urelas | d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164

General

Target

d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe
Size

336KB
MD5

36e12de34b6b64b1f73b9fa0a81c0b8e
SHA1

04468d239653de56d849aa888cda17243b2ccd52
SHA256

d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164
SHA512

b9c715b6c92cb63c2df631a2120a892a4d9a02792f219febbfb62611b23341ad8422faf861960d797b3baff5d09e474c342b03aedf5e0529378c99937c8b6927
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoU:vHW138/iXWlK885rKlGSekcj66ciN

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2256	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2020	kuqyx.exe
1516	jyuzk.exe

Loads dropped DLL 2 IoCs

pid	Process
796	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe
2020	kuqyx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jyuzk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kuqyx.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe
1516	jyuzk.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 2020	796	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe	28
PID 796 wrote to memory of 2020	796	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe	28
PID 796 wrote to memory of 2020	796	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe	28
PID 796 wrote to memory of 2020	796	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe	28
PID 796 wrote to memory of 2256	796	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe	29
PID 796 wrote to memory of 2256	796	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe	29
PID 796 wrote to memory of 2256	796	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe	29
PID 796 wrote to memory of 2256	796	d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe	29
PID 2020 wrote to memory of 1516	2020	kuqyx.exe	33
PID 2020 wrote to memory of 1516	2020	kuqyx.exe	33
PID 2020 wrote to memory of 1516	2020	kuqyx.exe	33
PID 2020 wrote to memory of 1516	2020	kuqyx.exe	33

C:\Users\Admin\AppData\Local\Temp\d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe
"C:\Users\Admin\AppData\Local\Temp\d44b14b6aef930f5250008ae4042201e5a48b93f6222615f95c88b1c84fcd164.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:796
- C:\Users\Admin\AppData\Local\Temp\kuqyx.exe
  "C:\Users\Admin\AppData\Local\Temp\kuqyx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\jyuzk.exe
    "C:\Users\Admin\AppData\Local\Temp\jyuzk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
75db3e253909f16e19dd402633778525

SHA1
626350eaa1d5a3a27317b08adb093d5be6eb6625

SHA256
d73a1329fad2105dfeb4c7690f0b44f2498f7b0246f65f0812c423c3a45e2ca6

SHA512
4ce319cfc8e1f81deb2dc77123d16824153602bc661dd59a670fec8945f48393c15d134aab62f62be68f3a43da69c5e0767106164bb941d5d621fab1c1422495

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
599a760879f87f47ef1ddd65bf095e1e

SHA1
0f0a4bcb1935c4a2e88cc6dbbe77b96565555c73

SHA256
708a5fa31977d087074c05f34cb924f22b0ca6fef76c43a011f6771d99613118

SHA512
9514562c9929585a3fa77d5c8775cd32e2d1737b761c2cf060175f758135c0845406f368b84aeec28fb9b365e9663fb7edc4d8f3475042e1ec34c605749fa63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuqyx.exe

Filesize
336KB

MD5
c7b3bc0a6cd319cff3299cad9ec1108c

SHA1
1e98131629a4216efff55865bced28e285cdce6d

SHA256
76075209315ddcf948a9abeb0ac41b4bb7e635351934ac4324e92a0830dea864

SHA512
9befcd41dfa161f244f3806f495a4c90c836757c987d6879aafdc4db55f5056114d02fc1a3534cd3aeae258b764b0ff3952d3db45d4c6090e281d440072a5dc3

Download Submit
\Users\Admin\AppData\Local\Temp\jyuzk.exe

Filesize
172KB

MD5
f9621754cb520168c00d5a3f39935396

SHA1
d2139a52d0eddba3b10935e04d6143513fa07a67

SHA256
7bee3bdc50b3a1959823b5757963dd0f43c0f177b22b0423dce981c54ff62e6d

SHA512
9e9692c5d468e6cb3fedcd3eb51122fb4e85cf4dd4e01284008016de6199a1362017f0a5f0a5c06565016c256987df4dd58a98809d3d3d7f9113ae6337b1fd72

Download Submit
\Users\Admin\AppData\Local\Temp\kuqyx.exe

Filesize
336KB

MD5
c0d0c2b1da490d9df3a6d87a9005f7c2

SHA1
1b16730da73e46758f67e9dcd570b972fcf4861a

SHA256
d702aa92435eaced80f910f53ba915c90baf5d0f258a012145e3cc3a5a6fd374

SHA512
dcefe0d499be080306f38a048e1ce34c01c6eeb2aaa09ed0f40025b7a6e141d8b87927c3598b3fee6b881ca51b66a446d5fad11196354b86ba03299f04c574b0

Download Submit
memory/796-0-0x0000000000BB0000-0x0000000000C31000-memory.dmp

Filesize
516KB

Download
memory/796-20-0x0000000000BB0000-0x0000000000C31000-memory.dmp

Filesize
516KB

Download
memory/796-18-0x0000000002910000-0x0000000002991000-memory.dmp

Filesize
516KB

Download
memory/796-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1516-42-0x0000000000B00000-0x0000000000B99000-memory.dmp

Filesize
612KB

Download
memory/1516-45-0x0000000000B00000-0x0000000000B99000-memory.dmp

Filesize
612KB

Download
memory/1516-48-0x0000000000B00000-0x0000000000B99000-memory.dmp

Filesize
612KB

Download
memory/1516-49-0x0000000000B00000-0x0000000000B99000-memory.dmp

Filesize
612KB

Download
memory/2020-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2020-24-0x0000000000050000-0x00000000000D1000-memory.dmp

Filesize
516KB

Download
memory/2020-39-0x0000000002220000-0x00000000022B9000-memory.dmp

Filesize
612KB

Download
memory/2020-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2020-41-0x0000000000050000-0x00000000000D1000-memory.dmp

Filesize
516KB

Download
memory/2020-19-0x0000000000050000-0x00000000000D1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing