urelas | 26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9

General

Target

26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe
Size

338KB
MD5

3496996eb0e0e23e58f45abf9150f2c0
SHA1

d68d5ab36ea32ea14d0bd4bf96ef1760e10db9ec
SHA256

26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9
SHA512

1fa01db9a83193d5087eb193d4e5f3af284d8df876b67fca8e0a895889ace2b07125777b81134bdfd65caa483cec4a0a2277ab8b7a88bd865cc2bc27da975bd9
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKog2:vHW138/iXWlK885rKlGSekcj66ciK

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dohig.exe

Executes dropped EXE 2 IoCs

pid	Process
1916	dohig.exe
3108	vinog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dohig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vinog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe
3108	vinog.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1916	2328	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe	82
PID 2328 wrote to memory of 1916	2328	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe	82
PID 2328 wrote to memory of 1916	2328	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe	82
PID 2328 wrote to memory of 2248	2328	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe	83
PID 2328 wrote to memory of 2248	2328	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe	83
PID 2328 wrote to memory of 2248	2328	26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe	83
PID 1916 wrote to memory of 3108	1916	dohig.exe	94
PID 1916 wrote to memory of 3108	1916	dohig.exe	94
PID 1916 wrote to memory of 3108	1916	dohig.exe	94

C:\Users\Admin\AppData\Local\Temp\26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe
"C:\Users\Admin\AppData\Local\Temp\26d1ce9c96719731a3afc255abf7849d75bb381bc4064e6b71db0d4b28ece0b9N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\dohig.exe
  "C:\Users\Admin\AppData\Local\Temp\dohig.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\vinog.exe
    "C:\Users\Admin\AppData\Local\Temp\vinog.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
d0535cfbd323ed445dbd3d51e940b7df

SHA1
23e689bd678fbc9b6bdcb814cce903939350621b

SHA256
6c05ed8be67f7cbd34647c4605c91bf728e449adb2cf833a81905b4c5dca83bc

SHA512
468513cb97ce3270f1e360c2db3d6508b598a7e6bf1d79f7f5805086a0148aec1d0bd2f87fd68a124170815f26d7606da4b853ee0aeaceb7e806a427af023810

Download Submit
C:\Users\Admin\AppData\Local\Temp\dohig.exe

Filesize
338KB

MD5
6e5ef017aa5740f13661421ac8f19795

SHA1
9df3646fc3fa980c1497ae895dd3a93245639eb5

SHA256
25ee388430a88068351d8b456c14b1acdf854c85fc8c59b7ff6cd959a77453cd

SHA512
1660151703496d404c4f4cc87b134403a7f88f9e44bcdb9b2697e95e83dc3911b15dac85ad17a24a70b5859eb32c8037cb53fa79bf1dcc2807e91560423212f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
75cf36f8760b050e6e78449e5e22d0e3

SHA1
7b72dcd7e938133abdde7347958f6a4ef86840bb

SHA256
95cfa22adaad6afe9744c84039e71bcc84eab3cf4690f4bbce3747229b13c853

SHA512
82a8346f1023f63649190b3e856e57772f09c1d571dfe7fb6430d2f44914cb058cad77e0a8a1632018518df605d8aa9c8fca3dab46d0887c29b3f0b4cf313f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\vinog.exe

Filesize
172KB

MD5
f73798727197c4dcb4ef8a02e8dec579

SHA1
f5e32236aa96daa00ad48a9749e035cf0f755e2f

SHA256
1b8b028e83790fb3f612c9f382f230a24edaac190eac1820c5648b720bc7af88

SHA512
3c09c9109747e0a241be28d029b95eaddbdda5ae2d0abc3aedf5c567d9b5c0aab7fb0566f2420a0e7fab3fc95db3ddebf83fd3a35a6c03f0ab17ed68d574c273

Download Submit
memory/1916-20-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/1916-21-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1916-12-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/1916-13-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1916-44-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/2328-0-0x0000000000A40000-0x0000000000AC1000-memory.dmp

Filesize
516KB

Download
memory/2328-1-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2328-17-0x0000000000A40000-0x0000000000AC1000-memory.dmp

Filesize
516KB

Download
memory/3108-38-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/3108-39-0x0000000000CE0000-0x0000000000CE2000-memory.dmp

Filesize
8KB

Download
memory/3108-41-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/3108-47-0x0000000000CE0000-0x0000000000CE2000-memory.dmp

Filesize
8KB

Download
memory/3108-46-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download
memory/3108-48-0x0000000000E30000-0x0000000000EC9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing