urelas | 4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8

General

Target

4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe
Size

399KB
MD5

d95620e95fc27136f7ed060ca4ddad5f
SHA1

495fe9777d72145a86e2ba49a6718a57e41cba39
SHA256

4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8
SHA512

5603240c90411e55ec0afc2379a135d693effdbf2765983bfa12b82cd2006b07bf19694ad415db8211c8d9f4200146e0cafd88bcda0ccdaaa4085957552a5d01
SSDEEP

6144:1sa1jZVgy03se7k5kBTTg7YMz6j8GuHEqqtKKUrBwj3bT3RzV:rtVgyuse2kBXg7Cj81cKK7jfRV

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exefuzyw.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	fuzyw.exe

Executes dropped EXE 2 IoCs

Processes:

fuzyw.exeacnuk.exe

pid process

2940 fuzyw.exe
624 acnuk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2940	fuzyw.exe
624	acnuk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

acnuk.exe

pid	process
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe
624	acnuk.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exefuzyw.exe

description	pid	process	target process
PID 436 wrote to memory of 2940	436	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe	fuzyw.exe
PID 436 wrote to memory of 2940	436	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe	fuzyw.exe
PID 436 wrote to memory of 2940	436	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe	fuzyw.exe
PID 436 wrote to memory of 4404	436	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe	cmd.exe
PID 436 wrote to memory of 4404	436	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe	cmd.exe
PID 436 wrote to memory of 4404	436	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe	cmd.exe
PID 2940 wrote to memory of 624	2940	fuzyw.exe	acnuk.exe
PID 2940 wrote to memory of 624	2940	fuzyw.exe	acnuk.exe
PID 2940 wrote to memory of 624	2940	fuzyw.exe	acnuk.exe

C:\Users\Admin\AppData\Local\Temp\4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe
"C:\Users\Admin\AppData\Local\Temp\4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Local\Temp\fuzyw.exe
"C:\Users\Admin\AppData\Local\Temp\fuzyw.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\acnuk.exe
"C:\Users\Admin\AppData\Local\Temp\acnuk.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:4404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
340B

MD5
e184f5b14ab81f71cacf25420cfcf4f5

SHA1
73584660a64fe1a8b33de78025aa205d801c6a9f

SHA256
776e2eb30664f339452de1a7a6b98dbf50a43137234bf4e59d4a4fcda9c11e35

SHA512
a33fd5f05577d5f0523d76068de03c9b0b7a700e2173b50f18cd1101c9abc36affabb9a7706fe9f561a0ec4107b85fac4cc6739b50738ba8502b2af0e683887d

Download Submit
C:\Users\Admin\AppData\Local\Temp\acnuk.exe
Filesize
206KB

MD5
b528ed191a02f80564f6bcf5aa13cfa5

SHA1
7f107148afa09fb85856fcf212268be83f1a90f5

SHA256
ee702e6bb3a8894633b476e36a1d2b9ab2babc4e05872e59df33ea19b48efb83

SHA512
a9a6e784bcaeac69da088d676b72e8901fa712c7dc60cc2e7f8c064bd3988b0c2e1beb7bd60719d1410cd923637d6a7a48f9f60f9896966fa450cc84ddcf8081

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuzyw.exe
Filesize
399KB

MD5
1af701d80f5d5669da38d0854228fdf4

SHA1
02eb8fd86ebb10058f49ef40cc159eeed872319a

SHA256
fcb504f3350ee14814a575397a25a133bccd5e9722c182fba9f3ba07753acca7

SHA512
0b72edf318106d3913a11d28804c3ee541705718f35a77ee4d89510ecff63a634988d0ca1cae1607a5db7c20b2f1c47b306d68864bba939984735be9c7f4953f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
11b2e8a5b710bbf42ba2e6ad775041ae

SHA1
5dcc991a90e3d0e2924bce43e94dd1f0872a5b82

SHA256
7adf9723dbf11a73219a1313ea857e0f9e6eb13ea428a80f70c7eb8f4a777247

SHA512
6ceb1088db533f7c4095c79a922ea54caa11a3c7a3d027243b06b89649fbf6c00745d639ea45dd0e02f6c7fe290c42e70c10048ca8f251ea3472fe4fc4b54fd4

Download Submit
memory/436-14-0x0000000000B40000-0x0000000000BA8000-memory.dmp

Filesize
416KB

Download
memory/436-0-0x0000000000B40000-0x0000000000BA8000-memory.dmp

Filesize
416KB

Download
memory/624-27-0x0000000000C70000-0x0000000000D0B000-memory.dmp

Filesize
620KB

Download
memory/624-26-0x0000000000D0A000-0x0000000000D0B000-memory.dmp

Filesize
4KB

Download
memory/624-29-0x0000000000C70000-0x0000000000D0B000-memory.dmp

Filesize
620KB

Download
memory/624-30-0x0000000000C70000-0x0000000000D0B000-memory.dmp

Filesize
620KB

Download
memory/624-31-0x0000000000C70000-0x0000000000D0B000-memory.dmp

Filesize
620KB

Download
memory/624-32-0x0000000000C70000-0x0000000000D0B000-memory.dmp

Filesize
620KB

Download
memory/624-33-0x0000000000C70000-0x0000000000D0B000-memory.dmp

Filesize
620KB

Download
memory/2940-11-0x0000000000EC0000-0x0000000000F28000-memory.dmp

Filesize
416KB

Download
memory/2940-25-0x0000000000EC0000-0x0000000000F28000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads