urelas | ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1

General

Target

ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe
Size

336KB
MD5

36d0dc1c7948e2aa55e3bda8294bd3c0
SHA1

9cf4e9855e98155b29ac017e374058c4c34c36b3
SHA256

ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1
SHA512

852412a2cd920486b664569765f39d71119785ceb8580888405e8858f0c6a8c8906b7f903a10607ad17d50674aa9d04af6819b3f976f7cb48887c9a71370f899
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKo1:vHW138/iXWlK885rKlGSekcj66ciI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2696	roefs.exe
1916	teegt.exe

Loads dropped DLL 2 IoCs

pid	Process
2872	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe
2696	roefs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teegt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	roefs.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe
1916	teegt.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2696	2872	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe	30
PID 2872 wrote to memory of 2696	2872	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe	30
PID 2872 wrote to memory of 2696	2872	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe	30
PID 2872 wrote to memory of 2696	2872	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe	30
PID 2872 wrote to memory of 2640	2872	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe	31
PID 2872 wrote to memory of 2640	2872	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe	31
PID 2872 wrote to memory of 2640	2872	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe	31
PID 2872 wrote to memory of 2640	2872	ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe	31
PID 2696 wrote to memory of 1916	2696	roefs.exe	33
PID 2696 wrote to memory of 1916	2696	roefs.exe	33
PID 2696 wrote to memory of 1916	2696	roefs.exe	33
PID 2696 wrote to memory of 1916	2696	roefs.exe	33

C:\Users\Admin\AppData\Local\Temp\ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe
"C:\Users\Admin\AppData\Local\Temp\ad1b8bb7a2b331d51e92c4f76048e62e6cdef9aa1f3486652f1565e7aa36a9f1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\roefs.exe
  "C:\Users\Admin\AppData\Local\Temp\roefs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\teegt.exe
    "C:\Users\Admin\AppData\Local\Temp\teegt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b0c0e41b9e3e0128b1506ee4bf214213

SHA1
41bb14bf022701f64c79f9e8fb4f6707bebe3d85

SHA256
0896bc37715bbc89d61b1a0e1127c54168b21055fa6c344b58c003e18931251e

SHA512
bb399fb366376dd47279ac6d391c84b3819e8c34e64886869953c25f232168908082da1b9cdd379dc7f18600c3d976a35579e3856079ef15ee1d2b8ead16549f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
00de87e39d66c2500ee8b4794c155290

SHA1
162d6b5327b7d10a18ea37ce6cf7ab144d3f2002

SHA256
188b25a12870e59b7e43040a935c4563b66722c7afa9313a2f7a707eb70133e0

SHA512
e39480d47de51398bafebb9af6301507ab252572abf54e538ec6be22d5f1c72d2f925ef4b33e4f8a75f316554ed029c08c72546dd25262cb0f3d72b9d9443afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\roefs.exe

Filesize
336KB

MD5
f3d4ea6d93fdb2a6aa49a85f38c7bc00

SHA1
1f23b166fa5774c5c57f3c409bee0a8301449464

SHA256
8ceea2418d3b296ddbde1431e4381a35e5c99d6c90e99302f3760c13a0847296

SHA512
17b7070bdd7699b0514923ef54d1a8bbbe49e413a17440e4bc1a03d434ac8b2af00e85172c1b1ed15dc378ff538779bd58c46182b144f361af77d6d44ea3e314

Download Submit
\Users\Admin\AppData\Local\Temp\roefs.exe

Filesize
336KB

MD5
49d972dbe3eb948f4ce32a8c7cc255dc

SHA1
6ea3cdfb3f46ad5285de31b0d11380acc01fad5c

SHA256
f8e55ce4e137ad41dddbeccb5038ca2de4c3401b4f1aa900d958bb772833840e

SHA512
2ccfa00d35ee223cc9c70d76ca8653c78311a7f4bb30562eccefc4e0f3aaa0b073bb1c5ec698780c0df05de5c14507ceecaa28ee368ec6b58eb48e6d1d012aa7

Download Submit
\Users\Admin\AppData\Local\Temp\teegt.exe

Filesize
172KB

MD5
46014e6fbd33a5df7a41e02859ef0a12

SHA1
da6dd5c4750bbd42093e8ca7340b12c578e2e5a0

SHA256
9d2960c1e2b79d31a1655df7d91487f0982cdbc8f35dbfc95dfb35d90d74d757

SHA512
76f90a84fc8a9f3c8e084f38c4dfc1e5cbb9222c9866e8f5daeff0f04b0d090513b97ccf78dc00b494dfd2ff04f4758d92d547757a32df8f8b0d30a35c584eab

Download Submit
memory/1916-41-0x0000000000220000-0x00000000002B9000-memory.dmp

Filesize
612KB

Download
memory/1916-42-0x0000000000220000-0x00000000002B9000-memory.dmp

Filesize
612KB

Download
memory/1916-47-0x0000000000220000-0x00000000002B9000-memory.dmp

Filesize
612KB

Download
memory/1916-48-0x0000000000220000-0x00000000002B9000-memory.dmp

Filesize
612KB

Download
memory/2696-15-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/2696-23-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/2696-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2696-37-0x0000000003870000-0x0000000003909000-memory.dmp

Filesize
612KB

Download
memory/2696-40-0x0000000000F80000-0x0000000001001000-memory.dmp

Filesize
516KB

Download
memory/2872-8-0x0000000002570000-0x00000000025F1000-memory.dmp

Filesize
516KB

Download
memory/2872-20-0x0000000000C40000-0x0000000000CC1000-memory.dmp

Filesize
516KB

Download
memory/2872-0-0x0000000000C40000-0x0000000000CC1000-memory.dmp

Filesize
516KB

Download
memory/2872-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing