urelas | ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6

General

Target

ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe
Size

335KB
MD5

28b8654544104c69057653f470567020
SHA1

75c7d9aaf9238f5ea4a74e8a021380479b3db10f
SHA256

ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6
SHA512

87c67b343f56522958ba1f539f07ae4b403655f99beccafeb7cf03a6f1b540f18a0ea2941607029468fd1e6e81b2cdf3d63d3103aa25b6225d4fbca5ee7dbbd1
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIrN:vHW138/iXWlK885rKlGSekcj66ciz

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2312	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2332	pafuz.exe
2884	geher.exe

Loads dropped DLL 2 IoCs

pid	Process
1740	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe
2332	pafuz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pafuz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geher.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe
2884	geher.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2332	1740	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe	30
PID 1740 wrote to memory of 2332	1740	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe	30
PID 1740 wrote to memory of 2332	1740	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe	30
PID 1740 wrote to memory of 2332	1740	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe	30
PID 1740 wrote to memory of 2312	1740	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe	31
PID 1740 wrote to memory of 2312	1740	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe	31
PID 1740 wrote to memory of 2312	1740	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe	31
PID 1740 wrote to memory of 2312	1740	ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe	31
PID 2332 wrote to memory of 2884	2332	pafuz.exe	34
PID 2332 wrote to memory of 2884	2332	pafuz.exe	34
PID 2332 wrote to memory of 2884	2332	pafuz.exe	34
PID 2332 wrote to memory of 2884	2332	pafuz.exe	34

C:\Users\Admin\AppData\Local\Temp\ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe
"C:\Users\Admin\AppData\Local\Temp\ece94b4e16e8b3b5423363d9340018f02d1b2cb837109def6ef2f838d99585c6N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\pafuz.exe
  "C:\Users\Admin\AppData\Local\Temp\pafuz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\geher.exe
    "C:\Users\Admin\AppData\Local\Temp\geher.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
2ef22e5faadc14ff7a413d15647e3ca2

SHA1
04b748a9cb6cec12e0a723acad93b47e1e9db424

SHA256
5b30fda84897092fb8374c8f9f7af5dced96cea14b2f01725f54d88f159a7d4f

SHA512
7b0b17e6ae9b2f41b55cdb4dcd609dfe07128d2c8327448536ac3347f3295146fea26c224e0236954d2fa41841e23636d80390bcf66c43172482b9908b97046e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
48ab5f6f7471773d30cc514dc097e4be

SHA1
c8e1497e3e4ec7f009171b6315be6f7baac650b3

SHA256
0a8ac13b2ca97a7f7fa09a68901792e28c524d92dc8d46cfafef07bd89b79cfd

SHA512
6804e6ec9a615a6ba72f88c89b051f327f48faae2f853052ad4b8d68ed3042d60167817e842ebbebd96bfec29664c0e4ccfd336eb6385477fe340b27b6aeb5a7

Download Submit
\Users\Admin\AppData\Local\Temp\geher.exe

Filesize
172KB

MD5
f57deff951d3b35c6e1965711bebf7d3

SHA1
6047c1eeb3bf71a64d837caf0de8cc860ba11270

SHA256
5f017d43785ded9feba67f5f47d5c17603318cadfa32cbca5ba4c337dad81d88

SHA512
9e39ab452d83c1f555d22655838f8f1250d5577e9827bd12a32b3215a37d43def85261bb7b0ff88b9a85cc3e9b2060651804b057f5a351217396e2c6d68ea60f

Download Submit
\Users\Admin\AppData\Local\Temp\pafuz.exe

Filesize
335KB

MD5
090872efb4f4adc2cdd215fbf72938f0

SHA1
482ec77ebb634a4d63411b8e4db58d32e072c9e6

SHA256
311c5291ec7018f7cc01c68dfa417decc6d7192458baa7b0e6bad838b926aba5

SHA512
174f69ab8fb7303f1532cb11097a759773f7c23850d5ce17effbf0ba2d020c9675f1d445db46fcf69e42b9061481052d36f1e848007e1c348ea765d9df073114

Download Submit
memory/1740-8-0x00000000025D0000-0x0000000002651000-memory.dmp

Filesize
516KB

Download
memory/1740-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1740-21-0x0000000000BA0000-0x0000000000C21000-memory.dmp

Filesize
516KB

Download
memory/1740-0-0x0000000000BA0000-0x0000000000C21000-memory.dmp

Filesize
516KB

Download
memory/2332-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2332-11-0x0000000000290000-0x0000000000311000-memory.dmp

Filesize
516KB

Download
memory/2332-24-0x0000000000290000-0x0000000000311000-memory.dmp

Filesize
516KB

Download
memory/2332-38-0x00000000032D0000-0x0000000003369000-memory.dmp

Filesize
612KB

Download
memory/2332-40-0x0000000000290000-0x0000000000311000-memory.dmp

Filesize
516KB

Download
memory/2884-43-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/2884-42-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/2884-47-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download
memory/2884-48-0x0000000000040000-0x00000000000D9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing