urelas | bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342

General

Target

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
Size

332KB
MD5

a802406b8f20f3c1120794c61e6ea080
SHA1

1a6bebbfbe96c6a8dfb577f89032caa18413e6ed
SHA256

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342
SHA512

ff3617fa3ac161512fc3e13d75cc77542a5f0976a0d2583b336578e309c7c6fdb07f3c6f711410ad38e1fa8182dde94ca4490de70ec66937f114146c46631004
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVC:vHW138/iXWlK885rKlGSekcj66ciEC

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exezuhyt.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	zuhyt.exe

Executes dropped EXE 2 IoCs

Processes:

zuhyt.execoevn.exe

pid	Process
4224	zuhyt.exe
4140	coevn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exezuhyt.execmd.execoevn.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuhyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coevn.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

coevn.exe

pid	Process
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe
4140	coevn.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exezuhyt.exe

description	pid	Process	procid_target
PID 4244 wrote to memory of 4224	4244	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	88
PID 4244 wrote to memory of 4224	4244	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	88
PID 4244 wrote to memory of 4224	4244	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	88
PID 4244 wrote to memory of 3152	4244	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	89
PID 4244 wrote to memory of 3152	4244	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	89
PID 4244 wrote to memory of 3152	4244	bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe	89
PID 4224 wrote to memory of 4140	4224	zuhyt.exe	104
PID 4224 wrote to memory of 4140	4224	zuhyt.exe	104
PID 4224 wrote to memory of 4140	4224	zuhyt.exe	104

C:\Users\Admin\AppData\Local\Temp\bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe
"C:\Users\Admin\AppData\Local\Temp\bb304b10f102c0137f15ea0357f2d2f148814e1dfd99d68e28b00854f8a65342N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\zuhyt.exe
  "C:\Users\Admin\AppData\Local\Temp\zuhyt.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Users\Admin\AppData\Local\Temp\coevn.exe
    "C:\Users\Admin\AppData\Local\Temp\coevn.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f97f8213a4f0d7fa17839b84e35f1359

SHA1
158608023d066718130cba51f540f9719d6e0d1c

SHA256
cb262acda89e1b82055d31a120fb3b36e8908cd6db0d135b1ca6193b0a0a68ed

SHA512
40d61ddd719878c163d3d19e3002dffa454401082bc502971e5c02c92d335a330d6c1f44f58907f4f0367b35cd20f4840c924497962c74e4df39544ac0fe578f

Download Submit
C:\Users\Admin\AppData\Local\Temp\coevn.exe

Filesize
172KB

MD5
b45b9bf50e58003c28e6fdc9e4a56064

SHA1
0f2311889a3ff02698a0d6eed64123bcf96c5794

SHA256
d323ea2ea43dde71b6b1b95c85a6f570696b19693ae7fa7f4400ea62e265912c

SHA512
a06eb70406cd4f31ee8b75e980ba8c639bbefb16d7988d9e3fc90a578873c60e9aca77ef09109f0cd569046c9ddce6716a429428c39b8d3ec1bc5024b794999c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0c2ffe4a37f864447bfb768bc99390e8

SHA1
af24f6e45082233ddd9314daaa12253d90f6a021

SHA256
84fd4222bb80934645380b7a76e87ef7ad63333df3631e03fd0ec08910727fa2

SHA512
03572184c5279ac6a35f265097fa925e4d6671fa3b14134f1b91cf08fc407cfbe2712aaf68447795f70c3b6f31dd855eb0dd3f8321a0ee01ae0003a108c9d899

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuhyt.exe

Filesize
332KB

MD5
9b049537713e8474a7a1afc81a3d1421

SHA1
36105503cad41c547564a6fbfda70c626e74bbf9

SHA256
b544e7dc8c5ef8deb99f34b7a01fd78d980b7a6f41059a33c2010c50fa8aae02

SHA512
20bbd33182fa914a18011a860808df73fce9eb4132f8bd175aebed3bdb77de08e8d87ef088bdceb4bb5a2399979d223c92e3779dc6cc2ab7d1d32ac77d8a5d86

Download Submit
memory/4140-48-0x0000000000BA0000-0x0000000000C39000-memory.dmp

Filesize
612KB

Download
memory/4140-47-0x0000000000BA0000-0x0000000000C39000-memory.dmp

Filesize
612KB

Download
memory/4140-46-0x0000000000BA0000-0x0000000000C39000-memory.dmp

Filesize
612KB

Download
memory/4140-40-0x0000000000BA0000-0x0000000000C39000-memory.dmp

Filesize
612KB

Download
memory/4140-39-0x0000000000BA0000-0x0000000000C39000-memory.dmp

Filesize
612KB

Download
memory/4140-38-0x0000000000BA0000-0x0000000000C39000-memory.dmp

Filesize
612KB

Download
memory/4224-11-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/4224-21-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4224-20-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/4224-44-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/4224-13-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4244-17-0x0000000000B50000-0x0000000000BD1000-memory.dmp

Filesize
516KB

Download
memory/4244-0-0x0000000000B50000-0x0000000000BD1000-memory.dmp

Filesize
516KB

Download
memory/4244-1-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads