urelas | 084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963db

General

Target

084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe
Size

336KB
MD5

1b86aa4c7c6b949ca2bb3f9dcb7da180
SHA1

03f2fb8c4293107e31ea4bd79caa450f2481bc5b
SHA256

084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963db
SHA512

3f4ff90189221e07ca303fab43df3d9056f7fdce115af757c268450d904968537abd370e4000261ec5b82394d563bfe6c27555386b75987d4ec1a0b396a556c3
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcV8:vHW138/iXWlK885rKlGSekcj66cil

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2332	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2092	ysxow.exe
1560	hylon.exe

Loads dropped DLL 2 IoCs

pid	Process
2288	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe
2092	ysxow.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ysxow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hylon.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe
1560	hylon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2092	2288	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe	30
PID 2288 wrote to memory of 2092	2288	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe	30
PID 2288 wrote to memory of 2092	2288	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe	30
PID 2288 wrote to memory of 2092	2288	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe	30
PID 2288 wrote to memory of 2332	2288	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe	31
PID 2288 wrote to memory of 2332	2288	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe	31
PID 2288 wrote to memory of 2332	2288	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe	31
PID 2288 wrote to memory of 2332	2288	084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe	31
PID 2092 wrote to memory of 1560	2092	ysxow.exe	34
PID 2092 wrote to memory of 1560	2092	ysxow.exe	34
PID 2092 wrote to memory of 1560	2092	ysxow.exe	34
PID 2092 wrote to memory of 1560	2092	ysxow.exe	34

C:\Users\Admin\AppData\Local\Temp\084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe
"C:\Users\Admin\AppData\Local\Temp\084be61c6eb8252d5e2712badce7f4561518bce50c0c088ec74a9cd7ff9963dbN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\ysxow.exe
  "C:\Users\Admin\AppData\Local\Temp\ysxow.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\hylon.exe
    "C:\Users\Admin\AppData\Local\Temp\hylon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
67a56aaa62b91c3cd7aab35fcd3af867

SHA1
98bb1c207b8abe6cb9effd63acc12e38eadfe2da

SHA256
daeac78219c24c64d8f1edb80059e024de0c7a900d94d542056a4cad73d35a18

SHA512
5d1d7065979ca65d42eb9e2d67feaed27459b2336023b9a736fe45cc1c34bad22d3dab3f956fd1de064bdd08ccc5eb11dab98c630da9c8c520b5102b2e7e6570

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
974eefd148655ae629bdc14d8a339f3c

SHA1
44ada3e870128ac7dad955e84ca5088011cf70c3

SHA256
38113a79683ab289e06cedc3270b007f67af6f1939fe90e28c99882dcc6dae3a

SHA512
3cb694bd82b3360bd8fb4d157d68ef41908924680b982e9e29207c787f46166d41b26538c28f2ed8bd94554a6e766b83902c29fa41af2263a2194281a1d17876

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysxow.exe

Filesize
336KB

MD5
07ca9f085bc1307b9893030fee2f8774

SHA1
f59fec993157a8d3d3b264e66dc3c9b8f05ef70d

SHA256
376f218d3ca6a99035d95dfe1506cbe0b18f31d7cd81eddea1265f3ae90c5b5b

SHA512
6756763f9d7d7548e1a2165e7d563b3fa24396fabde2a28156a89d0d403b2ba749e4b74d021007ec790d5d074efd678a17109553fa0c62683bc4241e73b1cd10

Download Submit
\Users\Admin\AppData\Local\Temp\hylon.exe

Filesize
172KB

MD5
f7375132c0105f687f5131e17ebb0439

SHA1
830fbb56803da9f4f93a86b1d7d0bc7297d320a2

SHA256
a1b154f115d3c5304c51948447287066ae65bffb3d63c7687110c47a57864bb2

SHA512
b871b063860140f8498095f0528bfe4f05308e35c96a6a797875b5ebacf5f52ec3838f833ba289ddd84d9ac650826eb7c44281d84a5c7381c758ed61ab718b62

Download Submit
memory/1560-48-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/1560-47-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/1560-42-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/1560-43-0x0000000000290000-0x0000000000329000-memory.dmp

Filesize
612KB

Download
memory/2092-41-0x0000000001060000-0x00000000010E1000-memory.dmp

Filesize
516KB

Download
memory/2092-24-0x0000000001060000-0x00000000010E1000-memory.dmp

Filesize
516KB

Download
memory/2092-37-0x0000000003290000-0x0000000003329000-memory.dmp

Filesize
612KB

Download
memory/2092-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2092-18-0x0000000001060000-0x00000000010E1000-memory.dmp

Filesize
516KB

Download
memory/2288-20-0x00000000002E0000-0x0000000000361000-memory.dmp

Filesize
516KB

Download
memory/2288-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2288-17-0x00000000006A0000-0x0000000000721000-memory.dmp

Filesize
516KB

Download
memory/2288-0-0x00000000002E0000-0x0000000000361000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing