urelas | 2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804

General

Target

2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe
Size

331KB
MD5

84affb81f44aa2c83eb85713533b18c0
SHA1

e1127087f960860fc7343bf44e3af267ae2bfaaa
SHA256

2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804
SHA512

053984cda524ed05bea35de15e362deab1f26875768c33e7cf9ce8b863318f01113e87354b597ab2848db93583e5b7a813c6dd86487c550a73930463aabd449c
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66cic

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	jedet.exe

Executes dropped EXE 2 IoCs

pid	Process
3928	jedet.exe
1364	hucol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jedet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hucol.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe
1364	hucol.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 3928	4592	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe	89
PID 4592 wrote to memory of 3928	4592	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe	89
PID 4592 wrote to memory of 3928	4592	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe	89
PID 4592 wrote to memory of 4324	4592	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe	90
PID 4592 wrote to memory of 4324	4592	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe	90
PID 4592 wrote to memory of 4324	4592	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe	90
PID 3928 wrote to memory of 1364	3928	jedet.exe	103
PID 3928 wrote to memory of 1364	3928	jedet.exe	103
PID 3928 wrote to memory of 1364	3928	jedet.exe	103

C:\Users\Admin\AppData\Local\Temp\2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe
"C:\Users\Admin\AppData\Local\Temp\2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Local\Temp\jedet.exe
  "C:\Users\Admin\AppData\Local\Temp\jedet.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Users\Admin\AppData\Local\Temp\hucol.exe
    "C:\Users\Admin\AppData\Local\Temp\hucol.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f24ded1a2bb52c6e9e786a1357714701

SHA1
af694bb8cb69e290fc5f342d62d290faf8833a9b

SHA256
c1b8be4bdf4d67408af727c55f8100d8f31f9483c6978103746ab6b77086333b

SHA512
95e86d451d3cfcb73a533186935b3b85a25b020861e4d3056de950faa9378576adc93775802db2177b6fdbb324f1e0ad8f337e7641505b91a24819feb17d918a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0c37b728f4f4ce7efb9e6269c8119ffa

SHA1
211fb7de66a1023febdb0841ea6e4999ff6a1b52

SHA256
9af8cc5a6ac6d3f307ac8d96f0c5fdcc4d2d5bef6014e4669f446b2708458331

SHA512
16468a3fe0fe26abf699457d365433e1f6174c501beedd38abba127645ba5656a4b2eb1d340c58998ab9b9a4fd8dba2887406415b7caf367fe30696c3476933d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hucol.exe

Filesize
172KB

MD5
b282aa3e4c09f6af2df1f683acaa21b9

SHA1
1cdec2c9ffbc2637f400eb0bf526241424e4aa0f

SHA256
3157b1ea06309d6ef65ffcfef6b09c864209ce04ec25fff417cd854ddcccc024

SHA512
b8a17232ee2737890bab2a295003654961daefd888a7cb3cfbf6e8ee3db790eecec0b875e76c27dd1e0be28bb4ac0528cc173663828edbeba73d23d4b1de099e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jedet.exe

Filesize
331KB

MD5
c7ce39efa7c2a73dbd293eec52104a93

SHA1
ac40885da33610b67ffe5d2849174c06b4294c39

SHA256
b7a8231fc4b9bb62218a6dd31c661a082cf597f1819a0be84ffa8e63283f70d8

SHA512
2e4d862d158d4a8d2fc826cc1125592e16e68f3dbd53403a13d361cc00578bae51caf8d10dee9b7d0f1d61ab6c45b1f6409f312844105e96ea432423fb8783c3

Download Submit
memory/1364-48-0x0000000000720000-0x00000000007B9000-memory.dmp

Filesize
612KB

Download
memory/1364-47-0x0000000000720000-0x00000000007B9000-memory.dmp

Filesize
612KB

Download
memory/1364-46-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download
memory/1364-42-0x0000000000720000-0x00000000007B9000-memory.dmp

Filesize
612KB

Download
memory/1364-38-0x0000000000720000-0x00000000007B9000-memory.dmp

Filesize
612KB

Download
memory/1364-39-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download
memory/3928-11-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/3928-21-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/3928-20-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/3928-41-0x0000000000FD0000-0x0000000001051000-memory.dmp

Filesize
516KB

Download
memory/3928-14-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/4592-17-0x0000000000650000-0x00000000006D1000-memory.dmp

Filesize
516KB

Download
memory/4592-0-0x0000000000650000-0x00000000006D1000-memory.dmp

Filesize
516KB

Download
memory/4592-1-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing