ad19d1f2609b511fd2c996330c77b5a6b38f35921aa2591aee71c5aff96564da60359d05a19112fa82e1585d60bb3a72af61660653ec332a17b44a1634b132

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
30493c1d17062deaf20166e8be91e948

SHA1
03fbdf8c6fa1c67f306bfb014f242bd262806dfa

SHA256
50713f3c060ff66d2b2264f8978b2a2417de00530a221082cdfd992974102cab

SHA512
5b9bf6f5dfd9ea3e2ca136d730ad17aad4dadd9a69c132417e734ddaa77d6c7ceadc5e52f30858da0b3e5fb1e93c327d0983e0070fef5dc210d77bf4a76431d8

Download Submit
\Users\Admin\AppData\Local\Temp\ebfou.exe

Filesize
335KB

MD5
32846855f2aa9745d0fd199bfba8f714

SHA1
6df9c46a6ea5c41a09541ff72f0877bbe3e7e686

SHA256
46d1615dad452f26f99b2bf9c0899aec5b8b6cba41094991f0ac6bc3038b6c5c

SHA512
0e92f8e6d5a64dd79789fa4968081988a2252fa465e2cf732bd946e255fbad4fe81c0a64fa1b238fed1b5951638ed416839e11208b46fb825b2ff39ab7b7b349

Download Submit
\Users\Admin\AppData\Local\Temp\lihor.exe

Filesize
172KB

MD5
0b52355ad1dd9327cadeedf819a09bcd

SHA1
c9ee6c4c09883fbde20b680b7756062099498042

SHA256
405f2c7480d9e5bf56b9784d7ca3a8e8b8cad097a4a259fdc037fb23c13fd0cf

SHA512
f1c63ee5b9b653070e23ca839f9524b184ff7194a7717a9ca4f047e42cd71906ba30d7f2ce92185b1cb273fe02cc555a1272961a15379ec784ddac2182b9e8bf

Download Submit
memory/1000-48-0x0000000001030000-0x00000000010C9000-memory.dmp

Filesize
612KB

Download
memory/1000-47-0x0000000001030000-0x00000000010C9000-memory.dmp

Filesize
612KB

Download
memory/1000-42-0x0000000001030000-0x00000000010C9000-memory.dmp

Filesize
612KB

Download
memory/1000-45-0x0000000001030000-0x00000000010C9000-memory.dmp

Filesize
612KB

Download
memory/2524-20-0x0000000000EE0000-0x0000000000F61000-memory.dmp

Filesize
516KB

Download
memory/2524-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2524-9-0x0000000000B50000-0x0000000000BD1000-memory.dmp

Filesize
516KB

Download
memory/2524-0-0x0000000000EE0000-0x0000000000F61000-memory.dmp

Filesize
516KB

Download
memory/2536-24-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/2536-38-0x0000000003E10000-0x0000000003EA9000-memory.dmp

Filesize
612KB

Download
memory/2536-18-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/2536-41-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/2536-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing