urelas | f2ca2511b414dfdddd8aaf75a968acb77edcdcde4ec9cbbcd026de737ef173bd

General

Target

59c49c0b0b8c653cc95a856a558ae0a0N.exe
Size

53KB
MD5

59c49c0b0b8c653cc95a856a558ae0a0
SHA1

795e4ce91db3be9db49e562a7b62a11a711e208c
SHA256

f2ca2511b414dfdddd8aaf75a968acb77edcdcde4ec9cbbcd026de737ef173bd
SHA512

605194f36f6112f371df738e26dd512364ace472e8b5be4dc55a8a9adbefdcd963d7e60d6fce8769358704a5908145ac24938c6571f1930bd0e184229c75c91e
SSDEEP

1536:TlnBzGPEdPJpUI4QP4BDK3XmbPfKJ97ifw:JnBGPUMQwBDamb3a7iY

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2780 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

1096 biudfw.exe
Loads dropped DLL 1 IoCs

Processes:

59c49c0b0b8c653cc95a856a558ae0a0N.exe

pid process

1780 59c49c0b0b8c653cc95a856a558ae0a0N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2780	cmd.exe

pid	process
1096	biudfw.exe

pid	process
1780	59c49c0b0b8c653cc95a856a558ae0a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

59c49c0b0b8c653cc95a856a558ae0a0N.exebiudfw.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59c49c0b0b8c653cc95a856a558ae0a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

59c49c0b0b8c653cc95a856a558ae0a0N.exe

description	pid	process	target process
PID 1780 wrote to memory of 1096	1780	59c49c0b0b8c653cc95a856a558ae0a0N.exe	biudfw.exe
PID 1780 wrote to memory of 1096	1780	59c49c0b0b8c653cc95a856a558ae0a0N.exe	biudfw.exe
PID 1780 wrote to memory of 1096	1780	59c49c0b0b8c653cc95a856a558ae0a0N.exe	biudfw.exe
PID 1780 wrote to memory of 1096	1780	59c49c0b0b8c653cc95a856a558ae0a0N.exe	biudfw.exe
PID 1780 wrote to memory of 2780	1780	59c49c0b0b8c653cc95a856a558ae0a0N.exe	cmd.exe
PID 1780 wrote to memory of 2780	1780	59c49c0b0b8c653cc95a856a558ae0a0N.exe	cmd.exe
PID 1780 wrote to memory of 2780	1780	59c49c0b0b8c653cc95a856a558ae0a0N.exe	cmd.exe
PID 1780 wrote to memory of 2780	1780	59c49c0b0b8c653cc95a856a558ae0a0N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe
"C:\Users\Admin\AppData\Local\Temp\59c49c0b0b8c653cc95a856a558ae0a0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b4a86880004da8726288d7ec954885a8

SHA1
1bab1cfbdc2c540246210bc7852f8fe7e8357b31

SHA256
c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46

SHA512
22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
dc3b7247571d901221119c4a9a1e0b6e

SHA1
ed0d64d767b68c42edf7cb7105465e4b4e6bd289

SHA256
9ee625b0f3bc3f677e0fae141a42d8fb3db34bd4797f9f77d2d0e4b9cba3de35

SHA512
052bc92cca76501b448962caae62833a49202d331e889b48696b185ac2dd3b1f4c72da7269574927e2cb41960b3f8f14ac1fba9112dcc98191990f8d0d7fb0f7

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
53KB

MD5
bcf61b83a671c1af4562fdec80798176

SHA1
c912469b88e43c9f6ae3c050ccc159244db76c7a

SHA256
1650b682791440006403ce3f10fa6cf2ddb87b6dd4c12ffa813069dc192a51d4

SHA512
3954942ea65a6cc1c0395796e54959b35644798c8ff7d981a1e0fe6e255ca78e12f40b102c5179cfeed54fe9a675b99176413af379561a14127f916a52488288

Download Submit
memory/1096-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1096-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1096-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1096-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1780-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1780-16-0x0000000002CE0000-0x0000000002D08000-memory.dmp

Filesize
160KB

Download
memory/1780-19-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing