urelas | 57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2

General

Target

57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe
Size

330KB
MD5

8ed8fe4236bd3275ca6fb53ea7adeef0
SHA1

af97463ad45ec8f778be83b82909e222c0076265
SHA256

57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2
SHA512

9e0992b9ae3b18ce3e0daabf36b6e92dc56156ecc291a5c1eafa16b47e60fe99b4766829b45dfe99cfac2fb2fce35507ee8bcea5610db7220428c98328874a20
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYG:vHW138/iXWlK885rKlGSekcj66ciL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	luavm.exe

Executes dropped EXE 2 IoCs

pid	Process
1976	luavm.exe
3568	gavyv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luavm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gavyv.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe
3568	gavyv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1976	2236	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	87
PID 2236 wrote to memory of 1976	2236	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	87
PID 2236 wrote to memory of 1976	2236	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	87
PID 2236 wrote to memory of 3632	2236	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	88
PID 2236 wrote to memory of 3632	2236	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	88
PID 2236 wrote to memory of 3632	2236	57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe	88
PID 1976 wrote to memory of 3568	1976	luavm.exe	110
PID 1976 wrote to memory of 3568	1976	luavm.exe	110
PID 1976 wrote to memory of 3568	1976	luavm.exe	110

C:\Users\Admin\AppData\Local\Temp\57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe
"C:\Users\Admin\AppData\Local\Temp\57f4a5d8b7082f2cf04b6abc9776a835ec40ebb3391ef7a3bfedbdfebec847d2N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\luavm.exe
  "C:\Users\Admin\AppData\Local\Temp\luavm.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\gavyv.exe
    "C:\Users\Admin\AppData\Local\Temp\gavyv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
6e8d954fb1dddba6478e87ba0e58a3b0

SHA1
e7093781d87eca308159a1d1bbd32fe190fc967a

SHA256
4caa108699460495771fe7f2890e821a4fd25a7bd18072f13b57ee25fccf7a5e

SHA512
09ec249e5465ef9c9c89d9a67fbdaa1ed3aa96da2e947262f5ba95cbba7f9b70afec9bcea5a406727d3df6f9a489dcaf10cc89d6c2dc065a04dd59f645654cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gavyv.exe

Filesize
172KB

MD5
134b53b91a448425c97b5bf1edf8667e

SHA1
206079d209d6e9f926727a96ef1a31ef70405614

SHA256
16976ee51b7dbc6a6cff97f3fff35e783f5e5af618fff078ba8c4386cc20e280

SHA512
4e39043181238befd39cbc74cd0dbef0afb079e4c61311e85ff4e689cce35d170b48b3e3d2832e59a36a027034ab59ac5063f5d8962198cfbfdb15b7830e0f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6f36c3e23b00b6d08aa90d3d6f7ee4c5

SHA1
87e4101441ea1951847063c302683e2c95d306cb

SHA256
0290d22bbe34a319b941e3c7707832e21fa51e793157754c64e8e86940044903

SHA512
460231c7636b42208b1d15b1354dca03c2330e6852f090a2d879c355bf5c0f24a7aa7031b8f649ed02e83e4172d81035e3ef57376aa8c3eceb0fcfc03bd34281

Download Submit
C:\Users\Admin\AppData\Local\Temp\luavm.exe

Filesize
330KB

MD5
c1e95cfa5efb96e9dd48d7f2af6b7da7

SHA1
c1f66adacc14de123e5eeed5667750d58cbd402e

SHA256
f4fc8dea7f1606b2708cc217d857330ac9c5e8ec133c50a64bd8bbd3a0d96e47

SHA512
00716421ef481b83a94a017790f01b8179edddf3f8f147e83c171d949f910bd9bba29ce10b9ca4926456e8dcd573a03daf5f07f5d46a924ec6e2b53890e9bcd1

Download Submit
memory/1976-40-0x0000000000CF0000-0x0000000000D71000-memory.dmp

Filesize
516KB

Download
memory/1976-11-0x0000000000CF0000-0x0000000000D71000-memory.dmp

Filesize
516KB

Download
memory/1976-14-0x0000000000CF0000-0x0000000000D71000-memory.dmp

Filesize
516KB

Download
memory/1976-20-0x0000000000CF0000-0x0000000000D71000-memory.dmp

Filesize
516KB

Download
memory/2236-17-0x00000000005F0000-0x0000000000671000-memory.dmp

Filesize
516KB

Download
memory/2236-1-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2236-0-0x00000000005F0000-0x0000000000671000-memory.dmp

Filesize
516KB

Download
memory/3568-37-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download
memory/3568-41-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download
memory/3568-38-0x0000000000D50000-0x0000000000D52000-memory.dmp

Filesize
8KB

Download
memory/3568-46-0x0000000000D50000-0x0000000000D52000-memory.dmp

Filesize
8KB

Download
memory/3568-45-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download
memory/3568-47-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing