urelas | cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098c

General

Target

cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe
Size

592KB
MD5

ede527e53c6cc312aaa1a1737452c520
SHA1

accd4d8966a21cabde31941b3fe6d71f62d3a745
SHA256

cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098c
SHA512

16301ec885cc2353451c15d6b8f86d0e8cb5445c7deedc1a62e4ed2c36be92aaa5e6f94d406f39dc6312999f5b020b34e4f0faff3840474b0be617178af1b799
SSDEEP

6144:CZKHKSIl0SatLPTUrjBpAs/mpYIqaaUN44Iq766ztAkOHn0LHZR0:C4jm0Sat7Az/gZvTIq2WKkw0Fe

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	xopui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe

Executes dropped EXE 2 IoCs

pid	Process
740	xopui.exe
2268	fuqil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuqil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xopui.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe
2268	fuqil.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 740	3708	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe	88
PID 3708 wrote to memory of 740	3708	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe	88
PID 3708 wrote to memory of 740	3708	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe	88
PID 3708 wrote to memory of 2308	3708	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe	89
PID 3708 wrote to memory of 2308	3708	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe	89
PID 3708 wrote to memory of 2308	3708	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe	89
PID 740 wrote to memory of 2268	740	xopui.exe	106
PID 740 wrote to memory of 2268	740	xopui.exe	106
PID 740 wrote to memory of 2268	740	xopui.exe	106

C:\Users\Admin\AppData\Local\Temp\cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe
"C:\Users\Admin\AppData\Local\Temp\cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Users\Admin\AppData\Local\Temp\xopui.exe
  "C:\Users\Admin\AppData\Local\Temp\xopui.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\fuqil.exe
    "C:\Users\Admin\AppData\Local\Temp\fuqil.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
0a24be36d4272a2da52e0b5d618e5682

SHA1
a0679ad9cfd00754381182d344b0a09af00a225a

SHA256
9a92ff8d26de32da382c514c68acc982d5ac67ae53e026d15664e36bb97de129

SHA512
75e22d7d1268191335ca4b6f61843fd9c99a4f16173bb407860f546cd6cd6b1672555725f8a372c3cf77e4b91b6c69ba0b429ae589788a99b2a2ec0e7d9de460

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuqil.exe

Filesize
323KB

MD5
b365569ffc9ee1bc13ad577ecfe4691f

SHA1
d2343b59798d2aa6599660c78dffc1ff2bb83497

SHA256
eb7ecd384382a24ebe3ed80b10ad8b178f7c5df6d559bad8634d004ae66d20e7

SHA512
6aaeabdd915f7dc87b01132d36f09b190102bddeedb9a68c0bed3a62216d9efe967d8a8e3a4410170377cc1d6918d55e52ca71ed51cb44931817b3fcd6f6a368

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a95bef2f0474ac3ce1862c01f3c196ec

SHA1
ab34714f53287e4039ebd8f10fc49bb1eb651ef4

SHA256
63af98dfd8b48a0529a406fe46babbe966e407d9c4e5e5588f6e48dc1ba2daf8

SHA512
4d29f110c0d5b59d311496e35938db2de93e0b7697e7d9de3d88a0388fac0d7bf44b83b704a36b92eec87b0e1a6cb0a2d05a71afc08d3c55c7f7eac282c0e2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\xopui.exe

Filesize
592KB

MD5
866fcc8a68362e53b7c3008de8dcceba

SHA1
783de6231133d67cc8bf4d05d80bd444e199359a

SHA256
2d01ee66ecdef9fec51bb1c61b75eb18f5254b8508b7bef0a1bb7d4c9552b014

SHA512
7eb9520ff93aca42188fe4aac9a72829383022115309600110b08465d118c054259668330613f21616626e06ca7af8f0a7dffe1b846ee474f67f6369f52c6c03

Download Submit
memory/740-11-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2268-25-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2268-24-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2268-28-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2268-27-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2268-29-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3708-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing