urelas | 2b26868cdea1e236721c55cf842cce7d4a0aec370543c6a819dda8ccb8570d43

General

Target

b8f788750bcdec10cdca7daa18c166f0N.exe
Size

324KB
MD5

b8f788750bcdec10cdca7daa18c166f0
SHA1

5ae561b0a5a5cdfa1aadb20f2355e718670c471c
SHA256

2b26868cdea1e236721c55cf842cce7d4a0aec370543c6a819dda8ccb8570d43
SHA512

7df0a5b99a15d111ef047eb455243d715cb3d987e1bf043ca7f4124cf2d4db558a2be7b5eecc27ee367b3b41d6942261bde9b80419de04d5b97d60a7a79f7d67
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYuA:vHW138/iXWlK885rKlGSekcj66ciU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b8f788750bcdec10cdca7daa18c166f0N.exezirid.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	b8f788750bcdec10cdca7daa18c166f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	zirid.exe

Executes dropped EXE 2 IoCs

Processes:

zirid.exetuxyi.exe

pid process

2080 zirid.exe
1432 tuxyi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2080	zirid.exe
1432	tuxyi.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b8f788750bcdec10cdca7daa18c166f0N.exezirid.execmd.exetuxyi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8f788750bcdec10cdca7daa18c166f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zirid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tuxyi.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

tuxyi.exe

pid	process
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe
1432	tuxyi.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b8f788750bcdec10cdca7daa18c166f0N.exezirid.exe

description	pid	process	target process
PID 2600 wrote to memory of 2080	2600	b8f788750bcdec10cdca7daa18c166f0N.exe	zirid.exe
PID 2600 wrote to memory of 2080	2600	b8f788750bcdec10cdca7daa18c166f0N.exe	zirid.exe
PID 2600 wrote to memory of 2080	2600	b8f788750bcdec10cdca7daa18c166f0N.exe	zirid.exe
PID 2600 wrote to memory of 1040	2600	b8f788750bcdec10cdca7daa18c166f0N.exe	cmd.exe
PID 2600 wrote to memory of 1040	2600	b8f788750bcdec10cdca7daa18c166f0N.exe	cmd.exe
PID 2600 wrote to memory of 1040	2600	b8f788750bcdec10cdca7daa18c166f0N.exe	cmd.exe
PID 2080 wrote to memory of 1432	2080	zirid.exe	tuxyi.exe
PID 2080 wrote to memory of 1432	2080	zirid.exe	tuxyi.exe
PID 2080 wrote to memory of 1432	2080	zirid.exe	tuxyi.exe

C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe
"C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\zirid.exe
"C:\Users\Admin\AppData\Local\Temp\zirid.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\AppData\Local\Temp\tuxyi.exe
"C:\Users\Admin\AppData\Local\Temp\tuxyi.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- System Location Discovery: System Language Discovery
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
278B

MD5
4bdf2c8288ae06e45710056749f1d337

SHA1
3b88947abd5b1fca78c668f647393a26f0307073

SHA256
11e92f37d446d4b84dc610d076e96f67471fa566245d5c0299084a8086b68e2a

SHA512
83f8aa91fabc6d745ae8d5efc621da8e951cf3cb5f7b1727ecdc72bcdd5b6d78d2f7c81495befaaaa6a3ecc416b4df6a0c0bcc98cbe5fee86155c51a6a082999

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9c3160dd18e8b83e8caefddffbb79ed5

SHA1
27e623dbeeab71b4b9fb41776ed1801f3528001a

SHA256
f6b87362a92883d13ac8990c11938277aa09d34a77ac720d85ba589701bc7506

SHA512
25608d13adf73633ea40f0c1ad13bb99fca75428d19aa47aab45b1105922496995c104b9dce54e53580e980a430f5371c0b0322b36902ddaa1d654730330cbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuxyi.exe

Filesize
172KB

MD5
fff2c0bbc1e5a1b7d3642abfced2e894

SHA1
63604a55e724783334cc21c33d3969aa9c8e58b5

SHA256
f997cb76fa67b167a41e42d8bf41202c563115a6cde2e21a5dedc7d92ecfc033

SHA512
c19cddf237014f0b4f31565fe2cf9b04e1218e279c9f83c5ab3a10da05f2d3c9ab7fab7250c68235d01f9707c2ec14ee5def6385d7a2a9045a5663ae4c0ec33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zirid.exe

Filesize
324KB

MD5
88d17865cd64642743993691b0981d96

SHA1
29adb5d43a8ccbdb13923b1b4995a8b472068f15

SHA256
3ff0de3e93d44c856db03571c07956e28a98b566c6b0b6d25b2ceb718726fd8a

SHA512
b5d3069e5a6eee3f3605fda26e7306337de2a7ddd2681acef0453560e2c5a5c77c8f51c72a1c34c450f2339ac3c31ede2c335eab952e0102bf91876d5d4d7124

Download Submit
memory/1432-40-0x0000000000E00000-0x0000000000E02000-memory.dmp

Filesize
8KB

Download
memory/1432-41-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/1432-39-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/1432-45-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/2080-12-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2080-11-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download
memory/2080-20-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download
memory/2080-38-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download
memory/2600-17-0x00000000004A0000-0x0000000000521000-memory.dmp

Filesize
516KB

Download
memory/2600-1-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2600-0-0x00000000004A0000-0x0000000000521000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads