urelas | 808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06ab

General

Target

808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe
Size

593KB
MD5

a620bb4108679de3918a72f658aea8b0
SHA1

55d20fe7e10f07a0b48c3d9cb00a1fc92e188ce9
SHA256

808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06ab
SHA512

5efd7e4149934370f59760ee48711dd8a85a8001af732d4eb0980ab4a25a0d90f26c07340bbba2ed9fae4b44d8b638756466ca3a989c96eda63f220322292611
SSDEEP

6144:CZKHKSIl0SatLPTUrjBpAs/mpYIqaaUN44Iq766ztAkOHn0LHZRf:C4jm0Sat7Az/gZvTIq2WKkw0Fp

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2380	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3032	nelej.exe
1336	lubot.exe

Loads dropped DLL 3 IoCs

pid	Process
2384	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe
3032	nelej.exe
3032	nelej.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nelej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lubot.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe
1336	lubot.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 3032	2384	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe	30
PID 2384 wrote to memory of 3032	2384	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe	30
PID 2384 wrote to memory of 3032	2384	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe	30
PID 2384 wrote to memory of 3032	2384	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe	30
PID 2384 wrote to memory of 2380	2384	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe	31
PID 2384 wrote to memory of 2380	2384	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe	31
PID 2384 wrote to memory of 2380	2384	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe	31
PID 2384 wrote to memory of 2380	2384	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe	31
PID 3032 wrote to memory of 1336	3032	nelej.exe	34
PID 3032 wrote to memory of 1336	3032	nelej.exe	34
PID 3032 wrote to memory of 1336	3032	nelej.exe	34
PID 3032 wrote to memory of 1336	3032	nelej.exe	34

C:\Users\Admin\AppData\Local\Temp\808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe
"C:\Users\Admin\AppData\Local\Temp\808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\nelej.exe
  "C:\Users\Admin\AppData\Local\Temp\nelej.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\lubot.exe
    "C:\Users\Admin\AppData\Local\Temp\lubot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b2ca20597b46f2aa51506d6f52aecd83

SHA1
84795bf4163ce464b114888910e4d1d6e1335b6e

SHA256
0d97fe0c3b4fc39d4cd8350414d0f8ca94f09b57efca41fb206df799e4792464

SHA512
fefcaee182efc5758307647200fa4e75a8709559d2fabaf2bbad1d93f5d492b7c02944ce2fc41a4844347c763990989d0f4bd8095e55c7bd0e7371b42b68b0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bb57a6dbb2db7c16d562d219a40f70f4

SHA1
2792bb487f621dfc2e7cb630b7ddc70f097bb9bc

SHA256
dfb6fa98563c81154705520793228b6d85109f97eed82e8769b570268a62d7b6

SHA512
78a09fd11e1554f02e5f8f2d7318e76e68fb03349cacaece92614eb68e104b8e52a2c65b0915160ea169e4b4bab668f32ced4b29cc68d0b0462e1cb4c93f6c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nelej.exe

Filesize
593KB

MD5
1295b4112d8567181b38872e6a5fc7e0

SHA1
942dcd91b32a38da791709228247ea88edd8cf1b

SHA256
1e38409d455e7f4695f259e5e532acf6509d63fba4e2eb7cff1dcbfabbac4677

SHA512
39f6216830f9846b4527c68a23492f5c2fb1171820109b254611a7a45d007ac4eaa5df7dcb5ead75187492356b055cba36ffa3e97ce104dfbf66f4c7e7a62dd6

Download Submit
\Users\Admin\AppData\Local\Temp\lubot.exe

Filesize
323KB

MD5
70cc8c9b91489a0539d7d0f214bc7024

SHA1
f27ed9798e955ce10fd405936acdb658a9e9d294

SHA256
df9a558e6fbc4f3659084ea9397dcacd746c58563548371f5d065e1b754948ad

SHA512
be8c0a974544669e8276341096e79ace38f8aeeda04cb3d931a3793295fec068897ffbf2a6dce5104f0a3aae2bacdae8825b9c3e056c955d013f5a7d55f95cf3

Download Submit
\Users\Admin\AppData\Local\Temp\nelej.exe

Filesize
593KB

MD5
9316f902415a2df991c2dadeefd57218

SHA1
6856fe9879b78be92483cc0100540a818bd8de0b

SHA256
81d02ad28245f145b146e0515278380b0586da8c9791f5920e5c90e4d4f368fe

SHA512
6b0ce53482bb0e89822b665d0d778c32ff10d7637d91ed274820e174380f3529988802677aa380e716bb5318df0fbbc6e258830af03925a02fa53a47e6ad4f6f

Download Submit
memory/1336-32-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1336-31-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1336-35-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1336-34-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1336-36-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2384-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3032-29-0x00000000030B0000-0x0000000003147000-memory.dmp

Filesize
604KB

Download
memory/3032-28-0x00000000030B0000-0x0000000003147000-memory.dmp

Filesize
604KB

Download

Analysis

Sharing