urelas | 96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572

General

Target

96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe
Size

330KB
MD5

3a68bb128a59328497ab1547eb478530
SHA1

8f7a15df1faeb57364891133ea4f8c2f60cc70ac
SHA256

96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572
SHA512

e541c19ea0d9ed197fdda2b5e6dd08bc3ac8464cce5bcfd09a20aecbada77d4ce77235c954fefcb7388ffc03d99e6ae458b33181991f321d24e9eee17379c083
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYw:vHW138/iXWlK885rKlGSekcj66ci5

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	zarot.exe

Executes dropped EXE 2 IoCs

pid	Process
2308	zarot.exe
2372	ribun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ribun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zarot.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe
2372	ribun.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 2308	4000	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe	88
PID 4000 wrote to memory of 2308	4000	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe	88
PID 4000 wrote to memory of 2308	4000	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe	88
PID 4000 wrote to memory of 1288	4000	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe	89
PID 4000 wrote to memory of 1288	4000	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe	89
PID 4000 wrote to memory of 1288	4000	96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe	89
PID 2308 wrote to memory of 2372	2308	zarot.exe	107
PID 2308 wrote to memory of 2372	2308	zarot.exe	107
PID 2308 wrote to memory of 2372	2308	zarot.exe	107

C:\Users\Admin\AppData\Local\Temp\96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe
"C:\Users\Admin\AppData\Local\Temp\96b8750dccde728e22e094fd5469c35a5ce4cab64e85a902858de86e3a443572N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\zarot.exe
  "C:\Users\Admin\AppData\Local\Temp\zarot.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\ribun.exe
    "C:\Users\Admin\AppData\Local\Temp\ribun.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
1eb7fb2f6d51781cbb64618cfe44e24c

SHA1
27b0a5a7553cb041c7e778c52ba30eb9db303568

SHA256
05c50aeed3beeded204e96b1caee8f4689cba6b6bf95607a35b602ed30a4b3ea

SHA512
4889a3f74f464b471825c27f39b74294d2548c7eb08cfb841a44f04e2cd456953d2d6396bd6457bf246983c20b6865330a8f88bfcd97d4f79770e8189d8dae42

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9ee9cdf8002e874e505c22a7102445b3

SHA1
70a3e0550033a6a76ea9841d335108ae9884a7d9

SHA256
ba367eac916abede48d111c3681be1dd4e40fe46078be4ed53ea27c995bcb097

SHA512
aaf5d42760a60764167b399d10b4a500eacb30182edb2c1c3a8bb687abdee7bac3839f5cf9b25b336eae894456f0168e1c1c3ed5a8286b0ea64bd7be557a8dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ribun.exe

Filesize
172KB

MD5
2ce68d92038bbd81ecef4e7afbce48b5

SHA1
f8f6041aa88923a198e0eeab81e238377d709b4a

SHA256
6373ad6ec786d2f425152fa53785359fd2dcc1b57527873a11ffbb3b33a095bc

SHA512
0ae19dcf12fd43eeaeea0c37c4a1b16dbac4639761d24acdd7cd7c0e903c400d813e05d899904801e9edc9496d298e47fafc403993b41c0d543882fc90afb659

Download Submit
C:\Users\Admin\AppData\Local\Temp\zarot.exe

Filesize
331KB

MD5
d4666b584f1e397b5f76f80142b37dd2

SHA1
d036378f2ac50b52a932140af95d2a3dc16c82bf

SHA256
4ac2812d49a2a8aae3f8d9918be22317568624c1769b7c8b5f8de2c555d6dfa9

SHA512
b76e61327bb57d640ee22ce1d9a02acaa7b8e22cc206358fbf63767c19d730291b7fe472522e43d3c7dcc032614885a4c5d69662287dfc9e213a58776002ebdc

Download Submit
memory/2308-20-0x0000000000920000-0x00000000009A1000-memory.dmp

Filesize
516KB

Download
memory/2308-39-0x0000000000920000-0x00000000009A1000-memory.dmp

Filesize
516KB

Download
memory/2308-14-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2308-11-0x0000000000920000-0x00000000009A1000-memory.dmp

Filesize
516KB

Download
memory/2308-21-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2372-44-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2372-43-0x0000000000AB0000-0x0000000000B49000-memory.dmp

Filesize
612KB

Download
memory/2372-40-0x0000000000AB0000-0x0000000000B49000-memory.dmp

Filesize
612KB

Download
memory/2372-46-0x0000000000AB0000-0x0000000000B49000-memory.dmp

Filesize
612KB

Download
memory/2372-47-0x0000000000AB0000-0x0000000000B49000-memory.dmp

Filesize
612KB

Download
memory/4000-17-0x0000000000010000-0x0000000000091000-memory.dmp

Filesize
516KB

Download
memory/4000-1-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/4000-0-0x0000000000010000-0x0000000000091000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing