urelas | fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716

General

Target

fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe
Size

338KB
MD5

088084f12e63163e5382cc480bad2e93
SHA1

c39f9b08ae68f7470c0a98dedd253a11b5bdb67c
SHA256

fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716
SHA512

80d5c748b3d6bde042fd9b343b8aed1a5ad299701e4d8c3e336970bb56bf68e50ce65b7c601d7ce83ba1ce18d3721ae61f60b5b95bf08cffc14ea7714f25b247
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoJ8:vHW138/iXWlK885rKlGSekcj66ciL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2556	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1308	ozbur.exe
1344	soaqx.exe

Loads dropped DLL 2 IoCs

pid	Process
2232	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe
1308	ozbur.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozbur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soaqx.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe
1344	soaqx.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1308	2232	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe	30
PID 2232 wrote to memory of 1308	2232	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe	30
PID 2232 wrote to memory of 1308	2232	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe	30
PID 2232 wrote to memory of 1308	2232	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe	30
PID 2232 wrote to memory of 2556	2232	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe	31
PID 2232 wrote to memory of 2556	2232	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe	31
PID 2232 wrote to memory of 2556	2232	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe	31
PID 2232 wrote to memory of 2556	2232	fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe	31
PID 1308 wrote to memory of 1344	1308	ozbur.exe	34
PID 1308 wrote to memory of 1344	1308	ozbur.exe	34
PID 1308 wrote to memory of 1344	1308	ozbur.exe	34
PID 1308 wrote to memory of 1344	1308	ozbur.exe	34

C:\Users\Admin\AppData\Local\Temp\fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe
"C:\Users\Admin\AppData\Local\Temp\fa67aaa1172b1c7bd4e59ad2f86d589649c61b3c46cc4b391e65629c2cad0716.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\ozbur.exe
  "C:\Users\Admin\AppData\Local\Temp\ozbur.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\soaqx.exe
    "C:\Users\Admin\AppData\Local\Temp\soaqx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8e918133c5c5405da82c46289c28b9e4

SHA1
755628ad899d047c27fc2c6c8ff57c10e0c9b284

SHA256
a7080ac0fb811806b84bd13117007765850fdc2f9ab97ec9fe5a7aae07a92e92

SHA512
1fa4bbaba503a3fb314007e479abf9d30dd52a3635103f0fc829e550bee6510f34b82fe7fc6c0614d6ed02d5480f6f3246e17071843a898ceb867d2bb75bc506

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e3ef28ab1471a844d344f4b41c0c291b

SHA1
791e076dabfa5e84b277e50a55b65c17d9034fc2

SHA256
cfe133ef8441ea83323ccfc267cc004c031784a597f5fbe5b8907e5103f95783

SHA512
9acda95c9186d8e673910018104fe00de7ea6e10a82cb1ddf86e2e7be1a36da1e39592d2981392625db6a53f047a539f36476528c5ec8fe9d849ad340d1c256e

Download Submit
\Users\Admin\AppData\Local\Temp\ozbur.exe

Filesize
338KB

MD5
4f1088b7b0fa782eaaaac65b45974d1e

SHA1
9d1448fa1d6459e8cba00f65b7b952857da5dd4c

SHA256
fef1a5ac500ab91de601354d1530af8cc2b879067a88e298bf3d68260bd92cac

SHA512
d3cf5e0b82d252033ee60a58bfe48602f133b560de2a04add087d94e7342c70dd61f4f138681a7774a9f71adfa8e04c136398efd73811ded3b237f0629bf9ea0

Download Submit
\Users\Admin\AppData\Local\Temp\soaqx.exe

Filesize
172KB

MD5
299e0d8fcc75240bb57773f4d64a0295

SHA1
dcc1793da55fd5fac2d20e697e2eff27e09943ce

SHA256
f2e902882f74e55a0e2522bcc5f9e6ff4d4c4b23db4ae36d0031a5149432a96c

SHA512
a2062633738bd15b2c9ed11426956a66028c34418f7828cea9e344cb824ef5b0bfbc49ceb3d95127638abf7043189a8b962544cdb78fd8b146eea74a457f654b

Download Submit
memory/1308-21-0x00000000001A0000-0x0000000000221000-memory.dmp

Filesize
516KB

Download
memory/1308-40-0x00000000035F0000-0x0000000003689000-memory.dmp

Filesize
612KB

Download
memory/1308-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1308-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1308-25-0x00000000001A0000-0x0000000000221000-memory.dmp

Filesize
516KB

Download
memory/1308-42-0x00000000001A0000-0x0000000000221000-memory.dmp

Filesize
516KB

Download
memory/1344-49-0x0000000000300000-0x0000000000399000-memory.dmp

Filesize
612KB

Download
memory/1344-48-0x0000000000300000-0x0000000000399000-memory.dmp

Filesize
612KB

Download
memory/1344-44-0x0000000000300000-0x0000000000399000-memory.dmp

Filesize
612KB

Download
memory/1344-43-0x0000000000300000-0x0000000000399000-memory.dmp

Filesize
612KB

Download
memory/2232-19-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download
memory/2232-0-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download
memory/2232-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2232-16-0x00000000025B0000-0x0000000002631000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing