urelas | 6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb

General

Target

6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe
Size

336KB
MD5

70c6382e43012fb0d1636bc74bb11f90
SHA1

6d483c4af8d32a91b1b8f8da35fedbb4311769d5
SHA256

6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb
SHA512

801f884cd7b2d13d4b7d50b62cea35f78ca32ebce8ebd983c7f7d75b47eee95055b4007f241ffc82ac9f876507b201eed70e15da7e5507b46fdd324a4dcc9be4
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcEGC:vHW138/iXWlK885rKlGSekcj66cih

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1224	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2548	jedew.exe
1012	tamup.exe

Loads dropped DLL 2 IoCs

pid	Process
1860	6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe
2548	jedew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tamup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jedew.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe
1012	tamup.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2548	1860	6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe	30
PID 1860 wrote to memory of 2548	1860	6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe	30
PID 1860 wrote to memory of 2548	1860	6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe	30
PID 1860 wrote to memory of 2548	1860	6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe	30
PID 1860 wrote to memory of 1224	1860	6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe	31
PID 1860 wrote to memory of 1224	1860	6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe	31
PID 1860 wrote to memory of 1224	1860	6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe	31
PID 1860 wrote to memory of 1224	1860	6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe	31
PID 2548 wrote to memory of 1012	2548	jedew.exe	34
PID 2548 wrote to memory of 1012	2548	jedew.exe	34
PID 2548 wrote to memory of 1012	2548	jedew.exe	34
PID 2548 wrote to memory of 1012	2548	jedew.exe	34

C:\Users\Admin\AppData\Local\Temp\6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe
"C:\Users\Admin\AppData\Local\Temp\6e6e918d43bc49be9021b4dd58726fd0ca2c49dd746f31e892bc89e675c26dfb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\jedew.exe
  "C:\Users\Admin\AppData\Local\Temp\jedew.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\tamup.exe
    "C:\Users\Admin\AppData\Local\Temp\tamup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
186c049b7bfe1d05489569beb8542172

SHA1
081b9d4c2a1dfc6988b88c233e7bb1916bda1a11

SHA256
aaf49c1874435bc14654efe628e3d3911e35cb520ded70b3f74075e96bbd29df

SHA512
d50c3242dbdd02e023682ce7ee152fdcfc3f296ec5ada7b7c69b9c9e841771f27c58250900692892d5fe442284f86251d8dfba2fb8ae8963d700ad8f104d36e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3af6a0b403ce7493747ec149315f5d12

SHA1
d35dd36a5c8fba2016b332740bc701f689936924

SHA256
51f468de5e9244599f35f3f3e0382faa13b0dcacf873698f04935d892933ab70

SHA512
c0739357b3ca0f2de565db29585ecd9d16da96539c36ecb37e95b1649f26f923c013f165b06448a1b502ce8c9ac7329cc1b7cfa7b302675ddcb369ff8eefd50c

Download Submit
\Users\Admin\AppData\Local\Temp\jedew.exe

Filesize
336KB

MD5
cdf03feabbae8fe186a0f225f445f9a0

SHA1
032877d697a16fc71619e4e28408e89fdaffc198

SHA256
adabe11a7bcde2895fc7936ec00b17476b4d59789bf45b575414388ef0e2fd4a

SHA512
fe1aa7c4d8ea25bb3a4121666d14fda0ab908d43ac5901d2a484f9de8e5f395fe0a8c0dc75f44416f3e4e30c0e45d00fde1800c2b03248055e48844bd8e4a093

Download Submit
\Users\Admin\AppData\Local\Temp\tamup.exe

Filesize
172KB

MD5
c808bfdb1ef33dfeac96671c9b709376

SHA1
835ac6d64284024f96722bbacf8bc5c59ec2bf15

SHA256
2fd0e747bf278c5097804728da935b3885bdde8f33e3ba020aa172f516a5b410

SHA512
63cade58e0d4040ffeef82329fe36ce10461e1171ac47cc80952a5e1ead4124eef300b4c1985eb91efca7d392fc01e7143b395b75c143b041607c71b8c7a38ed

Download Submit
memory/1012-43-0x0000000000860000-0x00000000008F9000-memory.dmp

Filesize
612KB

Download
memory/1012-44-0x0000000000860000-0x00000000008F9000-memory.dmp

Filesize
612KB

Download
memory/1012-49-0x0000000000860000-0x00000000008F9000-memory.dmp

Filesize
612KB

Download
memory/1012-48-0x0000000000860000-0x00000000008F9000-memory.dmp

Filesize
612KB

Download
memory/1860-0-0x00000000002B0000-0x0000000000331000-memory.dmp

Filesize
516KB

Download
memory/1860-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1860-19-0x00000000002B0000-0x0000000000331000-memory.dmp

Filesize
516KB

Download
memory/1860-10-0x0000000002070000-0x00000000020F1000-memory.dmp

Filesize
516KB

Download
memory/2548-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2548-25-0x0000000000EB0000-0x0000000000F31000-memory.dmp

Filesize
516KB

Download
memory/2548-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2548-42-0x0000000000EB0000-0x0000000000F31000-memory.dmp

Filesize
516KB

Download
memory/2548-40-0x0000000000E00000-0x0000000000E99000-memory.dmp

Filesize
612KB

Download
memory/2548-21-0x0000000000EB0000-0x0000000000F31000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing