urelas | 79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4

General

Target

79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe
Size

338KB
MD5

7730300521b224a4da2d229a23ee29be
SHA1

62658aa96fe03c486e556f494b45b3a99fa81df0
SHA256

79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4
SHA512

6dcbcffef2db950e9bfc272aca494a1279486d00bed0d754c28514ad86cdadbb3629dd28c50e8777d9594d0b5f4dc889cc3a9338192ceaf8ac09e5e8f240db4a
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKo5pF:vHW138/iXWlK885rKlGSekcj66ci8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2728	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2660	usvod.exe
2800	baipy.exe

Loads dropped DLL 2 IoCs

pid	Process
2736	79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe
2660	usvod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usvod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baipy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe
2800	baipy.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2660	2736	79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe	31
PID 2736 wrote to memory of 2660	2736	79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe	31
PID 2736 wrote to memory of 2660	2736	79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe	31
PID 2736 wrote to memory of 2660	2736	79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe	31
PID 2736 wrote to memory of 2728	2736	79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe	32
PID 2736 wrote to memory of 2728	2736	79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe	32
PID 2736 wrote to memory of 2728	2736	79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe	32
PID 2736 wrote to memory of 2728	2736	79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe	32
PID 2660 wrote to memory of 2800	2660	usvod.exe	35
PID 2660 wrote to memory of 2800	2660	usvod.exe	35
PID 2660 wrote to memory of 2800	2660	usvod.exe	35
PID 2660 wrote to memory of 2800	2660	usvod.exe	35

C:\Users\Admin\AppData\Local\Temp\79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe
"C:\Users\Admin\AppData\Local\Temp\79f1b9a2adb8a4aff96e868172af10f853eab78e49b6fa1c34f27ff3e381e2d4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\usvod.exe
  "C:\Users\Admin\AppData\Local\Temp\usvod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\baipy.exe
    "C:\Users\Admin\AppData\Local\Temp\baipy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
4bdc6497043a11b4c1ea9570b78fa632

SHA1
9670e689b4afea0d5a92ebac883220073c7a5770

SHA256
2bd6369057c86b400c5ecaefa4d6080b36fbcb29521ce01419931f34840d69c0

SHA512
cf82eefd80cbd9fa94aab54a32acc5813ac10607785b5d477d51dfccd3d93cc8bec90710108df0d6477a56ef1bb8911c564e0c2a404ea0f3ae717bc2cccdf36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
afd6a8d49fc15afad203f086efc8a483

SHA1
5c970435b3ed5bd2af09485b9c9e7c669be98b70

SHA256
90a4ec69d8f6b2412ec7966c4045f7a31a3f46cbc9f0be0cc299db0e63e75dee

SHA512
88fab5066e45b8128611c92dad83585c6aa3b048bd821668567e92c8dbcf9c249feec5918a88deaee608a14af15b3422c53f2ba861fe0dd4f76ecdd6d5164810

Download Submit
\Users\Admin\AppData\Local\Temp\baipy.exe

Filesize
172KB

MD5
1e124cb7d034d80de791276f46e72d28

SHA1
11a60797f66cd7c67ab9ad83484a8bbbcca07360

SHA256
3fc3312faa180a236f28016caa393a8c35901fcd6f461bb83272b62ae688a6b0

SHA512
3831b78115619a3c53e65b6600f1f7d9dfeecc0336a37209e65d107052609f29f02ff82654c1a6d82abcacddee38a06d35babd76a4bc41a5e78361b6d6d340c0

Download Submit
\Users\Admin\AppData\Local\Temp\usvod.exe

Filesize
338KB

MD5
ae448938dbb9ac587e0e223a2078a119

SHA1
a50dbf5b26cd77245cb10a2eb85592f9b0be56da

SHA256
e5e24da465bd6597bd65dea51c005e5e74bae1672a54a67832eac86357c4384b

SHA512
235138304732fcc0b672114b24f35a79367c24794cca4c6776d0a52c4f40eb77ce03ad419ff32fa8b8df33c684ecda2ad6d2ad0aa1ef1aaf110d8f9690b97d59

Download Submit
memory/2660-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2660-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2660-17-0x00000000013C0000-0x0000000001441000-memory.dmp

Filesize
516KB

Download
memory/2660-23-0x00000000013C0000-0x0000000001441000-memory.dmp

Filesize
516KB

Download
memory/2660-37-0x0000000001320000-0x00000000013B9000-memory.dmp

Filesize
612KB

Download
memory/2660-41-0x00000000013C0000-0x0000000001441000-memory.dmp

Filesize
516KB

Download
memory/2736-20-0x0000000000140000-0x00000000001C1000-memory.dmp

Filesize
516KB

Download
memory/2736-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2736-0-0x0000000000140000-0x00000000001C1000-memory.dmp

Filesize
516KB

Download
memory/2800-43-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/2800-42-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/2800-47-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/2800-48-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing