urelas | 699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c

General

Target

7Y18r(156).exe
Size

338KB
MD5

4b618ee7eb34d9776481ce7809bf23c0
SHA1

50be72c1861ba577f12872fe5f068a674afe91c3
SHA256

699128c70cc5be077b4dfa9b30776b3f7735fa678da85284c671c5654c94609c
SHA512

58ef134e82912754e09775b9ebdb99828cf81fc8a432e3f20e015e0ed4ad98fcf6fbca9127fe0a6b64099868e4ca1785a6d8c47d7ac853081e4392b800911110
SSDEEP

6144:i5tYTzqklVw910CIWrC9foCChVN6XCLWk6aMWgziMV1AXj16NYuLDuUcOibi5EB9:iUPTCBC9A/VIXCCkMWguMcj0vbd5E0/O

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7Y18r(156).exefesah.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	7Y18r(156).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	fesah.exe

Executes dropped EXE 2 IoCs

Processes:

fesah.exezuwyt.exe

pid process

3268 fesah.exe
3404 zuwyt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3268	fesah.exe
3404	zuwyt.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exezuwyt.exe7Y18r(156).exefesah.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuwyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7Y18r(156).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fesah.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

zuwyt.exe

pid	process
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe
3404	zuwyt.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7Y18r(156).exefesah.exe

description	pid	process	target process
PID 3848 wrote to memory of 3268	3848	7Y18r(156).exe	fesah.exe
PID 3848 wrote to memory of 3268	3848	7Y18r(156).exe	fesah.exe
PID 3848 wrote to memory of 3268	3848	7Y18r(156).exe	fesah.exe
PID 3848 wrote to memory of 2592	3848	7Y18r(156).exe	cmd.exe
PID 3848 wrote to memory of 2592	3848	7Y18r(156).exe	cmd.exe
PID 3848 wrote to memory of 2592	3848	7Y18r(156).exe	cmd.exe
PID 3268 wrote to memory of 3404	3268	fesah.exe	zuwyt.exe
PID 3268 wrote to memory of 3404	3268	fesah.exe	zuwyt.exe
PID 3268 wrote to memory of 3404	3268	fesah.exe	zuwyt.exe

C:\Users\Admin\AppData\Local\Temp\7Y18r(156).exe
"C:\Users\Admin\AppData\Local\Temp\7Y18r(156).exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3848

C:\Users\Admin\AppData\Local\Temp\fesah.exe
"C:\Users\Admin\AppData\Local\Temp\fesah.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3268

C:\Users\Admin\AppData\Local\Temp\zuwyt.exe
"C:\Users\Admin\AppData\Local\Temp\zuwyt.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- System Location Discovery: System Language Discovery
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
232B

MD5
716833cbed19737c347390925805646a

SHA1
33c484ea81bf925b7e82584250c7b8c3e26f9fdc

SHA256
3c6dfe17a6e2e31714c57b6d6e29df61765c70f6711e01eed296e05ea21bd839

SHA512
dfcb304107a63525e294b0c9440eef0f1e21cc7e4f1108f5d0455906ee7f3364959b22c72e4c02de52909924cbd23715e12b3d78ac0ebbce88c07c2d0b1e6246

Download Submit
C:\Users\Admin\AppData\Local\Temp\fesah.exe

Filesize
338KB

MD5
ab3f142f386eba9c7409f5f0f4dd3ee5

SHA1
fe2bd12238bb919ebbe38e5afe27baa448de14c0

SHA256
126a332e00e35112101064dc1711d374e023d9a1127eabb68025d158b73d8f4c

SHA512
207b865d0d835e61e9cb976121cc8b2555e29c93ee41e72e2ab36ded7cdcea9a75f81a34cece0c881ce05fe6daa988132e56c148a7554bfcc4d80532ad2e32c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c5acb6df4a6de722df2fb7ef30cc1a47

SHA1
9b01866558504a109c4633dffd802fdaa1c444de

SHA256
9bc6098c19f0321b2345951a9af80cc3bd72f129abaaa1ba7d0ada3354e00c19

SHA512
34364d72fa5eb230378e242e2f021b6fad89cf1a1ea70b5ad345e29808a67fe067a9f70dcdc928824de22458cc7756eaae38dc8b53d35ad9e25ae19c0f675a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuwyt.exe

Filesize
226KB

MD5
ab825a5daf4b4452a4b0d3e2ba680a5c

SHA1
dc5f1f7f2c61e1f59a0a002917cb30374cfb357d

SHA256
ebd51bdcf1b5178ab45f5ea997fee73ad4aef6fad2630d1a317bde3be0b8828f

SHA512
f4f0032be08180f61bcb9ec86367e2d70a3d6b1c6dd5a5845d2408bcd99858336b5c872a9a0e9c2a865e6e88419da4c0f6f5dbc518e154c86dce98c655e4a8cb

Download Submit
memory/3268-20-0x0000000000C20000-0x0000000000CA7000-memory.dmp

Filesize
540KB

Download
memory/3268-37-0x0000000000C20000-0x0000000000CA7000-memory.dmp

Filesize
540KB

Download
memory/3268-14-0x0000000000C20000-0x0000000000CA7000-memory.dmp

Filesize
540KB

Download
memory/3268-15-0x0000000000CA6000-0x0000000000CA7000-memory.dmp

Filesize
4KB

Download
memory/3404-42-0x0000000000CE0000-0x0000000000D90000-memory.dmp

Filesize
704KB

Download
memory/3404-39-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/3404-38-0x0000000000CE0000-0x0000000000D90000-memory.dmp

Filesize
704KB

Download
memory/3404-41-0x0000000000CE0000-0x0000000000D90000-memory.dmp

Filesize
704KB

Download
memory/3404-43-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/3404-44-0x0000000000CE0000-0x0000000000D90000-memory.dmp

Filesize
704KB

Download
memory/3404-45-0x0000000000CE0000-0x0000000000D90000-memory.dmp

Filesize
704KB

Download
memory/3404-46-0x0000000000CE0000-0x0000000000D90000-memory.dmp

Filesize
704KB

Download
memory/3848-1-0x0000000000906000-0x0000000000907000-memory.dmp

Filesize
4KB

Download
memory/3848-0-0x0000000000880000-0x0000000000907000-memory.dmp

Filesize
540KB

Download
memory/3848-17-0x0000000000880000-0x0000000000907000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads