urelas | 26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9

General

Target

26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe
Size

338KB
MD5

3496996eb0e0e23e58f45abf9150f2c0
SHA1

d68d5ab36ea32ea14d0bd4bf96ef1760e10db9ec
SHA256

26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9
SHA512

1fa01db9a83193d5087eb193d4e5f3af284d8df876b67fca8e0a895889ace2b07125777b81134bdfd65caa483cec4a0a2277ab8b7a88bd865cc2bc27da975bd9
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKog2:vHW138/iXWlK885rKlGSekcj66ciK

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2164	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1920	ifmoe.exe
1516	vutew.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe
1920	ifmoe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ifmoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vutew.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe
1516	vutew.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1920	2504	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe	30
PID 2504 wrote to memory of 1920	2504	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe	30
PID 2504 wrote to memory of 1920	2504	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe	30
PID 2504 wrote to memory of 1920	2504	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe	30
PID 2504 wrote to memory of 2164	2504	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe	31
PID 2504 wrote to memory of 2164	2504	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe	31
PID 2504 wrote to memory of 2164	2504	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe	31
PID 2504 wrote to memory of 2164	2504	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe	31
PID 1920 wrote to memory of 1516	1920	ifmoe.exe	34
PID 1920 wrote to memory of 1516	1920	ifmoe.exe	34
PID 1920 wrote to memory of 1516	1920	ifmoe.exe	34
PID 1920 wrote to memory of 1516	1920	ifmoe.exe	34

C:\Users\Admin\AppData\Local\Temp\26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe
"C:\Users\Admin\AppData\Local\Temp\26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\ifmoe.exe
  "C:\Users\Admin\AppData\Local\Temp\ifmoe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\vutew.exe
    "C:\Users\Admin\AppData\Local\Temp\vutew.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
d0535cfbd323ed445dbd3d51e940b7df

SHA1
23e689bd678fbc9b6bdcb814cce903939350621b

SHA256
6c05ed8be67f7cbd34647c4605c91bf728e449adb2cf833a81905b4c5dca83bc

SHA512
468513cb97ce3270f1e360c2db3d6508b598a7e6bf1d79f7f5805086a0148aec1d0bd2f87fd68a124170815f26d7606da4b853ee0aeaceb7e806a427af023810

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a9fa6a9f7b6e5fc13fcd267e3ba42ae5

SHA1
50ceed537e994000dcdaf6f8b512a7321e6bb473

SHA256
dce9034aa0df236446d64d770785ccd4a3820ddcbfca67096971f5493690de11

SHA512
87532155eb3820384853aaa3a6f6b4f66e98804852e6795331b9e9a5bd3512d565585ac18b671b3c89910e2a0bcc4d975395d1e6f2d8bdca958a6f7bd4308097

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifmoe.exe

Filesize
338KB

MD5
ace345df5b5cdb94f7cf8973f20f11e8

SHA1
342177a52acdaa0e7846d29492c32bfa1e4a98fb

SHA256
00b3ed18ebc29a2e4d0ea305b8d4b36017eb12f48f1cb0d3af1beafeba0f5576

SHA512
56dc1f0d85a488c2a3f95bc0cea330a61adc259fc032a90461696d06ac5c37384cdb294901540ff9c28846bce32ec399c49bbaf287ac1109ab6c0fb35f133af1

Download Submit
\Users\Admin\AppData\Local\Temp\vutew.exe

Filesize
172KB

MD5
715a7b4a810984d9d4aabe94ffac10ef

SHA1
87777bbcb3fc286b599de124890866e79dbda151

SHA256
86ef5f8068ba2347340731ef5eddaec623db041043a2399fca67ba1a52447a38

SHA512
cfdbcfc243ebb7649320491c0b589497393c1cdd97abc66b50b4f17ae63423b92439e1be0ced4f912c7649acb5954092c02b88f5335ce6b47a604e544bd29217

Download Submit
memory/1516-49-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/1516-48-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/1516-44-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/1516-43-0x0000000000AE0000-0x0000000000B79000-memory.dmp

Filesize
612KB

Download
memory/1920-37-0x0000000002DD0000-0x0000000002E69000-memory.dmp

Filesize
612KB

Download
memory/1920-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1920-24-0x00000000008D0000-0x0000000000951000-memory.dmp

Filesize
516KB

Download
memory/1920-18-0x00000000008D0000-0x0000000000951000-memory.dmp

Filesize
516KB

Download
memory/1920-42-0x00000000008D0000-0x0000000000951000-memory.dmp

Filesize
516KB

Download
memory/1920-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2504-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2504-17-0x0000000002690000-0x0000000002711000-memory.dmp

Filesize
516KB

Download
memory/2504-21-0x0000000000BB0000-0x0000000000C31000-memory.dmp

Filesize
516KB

Download
memory/2504-0-0x0000000000BB0000-0x0000000000C31000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing