urelas | c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83

General

Target

c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe
Size

438KB
MD5

a435c20480499e11de72ea7a4096ce20
SHA1

0c903fcac0c9536f185d4eafa4d7a7d1a067dc87
SHA256

c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83
SHA512

a4d7213cf27f7e5aef254382a3a8d16afc7849346a3be8d7b73fb2ef1dc0ec05fb75175ce716ba31843dd69d369519076b9915f2d94f6c36e9a68d5d56ff519e
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMMG:rKf1PyKa2H3hOHOHz9JQ6zB8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3064	ebuby.exe
2912	obedb.exe

Loads dropped DLL 2 IoCs

pid	Process
2192	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe
3064	ebuby.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obedb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebuby.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe
2912	obedb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 3064	2192	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe	30
PID 2192 wrote to memory of 3064	2192	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe	30
PID 2192 wrote to memory of 3064	2192	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe	30
PID 2192 wrote to memory of 3064	2192	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe	30
PID 2192 wrote to memory of 2616	2192	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe	31
PID 2192 wrote to memory of 2616	2192	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe	31
PID 2192 wrote to memory of 2616	2192	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe	31
PID 2192 wrote to memory of 2616	2192	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe	31
PID 3064 wrote to memory of 2912	3064	ebuby.exe	34
PID 3064 wrote to memory of 2912	3064	ebuby.exe	34
PID 3064 wrote to memory of 2912	3064	ebuby.exe	34
PID 3064 wrote to memory of 2912	3064	ebuby.exe	34

C:\Users\Admin\AppData\Local\Temp\c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe
"C:\Users\Admin\AppData\Local\Temp\c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\ebuby.exe
  "C:\Users\Admin\AppData\Local\Temp\ebuby.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\obedb.exe
    "C:\Users\Admin\AppData\Local\Temp\obedb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b3525d875901ea299860b9136fabb162

SHA1
f49427a03d79a323489ee2bd4ef30db020e323d4

SHA256
1f3cde0d55bfacefce9d2a030892904fcdd5213c6d0f45759d62bed330fcef66

SHA512
d636b39de769d5ff8ea06567482dad7c35647c5fe944fe248adbc3b5355730f29c51787b95b71f398a77ee06b1f1c2c1ed82b89493cdfdd014feb40f58c8f3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
baeb2b408e558955dbaa7da58c8b7c9d

SHA1
d9f6ef0d94f76df7a12c8c35bae4480d8016ac66

SHA256
9d1ea07d5713f45d27ce9c469732bc120b2e8868bcda60df5e60e01f4c7b8880

SHA512
0af46dda8cb0d0bc8ad9eed4aed10bf74bfe41787917a5773fd36ea8caa1c82d52a9fdc2df60bce036c7bd73928c174d5f0ea3cd225c6be2054381696eb7bebf

Download Submit
\Users\Admin\AppData\Local\Temp\ebuby.exe

Filesize
438KB

MD5
17e6887255bdb6e045e2ea75f483c14a

SHA1
27a785ea273fe7001e46938f225c6c7c351bdada

SHA256
c1f3812076b9d3ec67190b0554f887008c783099b3564e29a1597028e6b4a257

SHA512
02795c591e5366e537a7f76e48f51c65c0c3074dc9dd18402ffb8003f1f0a8c4a1c91daff18ebe5af47ef146e6977840c95f5be7f00678e5fcdb21b2f9789df7

Download Submit
\Users\Admin\AppData\Local\Temp\obedb.exe

Filesize
230KB

MD5
5242063d389aafe9b41687b8ae711350

SHA1
94d2b4f3bc44472c4e8f63125e7f4c63a9c21b20

SHA256
a1a084f398ee5720c06dbdf88a1d737fc5d5962f05aaeca3fb172d54ee32a048

SHA512
375609f2adbf7f6aa9b5de929a35336ef500457144d87cb7b68eec60fcd05fc9cfb4cc777185ecdedf14f1a256d80b4a9bf09493e615ca01c821108f0016b528

Download Submit
memory/2192-6-0x00000000023A0000-0x000000000240E000-memory.dmp

Filesize
440KB

Download
memory/2192-0-0x0000000000AE0000-0x0000000000B4E000-memory.dmp

Filesize
440KB

Download
memory/2192-18-0x0000000000AE0000-0x0000000000B4E000-memory.dmp

Filesize
440KB

Download
memory/2912-30-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2912-33-0x0000000000A70000-0x0000000000B0E000-memory.dmp

Filesize
632KB

Download
memory/2912-32-0x0000000000A70000-0x0000000000B0E000-memory.dmp

Filesize
632KB

Download
memory/2912-29-0x0000000000A70000-0x0000000000B0E000-memory.dmp

Filesize
632KB

Download
memory/3064-11-0x0000000000130000-0x000000000019E000-memory.dmp

Filesize
440KB

Download
memory/3064-28-0x0000000000130000-0x000000000019E000-memory.dmp

Filesize
440KB

Download
memory/3064-21-0x0000000000130000-0x000000000019E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing