urelas | a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0

General

Target

a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe
Size

337KB
MD5

12c4febe7842f1c68a3f0a9f765fde40
SHA1

1c39ae16432cf448d8658086fb841ac94e56689f
SHA256

a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0
SHA512

4391f4e95ddbde0a2787d4a7ffc6ed6c8149eb65ccd1a0ebf3c4754fbede4588f9825c64fbfa02f57a88d50479f08bbaa792f3d2b40af0894e61d418fb3c6dbd
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcVx:vHW138/iXWlK885rKlGSekcj66ciA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1216	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2144	jykul.exe
1512	ziyzw.exe

Loads dropped DLL 2 IoCs

pid	Process
2408	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe
2144	jykul.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziyzw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jykul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe
1512	ziyzw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2144	2408	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe	30
PID 2408 wrote to memory of 2144	2408	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe	30
PID 2408 wrote to memory of 2144	2408	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe	30
PID 2408 wrote to memory of 2144	2408	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe	30
PID 2408 wrote to memory of 1216	2408	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe	31
PID 2408 wrote to memory of 1216	2408	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe	31
PID 2408 wrote to memory of 1216	2408	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe	31
PID 2408 wrote to memory of 1216	2408	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe	31
PID 2144 wrote to memory of 1512	2144	jykul.exe	34
PID 2144 wrote to memory of 1512	2144	jykul.exe	34
PID 2144 wrote to memory of 1512	2144	jykul.exe	34
PID 2144 wrote to memory of 1512	2144	jykul.exe	34

C:\Users\Admin\AppData\Local\Temp\a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe
"C:\Users\Admin\AppData\Local\Temp\a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\jykul.exe
  "C:\Users\Admin\AppData\Local\Temp\jykul.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\ziyzw.exe
    "C:\Users\Admin\AppData\Local\Temp\ziyzw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
41181436eec15a9753b0b37c4e591ab5

SHA1
84a8c0fef8872f9f18932359032a350b7d670e6c

SHA256
010cf65b6b97a6321eaaf8750054275c69fdf24e44168fa828ddd3831aa3ca09

SHA512
24d4ad71cdf5b267dc4a92926ecfb3cf2696912da1a0c50224e8a8ec0fcdd2154aaebb5d337ec6a2706d4d25e5710f527081bb1607539e8d48da3fccf1df911b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
27aeb4f560538c021b7d9e3cb18644a3

SHA1
f53a24ae9965254afcad0e51a1ba36125be471d8

SHA256
6b42e1530972d397ad7c7ef0b9f5900f264c5fd6dfa7432d56214b303f43080a

SHA512
89bd7a83cc60999380acc9bcc996d9d1caae390f00a5b8bf5a2b54807c7987e5108bf45ec44002eb24f96328ef00cef294febbf10501cebbd66f8688ab8ce2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jykul.exe

Filesize
337KB

MD5
bd760a60b9ecd6a0609a280c38a8a37d

SHA1
82fa19f9529e7ddb29c72e70efe291c4a66c94f1

SHA256
38c048c7e1378fd36fee881b7164b11ba395268dc031011983ba7f236374f651

SHA512
07a393194d2ee6d122e79f2139d8955750b8ecaa71122f8e1ca560409b8de42a25295aa5439665a6cbcd637476a8222ccba79b8e48f74bafeb312cae0c1b2081

Download Submit
\Users\Admin\AppData\Local\Temp\ziyzw.exe

Filesize
172KB

MD5
9f946e554728a4ec3ae0a58fc3c66791

SHA1
16b6be949056dacc856aa16844b698c04932a49a

SHA256
781dbc6244f51600ddeff69f9c5b79df7217d81e18420cdcf0c4e4933d207db8

SHA512
dca8bd4e2bfd69585a955de083de88942675f2c8eb55292fa182864481a8ed53b9c414e77390fe150666f46135d9ab94b96114f8432a7532c27747ba36e91e30

Download Submit
memory/1512-48-0x0000000000CD0000-0x0000000000D69000-memory.dmp

Filesize
612KB

Download
memory/1512-47-0x0000000000CD0000-0x0000000000D69000-memory.dmp

Filesize
612KB

Download
memory/1512-43-0x0000000000CD0000-0x0000000000D69000-memory.dmp

Filesize
612KB

Download
memory/1512-42-0x0000000000CD0000-0x0000000000D69000-memory.dmp

Filesize
612KB

Download
memory/2144-24-0x0000000000E90000-0x0000000000F11000-memory.dmp

Filesize
516KB

Download
memory/2144-20-0x0000000000E90000-0x0000000000F11000-memory.dmp

Filesize
516KB

Download
memory/2144-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2144-41-0x0000000000E90000-0x0000000000F11000-memory.dmp

Filesize
516KB

Download
memory/2144-39-0x0000000002C50000-0x0000000002CE9000-memory.dmp

Filesize
612KB

Download
memory/2408-19-0x0000000000360000-0x00000000003E1000-memory.dmp

Filesize
516KB

Download
memory/2408-0-0x0000000000360000-0x00000000003E1000-memory.dmp

Filesize
516KB

Download
memory/2408-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2408-16-0x00000000026E0000-0x0000000002761000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing