urelas | ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb

General

Target

ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe
Size

336KB
MD5

af16791ad664dbfb2e700be33ef6833e
SHA1

200af680d9afd7478405ce73100275eb26dc451b
SHA256

ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb
SHA512

03b59cbff8889d256946b36507d8c460cc74536e76a52ed76c39bdb2b4c7f32d22ce2c33870a521cad376c759a85d6d4b4b08406916b7d566cfd0b3dd2b7c40e
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIrc:vHW138/iXWlK885rKlGSekcj66ci6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2776	gabyg.exe
2792	uhmyz.exe

Loads dropped DLL 2 IoCs

pid	Process
2384	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe
2776	gabyg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gabyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uhmyz.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe
2792	uhmyz.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2776	2384	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	30
PID 2384 wrote to memory of 2776	2384	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	30
PID 2384 wrote to memory of 2776	2384	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	30
PID 2384 wrote to memory of 2776	2384	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	30
PID 2384 wrote to memory of 2800	2384	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	31
PID 2384 wrote to memory of 2800	2384	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	31
PID 2384 wrote to memory of 2800	2384	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	31
PID 2384 wrote to memory of 2800	2384	ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe	31
PID 2776 wrote to memory of 2792	2776	gabyg.exe	34
PID 2776 wrote to memory of 2792	2776	gabyg.exe	34
PID 2776 wrote to memory of 2792	2776	gabyg.exe	34
PID 2776 wrote to memory of 2792	2776	gabyg.exe	34

C:\Users\Admin\AppData\Local\Temp\ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe
"C:\Users\Admin\AppData\Local\Temp\ec13597d4586e4bcf8577a5a63494831e28cfedd1a763fb9cd7116de155e8afb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\gabyg.exe
  "C:\Users\Admin\AppData\Local\Temp\gabyg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\uhmyz.exe
    "C:\Users\Admin\AppData\Local\Temp\uhmyz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b4e79e0f794ffabf6e410d4b9d8ab9e2

SHA1
6f8bf0c97b7d39bd1603de5d4132db36ce0b402f

SHA256
4bf337a3b57c15ad8b0975636630e8db677a9c8301a5566dab44a584b1205be2

SHA512
9b955287ecf2d8f385d1235357fada05901cbd75572556d9efc4eb12073d3b7f34f190e53c3c8668db98cb5357f65c4fa2531cad26eaa85bf25011559570ec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c84f84d32b1d6d31e3a3fe481a492ca4

SHA1
afac0fa27c0cb6afd22355333261a6f24c0aa819

SHA256
4c2ab609db1859ef2f8235eeadb2beec599964f69b98be48077bb1005b5ae789

SHA512
1906955b4070fa275078464926d4dbf321c8cad90cf141376c130d943807e9ec47e329aac1ec492472542b032050227402c52cf8b3c512ed78c5bafd1753e84f

Download Submit
\Users\Admin\AppData\Local\Temp\gabyg.exe

Filesize
336KB

MD5
95c72f4c351cf1490a231d2946bc7b57

SHA1
0d3df5c4edcf72f68d76c042c7cc0d748b307377

SHA256
b93d112486b05ee139eeda7e15ba1c590befe8849802fef9891a73b5fe963c79

SHA512
d42384fb67347b698afc9d1fa9c79f3ee74a0ab571ac4931c6816299282e35ec0349fc02b3f9c1efeb8ec91e24434d8cd670f9ab62d4bcbf2111c61f83971953

Download Submit
\Users\Admin\AppData\Local\Temp\uhmyz.exe

Filesize
172KB

MD5
d710b237266afb6f0018d8f1c8ae8445

SHA1
0f82daa1e127e1575e45f82d6b016878a8c55aaa

SHA256
c121a2743a320ea8b65cb2625d5833128f78e9a947eecc3be63e56f0b076b822

SHA512
37da7f8730b7c92c7d091fe162b670e963b43c2999dae95820ae5c3b925be0b05dc7a765909e0356bef4e8b8bcc33e622c8e6c329a581bcaf01585c00c11b881

Download Submit
memory/2384-16-0x00000000025C0000-0x0000000002641000-memory.dmp

Filesize
516KB

Download
memory/2384-0-0x0000000000830000-0x00000000008B1000-memory.dmp

Filesize
516KB

Download
memory/2384-20-0x0000000000830000-0x00000000008B1000-memory.dmp

Filesize
516KB

Download
memory/2384-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2776-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2776-18-0x0000000000980000-0x0000000000A01000-memory.dmp

Filesize
516KB

Download
memory/2776-24-0x0000000000980000-0x0000000000A01000-memory.dmp

Filesize
516KB

Download
memory/2776-37-0x0000000003600000-0x0000000003699000-memory.dmp

Filesize
612KB

Download
memory/2776-40-0x0000000000980000-0x0000000000A01000-memory.dmp

Filesize
516KB

Download
memory/2792-42-0x00000000008D0000-0x0000000000969000-memory.dmp

Filesize
612KB

Download
memory/2792-43-0x00000000008D0000-0x0000000000969000-memory.dmp

Filesize
612KB

Download
memory/2792-47-0x00000000008D0000-0x0000000000969000-memory.dmp

Filesize
612KB

Download
memory/2792-48-0x00000000008D0000-0x0000000000969000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing