urelas | 1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddef

General

Target

1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe
Size

336KB
MD5

63112463c8d44d312cded96e7f033800
SHA1

f48c48882f0d5348f6e99a27599efbaf5e80d9e1
SHA256

1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddef
SHA512

f514ec1c8070105d5cfdc38249bec80689d18405004e55b8431c3eec1c52c1e5bd4ff7a94d109b15b66c30765c442f9442a6cfcf857830d7f2275086edc7e309
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIrE:vHW138/iXWlK885rKlGSekcj66ci+

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2200	boqec.exe
1484	uhnux.exe

Loads dropped DLL 2 IoCs

pid	Process
2368	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe
2200	boqec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boqec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uhnux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe
1484	uhnux.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2200	2368	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe	30
PID 2368 wrote to memory of 2200	2368	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe	30
PID 2368 wrote to memory of 2200	2368	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe	30
PID 2368 wrote to memory of 2200	2368	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe	30
PID 2368 wrote to memory of 2796	2368	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe	31
PID 2368 wrote to memory of 2796	2368	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe	31
PID 2368 wrote to memory of 2796	2368	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe	31
PID 2368 wrote to memory of 2796	2368	1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe	31
PID 2200 wrote to memory of 1484	2200	boqec.exe	34
PID 2200 wrote to memory of 1484	2200	boqec.exe	34
PID 2200 wrote to memory of 1484	2200	boqec.exe	34
PID 2200 wrote to memory of 1484	2200	boqec.exe	34

C:\Users\Admin\AppData\Local\Temp\1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe
"C:\Users\Admin\AppData\Local\Temp\1e8bc4c25071312e00e5480469700b34e8c661ff860aee6cb228c35507f6ddefN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\boqec.exe
  "C:\Users\Admin\AppData\Local\Temp\boqec.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\uhnux.exe
    "C:\Users\Admin\AppData\Local\Temp\uhnux.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
95c44f9233f0346622bc11e74db7f597

SHA1
74cf4f152b9b6ba29fc863f725f10a9bf58751ef

SHA256
48018e359e9c91751e1d29a242bdc48d01703d13412dd5f5badc7c9787090613

SHA512
14b452fa1d4a82c94908216cdc8963cc43b7b2cb0ce93ce3e38e730180e2684258eb89891565734036e8fb315ed9f7db5433da5680f725d0b05e22e88c2f95ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\boqec.exe

Filesize
336KB

MD5
7968eb64fd258095367ba5b750fc12aa

SHA1
3c36b3cd152f100d82c82eefd3906e0388b1ff42

SHA256
4385fba037e03f66c615c65bb4459c0eeef77b84fe3a18ee9ec046b3a632bdbf

SHA512
0ef7ff2fca3f4a352b8cef8f391612dcea13143c23d9e6cc1fe9ace7897691fe0fa2d1a19c2932f7fe66a621f543d9ed20a15f163dbdc1854ac689b73842990a

Download Submit
C:\Users\Admin\AppData\Local\Temp\boqec.exe

Filesize
336KB

MD5
2b70e02940bc7c79ce928f58156baeb9

SHA1
7355942696695d3e1a7e3bfb0674eac4c385501c

SHA256
aaff0c1dc17be91c1b2f0c98a5d8fe9fa888c4b1e4f1ba922b6d86216e4db3dd

SHA512
72b2cd223304e4eaaadbc002b89ef8f3e2711b787a231bf7b256e6dde33ea75cee55853dbfa2ef28e1440040c1538b8ab061a09d7a20146a60ce2cf40b60e43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8aca0fab3281749e12b0399d507ef52d

SHA1
9d59d8d796d6ba7dfd553ab3b887b123bff227dd

SHA256
1256dc0a6a5a7c21ba882fc30cd43902d32f64cf9418797bf17b63a3f4906d1f

SHA512
4b5028f413be7f419119fce909bd4bef600c914928c32fc432c883b9bf070c76f7f6ed9c2eb2666cd418515c2a55d6e623f4fb44e68e281da6fceccf5db6cc87

Download Submit
\Users\Admin\AppData\Local\Temp\uhnux.exe

Filesize
172KB

MD5
d959bfc39a2003d6fba2c29406eb964c

SHA1
bba77ed3761038db16e7eeec5672438db39dcb6d

SHA256
31bd60973f208446db81f92ce500a50159ea94d49eedd6b2fc7a38febca301a9

SHA512
ad9956b9b4348af78cca1334148faa81f2186af075875b6c2e2dc05e6546be6ace9361f073519fe19417c6b5727e5b7a1b1ba709493bef4ab19b295002601740

Download Submit
memory/1484-42-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/1484-43-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/1484-48-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/1484-49-0x0000000000240000-0x00000000002D9000-memory.dmp

Filesize
612KB

Download
memory/2200-20-0x00000000000A0000-0x0000000000121000-memory.dmp

Filesize
516KB

Download
memory/2200-24-0x00000000000A0000-0x0000000000121000-memory.dmp

Filesize
516KB

Download
memory/2200-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2200-41-0x00000000000A0000-0x0000000000121000-memory.dmp

Filesize
516KB

Download
memory/2200-39-0x0000000002BE0000-0x0000000002C79000-memory.dmp

Filesize
612KB

Download
memory/2368-19-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/2368-11-0x0000000000F00000-0x0000000000F81000-memory.dmp

Filesize
516KB

Download
memory/2368-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2368-0-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing