urelas | 419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516

General

Target

419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe
Size

629KB
MD5

65bcc6d98ef06f7a05fa1e6071bd4b7c
SHA1

4c9886823fd7909cb9e4bc4f1fec0a7727333613
SHA256

419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516
SHA512

091cbdd872abad97c056fe26b2787ea130ad98d3a2a10319587ab15c1ff0107b84065cf557e9a5642132b4192b83c3c8c45b3234e589386e6f7d9a78a0a4f6bc
SSDEEP

6144:hmbmLppYOuakY1q5Q4XMxvQ4x1OpGcm9VQl0lM/oJ4/gupe10L:hma6id1Q8zzkGHVqoq/gI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2116	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3052	mulyr.exe
1812	vofum.exe

Loads dropped DLL 3 IoCs

pid	Process
2068	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe
2068	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe
3052	mulyr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vofum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mulyr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe
1812	vofum.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 3052	2068	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe	30
PID 2068 wrote to memory of 3052	2068	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe	30
PID 2068 wrote to memory of 3052	2068	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe	30
PID 2068 wrote to memory of 3052	2068	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe	30
PID 2068 wrote to memory of 2116	2068	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe	31
PID 2068 wrote to memory of 2116	2068	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe	31
PID 2068 wrote to memory of 2116	2068	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe	31
PID 2068 wrote to memory of 2116	2068	419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe	31
PID 3052 wrote to memory of 1812	3052	mulyr.exe	34
PID 3052 wrote to memory of 1812	3052	mulyr.exe	34
PID 3052 wrote to memory of 1812	3052	mulyr.exe	34
PID 3052 wrote to memory of 1812	3052	mulyr.exe	34

C:\Users\Admin\AppData\Local\Temp\419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe
"C:\Users\Admin\AppData\Local\Temp\419f3b0e21c8d6841702e28dfdda3526f547219ffb39f9a3e5b7d56d0ce20516.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\mulyr.exe
  "C:\Users\Admin\AppData\Local\Temp\mulyr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\vofum.exe
    "C:\Users\Admin\AppData\Local\Temp\vofum.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
90ecf04d76a514f09e375302d375342e

SHA1
aad04c4559360c6e7264268c75601ff1a11e9a13

SHA256
d30dbb60eabe6a7995ece1c84b231146bee35bf630efd75368c4b4324dea9f3a

SHA512
fe54a57e4cad4eb33af351c10ad3b416df41c8ece60ea47d84933599a285569bed19eff0610eb02813e2eadd8e1528afbda6e207948f19443f48513a504a7062

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b5c062bfefec82d8dcefd73d18b501b1

SHA1
c658b6b2d8037d10d004803742915c919b8d68ab

SHA256
0662ac8856fa1c93323cb1b7be66bf63547ffcdad3f9f521f74b427b09ea4482

SHA512
2198fcaa145228d928ce54f0f711b0349cf0c65b0f6adc7f541811a95832ca7095cee41847491a95899c18d0e5c4d662f82f5211734793ffd73d5f273eabf677

Download Submit
C:\Users\Admin\AppData\Local\Temp\mulyr.exe

Filesize
629KB

MD5
fef3f568fc1a6367b9745cd6013f83dc

SHA1
2188764af98565f830c841202642aafe8af52452

SHA256
03ef4e8c62f295fe171cdac996bd845b6717edf9c6952040879f325fd750feeb

SHA512
1dd5992ff062094dcf7b0a80b18345f00f58a3b78ff7b648ccbbc72e94aa411a66e58b848193ba38d38e04f846c241cd1433d68a0527e414ad22acc9649064cc

Download Submit
\Users\Admin\AppData\Local\Temp\vofum.exe

Filesize
203KB

MD5
e3b4223303e05709d22ed687f41942ca

SHA1
0ae714b03eec45dc1b6a3168cb9131661b0b3cac

SHA256
5003f850252381fe65474c84b9c7263ef5b4f1ab9cd016429f6c92688dcda2ec

SHA512
2bbfb9dd21c61042292af76d80d8d04f4ec6202d77b3a7410a6a4d3a8a658eeaddb04d5784985ea4ac91aa5b684646e0dc3a1a8999fa7512cce303ce817306ba

Download Submit
memory/1812-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1812-37-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1812-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1812-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2068-0-0x0000000000400000-0x000000000049BADB-memory.dmp

Filesize
622KB

Download
memory/2068-12-0x0000000002650000-0x00000000026EC000-memory.dmp

Filesize
624KB

Download
memory/2068-19-0x0000000000400000-0x000000000049BADB-memory.dmp

Filesize
622KB

Download
memory/3052-21-0x0000000000400000-0x000000000049BADB-memory.dmp

Filesize
622KB

Download
memory/3052-32-0x0000000000400000-0x000000000049BADB-memory.dmp

Filesize
622KB

Download
memory/3052-29-0x0000000003430000-0x00000000034CF000-memory.dmp

Filesize
636KB

Download
memory/3052-24-0x0000000000400000-0x000000000049BADB-memory.dmp

Filesize
622KB

Download

Analysis

Sharing