urelas | 249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a

General

Target

249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe
Size

338KB
MD5

8fb501ac698176feeaad15399c91510a
SHA1

9a014a3714a46134c2fd5671d2aea4a673a793b3
SHA256

249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a
SHA512

1c0b3ccf41d2c39b8fb354379cf3fe00c652a1f79dd7bdaa563862d06a879ca66fbfe4334bf7c6ea5b4458f9b5f43068ddd7f096e9c1f7dc326a4e66c6017432
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKogA:vHW138/iXWlK885rKlGSekcj66cis

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2940	cuiqe.exe
2760	hohul.exe

Loads dropped DLL 2 IoCs

pid	Process
3064	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe
2940	cuiqe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuiqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hohul.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe
2760	hohul.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2940	3064	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe	30
PID 3064 wrote to memory of 2940	3064	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe	30
PID 3064 wrote to memory of 2940	3064	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe	30
PID 3064 wrote to memory of 2940	3064	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe	30
PID 3064 wrote to memory of 2696	3064	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe	31
PID 3064 wrote to memory of 2696	3064	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe	31
PID 3064 wrote to memory of 2696	3064	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe	31
PID 3064 wrote to memory of 2696	3064	249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe	31
PID 2940 wrote to memory of 2760	2940	cuiqe.exe	34
PID 2940 wrote to memory of 2760	2940	cuiqe.exe	34
PID 2940 wrote to memory of 2760	2940	cuiqe.exe	34
PID 2940 wrote to memory of 2760	2940	cuiqe.exe	34

C:\Users\Admin\AppData\Local\Temp\249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe
"C:\Users\Admin\AppData\Local\Temp\249cc26c7543eedd6b8ae8e55392de46208a94877903a49f2cdccf5f667e910a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\cuiqe.exe
  "C:\Users\Admin\AppData\Local\Temp\cuiqe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\hohul.exe
    "C:\Users\Admin\AppData\Local\Temp\hohul.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
67519008b2bb6235a76f364f6e7e5356

SHA1
2099c9a9938a5f36b57de23c20871dac8e9d7139

SHA256
a3fac6cfb9773b7a17bdf4bf3a010d840ab495681df5dd7bef30a6288cab331e

SHA512
07592b54f71e2d8a4e31b0c7041a27a6acc29cbb3d35f43220eb08abd1dfcd05c2e8ca8f207ccce0970eb03c3cfff20740105af4458b8d7f8a8fde6d2979bf79

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c52522e2bfdd3ca4dee6387abe773ca2

SHA1
9b5a4432e80d374a442e6b44cde5ad9e8035c842

SHA256
1c93eb3520f41a2d1c636c290564b76cb81fa31545a5cba001cbadf1bfb1d34f

SHA512
767449be341aabf453e91f30a0df1d291456c792b4ad7261ea2a0c938cb1ff4818a0448f7ffd72c0846e0b55f15c9fe37482c17b728e8af45355dfb746fe4ce6

Download Submit
\Users\Admin\AppData\Local\Temp\cuiqe.exe

Filesize
338KB

MD5
d20cf62c9a7ed0fd7350661bef51635c

SHA1
25432cd27e63afb0e977a224a1dd66df81199f90

SHA256
ebbe2365497d19b4ea349cd05447854f090b5b3e5eec18134747f4d0c176e570

SHA512
78b3194581e365b7e22d81fa6fb01cadd1efdab913059ba8549ffaf1362da7e049ea63b8214d134b38beb884a2c1471b31f31ac4c3218af35e7883143fccd46c

Download Submit
\Users\Admin\AppData\Local\Temp\hohul.exe

Filesize
172KB

MD5
8df7c58643e51917433690172554f87f

SHA1
e002352737e9dcc246b34cc422005db90fbe9d67

SHA256
fc371352be405ebf0cce414cb1e786332845f3932eb8f61ba3b5d03e25380cf4

SHA512
71d9d2648a2e5ae74df03bc52edf7528b2d03c083dcf9e6fbfe19db615bda33639a96ee658914f4dd87e55b5a582aa60a57078820ef191a064f53d51e04feb3e

Download Submit
memory/2760-48-0x00000000000F0000-0x0000000000189000-memory.dmp

Filesize
612KB

Download
memory/2760-47-0x00000000000F0000-0x0000000000189000-memory.dmp

Filesize
612KB

Download
memory/2760-42-0x00000000000F0000-0x0000000000189000-memory.dmp

Filesize
612KB

Download
memory/2760-45-0x00000000000F0000-0x0000000000189000-memory.dmp

Filesize
612KB

Download
memory/2940-41-0x00000000010B0000-0x0000000001131000-memory.dmp

Filesize
516KB

Download
memory/2940-24-0x00000000010B0000-0x0000000001131000-memory.dmp

Filesize
516KB

Download
memory/2940-38-0x0000000002E70000-0x0000000002F09000-memory.dmp

Filesize
612KB

Download
memory/2940-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2940-11-0x00000000010B0000-0x0000000001131000-memory.dmp

Filesize
516KB

Download
memory/3064-21-0x0000000000A90000-0x0000000000B11000-memory.dmp

Filesize
516KB

Download
memory/3064-0-0x0000000000A90000-0x0000000000B11000-memory.dmp

Filesize
516KB

Download
memory/3064-9-0x0000000002790000-0x0000000002811000-memory.dmp

Filesize
516KB

Download
memory/3064-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing