urelas | 4ca6998d794fd62cf03483bbe92b54f7b59b4d132e779529a54377717d241d84

General

Target

4ca6998d794fd62cf03483bbe92b54f7b59b4d132e779529a54377717d241d84.exe
Size

338KB
MD5

f8859f15a4d4487db21bb5be15231470
SHA1

7b09194ce75e78b96a06d806280449d701961300
SHA256

4ca6998d794fd62cf03483bbe92b54f7b59b4d132e779529a54377717d241d84
SHA512

e97ab670f8df2e03e834e6cb068bfec1e19b816daf31b6aaabf40161472ae306d281f4e387c5d76090876d6882bc6680d336264118371f6ea2c03f1760e28db6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKogi:vHW138/iXWlK885rKlGSekcj66cie

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2988	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2528	giird.exe
2980	vypeg.exe

Loads dropped DLL 2 IoCs

pid	Process
1728	4ca6998d794fd62cf03483bbe92b54f7b59b4d132e779529a54377717d241d84.exe
2528	giird.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ca6998d794fd62cf03483bbe92b54f7b59b4d132e779529a54377717d241d84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	giird.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vypeg.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe
2980	vypeg.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2528	1728	4ca6998d794fd62cf03483bbe92b54f7b59b4d132e779529a54377717d241d84.exe	30
PID 1728 wrote to memory of 2528	1728	4ca6998d794fd62cf03483bbe92b54f7b59b4d132e779529a54377717d241d84.exe	30
PID 1728 wrote to memory of 2528	1728	4ca6998d794fd62cf03483bbe92b54f7b59b4d132e779529a54377717d241d84.exe	30
PID 1728 wrote to memory of 2528	1728	4ca6998d794fd62cf03483bbe92b54f7b59b4d132e779529a54377717d241d84.exe	30
PID 1728 wrote to memory of 2988	1728	4ca6998d794fd62cf03483bbe92b54f7b59b4d132e779529a54377717d241d84.exe	31
PID 1728 wrote to memory of 2988	1728	4ca6998d794fd62cf03483bbe92b54f7b59b4d132e779529a54377717d241d84.exe	31
PID 1728 wrote to memory of 2988	1728	4ca6998d794fd62cf03483bbe92b54f7b59b4d132e779529a54377717d241d84.exe	31
PID 1728 wrote to memory of 2988	1728	4ca6998d794fd62cf03483bbe92b54f7b59b4d132e779529a54377717d241d84.exe	31
PID 2528 wrote to memory of 2980	2528	giird.exe	34
PID 2528 wrote to memory of 2980	2528	giird.exe	34
PID 2528 wrote to memory of 2980	2528	giird.exe	34
PID 2528 wrote to memory of 2980	2528	giird.exe	34

C:\Users\Admin\AppData\Local\Temp\4ca6998d794fd62cf03483bbe92b54f7b59b4d132e779529a54377717d241d84.exe
"C:\Users\Admin\AppData\Local\Temp\4ca6998d794fd62cf03483bbe92b54f7b59b4d132e779529a54377717d241d84.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\giird.exe
  "C:\Users\Admin\AppData\Local\Temp\giird.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\vypeg.exe
    "C:\Users\Admin\AppData\Local\Temp\vypeg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3a87d228cd7ac1503813e8c4dcb295cb

SHA1
4c21092a9a916949b2577c24a4e051d7741b74a4

SHA256
491f65dd41d09015edb38abbd12a2f37b73667f1c14afcf0a04d7216f4fc68be

SHA512
18c8512555481600e63ce07aefb38048896ffaaa1b7f90d508594cfc05ebb00b989b7a8f87b915c9c1c2fb3b17ee3bccf278a36b31f7036cdff570a31778f12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4d78c27f369c074d6ed9f70e3a3f5ebd

SHA1
74a6d1b139b7d585d9c5b458c0787992ed0f9233

SHA256
f0d80a6749e40e063983a7d9161cc955399ec97a40a6440fbc42c56ebfd84427

SHA512
cbfd0d712b74dfdcb64e0248bc640ad8f0a3569f03e8d0c6e603ca5339cad715eeb30ff411effa5af7840819b12df5b876c123d8305d383886a7ad5b3b2bf48b

Download Submit
\Users\Admin\AppData\Local\Temp\giird.exe

Filesize
338KB

MD5
08111797d2836aa1873d8fb42a0a5691

SHA1
4ce14e9ce325c9c3ae7bba8e57d845480a3776fa

SHA256
aa65bd7bb1feae71629eafedad0ba4c56c74ce4eed81a130336418b88a6115db

SHA512
86a41e688713a0661a9597bf4092c9a76d27d47603b4ab5429104016161a8c49e03710a58876d4f399b68fe49fbf81f54309dfbfaa160080730521eb25c3104c

Download Submit
\Users\Admin\AppData\Local\Temp\vypeg.exe

Filesize
172KB

MD5
05380cab69bfc0946264db590b8406dd

SHA1
7bc50e2d6f1c10aca12c6d403d9432f8783d1409

SHA256
ba1d314e625b467ebf0314cfe728e7bed013aa12b43251efa721db4043ba36a9

SHA512
8a048e20a29e0e29f06a69d7d8a8a5626ba2b7c056ed5695dfcf7b9acb053115906915da6c73953c28af5fa7d88481138d51f12853d780599843995c1bfec52f

Download Submit
memory/1728-9-0x00000000020D0000-0x0000000002151000-memory.dmp

Filesize
516KB

Download
memory/1728-0-0x0000000000C40000-0x0000000000CC1000-memory.dmp

Filesize
516KB

Download
memory/1728-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1728-21-0x0000000000C40000-0x0000000000CC1000-memory.dmp

Filesize
516KB

Download
memory/2528-11-0x0000000000950000-0x00000000009D1000-memory.dmp

Filesize
516KB

Download
memory/2528-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2528-24-0x0000000000950000-0x00000000009D1000-memory.dmp

Filesize
516KB

Download
memory/2528-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2528-38-0x0000000003580000-0x0000000003619000-memory.dmp

Filesize
612KB

Download
memory/2528-42-0x0000000000950000-0x00000000009D1000-memory.dmp

Filesize
516KB

Download
memory/2980-46-0x0000000000880000-0x0000000000919000-memory.dmp

Filesize
612KB

Download
memory/2980-43-0x0000000000880000-0x0000000000919000-memory.dmp

Filesize
612KB

Download
memory/2980-48-0x0000000000880000-0x0000000000919000-memory.dmp

Filesize
612KB

Download
memory/2980-49-0x0000000000880000-0x0000000000919000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing