urelas | 6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84

General

Target

6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe
Size

335KB
MD5

1056543fddaacdaa0e7f667cfb292106
SHA1

8f3e12db65839e4546b7ebe5bd378b5fb264f3b2
SHA256

6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84
SHA512

2b720cd76f80a376d510f421bd0f2a71d76270aa1a21f8197217a9411140d7d6b855d3828cab2d9914e0cacb12c075f5b527c2b8a68429bdce254b7e44b3fb58
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIck:vHW138/iXWlK885rKlGSekcj66cid

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2072	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2352	vebir.exe
2672	guhab.exe

Loads dropped DLL 2 IoCs

pid	Process
2480	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe
2352	vebir.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vebir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guhab.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe
2672	guhab.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2352	2480	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe	31
PID 2480 wrote to memory of 2352	2480	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe	31
PID 2480 wrote to memory of 2352	2480	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe	31
PID 2480 wrote to memory of 2352	2480	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe	31
PID 2480 wrote to memory of 2072	2480	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe	32
PID 2480 wrote to memory of 2072	2480	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe	32
PID 2480 wrote to memory of 2072	2480	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe	32
PID 2480 wrote to memory of 2072	2480	6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe	32
PID 2352 wrote to memory of 2672	2352	vebir.exe	35
PID 2352 wrote to memory of 2672	2352	vebir.exe	35
PID 2352 wrote to memory of 2672	2352	vebir.exe	35
PID 2352 wrote to memory of 2672	2352	vebir.exe	35

C:\Users\Admin\AppData\Local\Temp\6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe
"C:\Users\Admin\AppData\Local\Temp\6aefa01d1ee480134c55e848783eb2c6752b36a56c38c17d0a9ba9070fe94f84.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\vebir.exe
  "C:\Users\Admin\AppData\Local\Temp\vebir.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\guhab.exe
    "C:\Users\Admin\AppData\Local\Temp\guhab.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
cee2f67ee7579e9cf48fb476ed270f1d

SHA1
98b109b493a3e26f472dafe405708cdbfca22266

SHA256
d742f50e82574b5bf12f60843cb7f23c9b9f544a0ba61fa26c311039d4e4b468

SHA512
e769efe7987a586036829754a11ed5ebbead7b096727749e55c1135ec32f87043a1b515634af01fb5907f5f837f0f30da2e50131b572226a708d67b6986dcda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c81fc657bcb2affd459dcc70fc715a71

SHA1
4623b61b1dcada0ed6b5c1702ca9170b1ac7167e

SHA256
525773d2c6d7316cbcbd1d7a3c0be90c2884025a601c03e575d8684fc51cff0c

SHA512
04d4eef90f506b323893b2bc8c7526b3e7e0906b4865f78391fa5cad15e270b14582d7e4c3c382a13970fc3be342b2f7a5c2a4df9b7cb512999d7f44e36c323b

Download Submit
\Users\Admin\AppData\Local\Temp\guhab.exe

Filesize
172KB

MD5
cd7fcf410c9a60149211748dd41377e4

SHA1
0659457ab432b6a7a731cdb9c6cef20ae06526f1

SHA256
7f5d37a984e1f5f2ef40bf8f1c950a79ba2b9f32762d82661afe2a1e4224b901

SHA512
65b61acdf998b27901abc5996bfa81d6f16e9a779d7c9794df24159176fbb075fda7b6dd72e8c1def66d39888e88d1db1b7db02de8538bd679d209bf87027f42

Download Submit
\Users\Admin\AppData\Local\Temp\vebir.exe

Filesize
335KB

MD5
39cdbb5dbf201265241000ff576574d6

SHA1
0b5612a901c71751be392dfc475c20311a5488ea

SHA256
07897175e17f31c489fc5c5f647941b91446b0156e162f5e60834bf4b038fb40

SHA512
0f0d172820053ccb39d4ec9055bca0702ebc0270b7b6e26662e69e10e95cb41c82973f9a2a8332256dd082a88950c69a6e27a7266bd2451af8954d88729ed4ca

Download Submit
memory/2352-42-0x00000000037E0000-0x0000000003879000-memory.dmp

Filesize
612KB

Download
memory/2352-24-0x00000000002C0000-0x0000000000341000-memory.dmp

Filesize
516KB

Download
memory/2352-12-0x00000000002C0000-0x0000000000341000-memory.dmp

Filesize
516KB

Download
memory/2352-13-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2352-45-0x00000000002C0000-0x0000000000341000-memory.dmp

Filesize
516KB

Download
memory/2480-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2480-21-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download
memory/2480-6-0x0000000002B80000-0x0000000002C01000-memory.dmp

Filesize
516KB

Download
memory/2480-0-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download
memory/2672-39-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/2672-43-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/2672-47-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/2672-48-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing