urelas | b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04

General

Target

b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe
Size

326KB
MD5

dd9302be82e57d59ab5a6c4a424aa400
SHA1

df7211ed1d49b7cb0e1ea919137b83fc1ca944ab
SHA256

b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04
SHA512

aeb2261087939027844d5a488b7de6e3381e72dc7dceeaf27f07b8e2ce329535020245193a0ca5db091631cfded93b66786c546dba31fb0a46b09c2c93c14b01
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYf:vHW138/iXWlK885rKlGSekcj66cim

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	reafq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe

Executes dropped EXE 2 IoCs

pid	Process
532	reafq.exe
3404	alhec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reafq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alhec.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe
3404	alhec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 532	3532	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe	87
PID 3532 wrote to memory of 532	3532	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe	87
PID 3532 wrote to memory of 532	3532	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe	87
PID 3532 wrote to memory of 1148	3532	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe	88
PID 3532 wrote to memory of 1148	3532	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe	88
PID 3532 wrote to memory of 1148	3532	b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe	88
PID 532 wrote to memory of 3404	532	reafq.exe	108
PID 532 wrote to memory of 3404	532	reafq.exe	108
PID 532 wrote to memory of 3404	532	reafq.exe	108

C:\Users\Admin\AppData\Local\Temp\b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe
"C:\Users\Admin\AppData\Local\Temp\b8be927711a68a75e15d0e63484a566b3a2c873df09a85d4729c187d7806ae04N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\reafq.exe
  "C:\Users\Admin\AppData\Local\Temp\reafq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\alhec.exe
    "C:\Users\Admin\AppData\Local\Temp\alhec.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
7c8d66b2784794a913ad2727b704332a

SHA1
8d9f1a0c80d7633d1a6e33a5f5a196380ee4be12

SHA256
47a9c39242233e306122c0f22b453d94e58c1741a6c7fa55b5163a1fd1d1248b

SHA512
98a52e357eac539a65185ffc07043ac4f00337fcdba34706f672a4542680934eb30c9b70d8e0c2fc2237bc96769ed96fffb4e0627b0bc603c68acd86e83feccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\alhec.exe

Filesize
172KB

MD5
aed0274ac8e1426390e8db8150750856

SHA1
1c062afdd48da30f5a2da6e8b024a1299ab39e5b

SHA256
171c8914157e5226695277e564d0b8f7d357969ea36223b34526e4ddb5d670f7

SHA512
352e1561a2165f278af0cb8faf25a829ec2161bc05a9c4bf307b513e06aeae74441106ac4cc74d82b0858808d4cee3ae6024ac4fb9dcab5e63d4883abfcb25e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ed3aa9727341a9cf6dd6047def9d9294

SHA1
f6f673c20e2d6126da9df366ca448801fd753abd

SHA256
fd92d976e3210c7845a3717afb7a5e940d413d65bb9328ef4dfc45807e441bcb

SHA512
f7a8ac38cada7a7529e9ce234f917c795e36515ea5810d56fc90f0e9f8ce3ba5d4fdf50886a2d21aefe90924c473bedfd4de9890ac3166359df5e478ef948066

Download Submit
C:\Users\Admin\AppData\Local\Temp\reafq.exe

Filesize
326KB

MD5
d89e36b1a53197995b1c4f8ecaff7e40

SHA1
600d0ae9a952c0b08c6ce7a4f288ed2eca2bce3d

SHA256
ef6fbaa88d27d33b6c175f251be188e6806b9cbe37ebb5664237b334bc227dcf

SHA512
34fa99d773f8280945b22e455632cc92515483df59ca41e5a9375238475646c2083bc68d029d8578f2c9f1fb33817c4c4fd5ae8d8c5bb1d202815a397cb8ecaa

Download Submit
memory/532-20-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/532-13-0x0000000000830000-0x00000000008B1000-memory.dmp

Filesize
516KB

Download
memory/532-14-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/532-21-0x0000000000830000-0x00000000008B1000-memory.dmp

Filesize
516KB

Download
memory/532-44-0x0000000000830000-0x00000000008B1000-memory.dmp

Filesize
516KB

Download
memory/3404-38-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/3404-42-0x0000000000910000-0x0000000000912000-memory.dmp

Filesize
8KB

Download
memory/3404-41-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/3404-46-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/3404-47-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/3532-17-0x0000000000DF0000-0x0000000000E71000-memory.dmp

Filesize
516KB

Download
memory/3532-0-0x0000000000DF0000-0x0000000000E71000-memory.dmp

Filesize
516KB

Download
memory/3532-1-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing