urelas | 1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60

General

Target

1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
Size

337KB
MD5

e6b76480839da7c11075198a296521db
SHA1

16ea461d8ccd09bda7f9535d24448bc46d897425
SHA256

1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60
SHA512

3f0a99d13b9a77f0570f45c9be72c0e52ae34101de65924ee6091e2df8238c1e9e433453569b17ed8caa142fb603c3c163574a9f19063b0793a56665dc4fc440
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKCM:vHW138/iXWlK885rKlGSekcj66ciZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2108	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2288	sodoa.exe
2908	jujyd.exe

Loads dropped DLL 2 IoCs

pid	Process
2256	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
2288	sodoa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sodoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jujyd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe
2908	jujyd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2288	2256	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	31
PID 2256 wrote to memory of 2288	2256	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	31
PID 2256 wrote to memory of 2288	2256	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	31
PID 2256 wrote to memory of 2288	2256	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	31
PID 2256 wrote to memory of 2108	2256	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	32
PID 2256 wrote to memory of 2108	2256	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	32
PID 2256 wrote to memory of 2108	2256	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	32
PID 2256 wrote to memory of 2108	2256	1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe	32
PID 2288 wrote to memory of 2908	2288	sodoa.exe	35
PID 2288 wrote to memory of 2908	2288	sodoa.exe	35
PID 2288 wrote to memory of 2908	2288	sodoa.exe	35
PID 2288 wrote to memory of 2908	2288	sodoa.exe	35

C:\Users\Admin\AppData\Local\Temp\1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe
"C:\Users\Admin\AppData\Local\Temp\1349c2e9afb18cd283d583d7a7b12be64fc8c50b777e88961c851ee535b7da60.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\sodoa.exe
  "C:\Users\Admin\AppData\Local\Temp\sodoa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\jujyd.exe
    "C:\Users\Admin\AppData\Local\Temp\jujyd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a0c488d232db3ca63d36e74b97204d55

SHA1
208d0c1a9151a12e595a11e8619232e6cd127acb

SHA256
11b4793224a20e7bd0c38fc6fb7fb81bbe7aee3223dc73ba80bcddd263054c05

SHA512
73a0f5565c767226837add0668e88825f0cc18b90859b32225eb5e5da5d93002c8a8cda5a01c07d8539e205e9ce393deb745a99c5e207409b88aeac4327721d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
61783815239d9808b7295c0b82e4787f

SHA1
9203528fc9909f4f8e850f7614d6b563d1600f5a

SHA256
ee6532efdef15e8cd90f60c6d0950faf5dcbbcbb6e7afdf5b7d20809efecaed3

SHA512
1cabae6004f5223edf46b5c755af28c69f8ce39d1fae92017eff1db17b24be0efa9196a948ab814d7fcdfebf77d8a11258ead89744fe58c129b08ae773ec1149

Download Submit
\Users\Admin\AppData\Local\Temp\jujyd.exe

Filesize
172KB

MD5
8f8b4730a0b26c5a6e016db92b9cd1fe

SHA1
8e70e5489a70aebb1aefb0ec42d1897e126da250

SHA256
c458c42fea822e30841f65550fba1393ec6e4a86ebf8f59ca257d32418e8b3f4

SHA512
9be311268a1398628c1d40382e9bc6f87308881e9d7b3a9ce8000392fb2c6f790e5e680b41e03b4eb9dc1bcfd9aba3efe544d198a7f5773a901328f96efa8107

Download Submit
\Users\Admin\AppData\Local\Temp\sodoa.exe

Filesize
337KB

MD5
7de597c430c8d604ce7a044f6586e3fe

SHA1
7771e6cc0ac62a73e932ba97c253843a5a653061

SHA256
253ba70fe70edac964ec1154df5a396104371dcead9b1161b3d4af24c3905bb6

SHA512
98df6e4e45bf1033fb81aaa19675b71185441a7ca5f1753a87144a339d794afbba98b6def78bb74ac366c7a0e010c704a2c1201b8e96f4f20cf03bf3a9d3b9ed

Download Submit
memory/2256-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2256-7-0x00000000020F0000-0x0000000002171000-memory.dmp

Filesize
516KB

Download
memory/2256-0-0x0000000000B60000-0x0000000000BE1000-memory.dmp

Filesize
516KB

Download
memory/2256-21-0x0000000000B60000-0x0000000000BE1000-memory.dmp

Filesize
516KB

Download
memory/2288-11-0x00000000012A0000-0x0000000001321000-memory.dmp

Filesize
516KB

Download
memory/2288-24-0x00000000012A0000-0x0000000001321000-memory.dmp

Filesize
516KB

Download
memory/2288-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2288-39-0x00000000012A0000-0x0000000001321000-memory.dmp

Filesize
516KB

Download
memory/2288-40-0x00000000040F0000-0x0000000004189000-memory.dmp

Filesize
612KB

Download
memory/2908-42-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2908-43-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2908-47-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2908-48-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing