urelas | 0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2b

General

Target

0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe
Size

328KB
MD5

9f0430ad5afbdfc9393b309e8dcb4600
SHA1

8b267dd9c1942020c384001ac2d78b004a01a7a9
SHA256

0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2b
SHA512

7d2f152b90fae91c1d860843bca9c68adfbd22e90a49ae854d3be24489860941bec9aca5a865bd8731b391d48aee6cd56b391ffa3742c120fcc49760b60edece
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOx:vHW138/iXWlK885rKlGSekcj66ciO

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sovoo.exe

Executes dropped EXE 2 IoCs

pid	Process
1236	sovoo.exe
1064	zofyc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zofyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sovoo.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe
1064	zofyc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 1236	2944	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe	89
PID 2944 wrote to memory of 1236	2944	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe	89
PID 2944 wrote to memory of 1236	2944	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe	89
PID 2944 wrote to memory of 1584	2944	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe	90
PID 2944 wrote to memory of 1584	2944	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe	90
PID 2944 wrote to memory of 1584	2944	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe	90
PID 1236 wrote to memory of 1064	1236	sovoo.exe	107
PID 1236 wrote to memory of 1064	1236	sovoo.exe	107
PID 1236 wrote to memory of 1064	1236	sovoo.exe	107

C:\Users\Admin\AppData\Local\Temp\0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe
"C:\Users\Admin\AppData\Local\Temp\0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\sovoo.exe
  "C:\Users\Admin\AppData\Local\Temp\sovoo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\zofyc.exe
    "C:\Users\Admin\AppData\Local\Temp\zofyc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
91dbfb50cd89e689bda0178dea673ee7

SHA1
67c4021d0ae8deeff96b6047ab3b833a0a5800df

SHA256
0d06820b387f55d4c9d241849b19dcce3b10d4250f2f46b07e7284c8b5f5e5a1

SHA512
c8ff079a3cbf0de5a160559c011c43e839aa8f75770de527685318957808566a84f7f085792345945d577b8dd3e695c214b8f47554923a9141cc229d70e10edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
55a93b12669cbe77321b9ffcc28fd4d7

SHA1
20d720a702af0321b301886ca5d951266f81cd03

SHA256
de1986ae30379ae555b4e525cd9970c7ff10fadb77225680e96fdcbe76b50169

SHA512
6277476d90a659dc1098e6ec95a85b43608ec9ac304998ff27fbd24993f922823fae99e63d737136b59fb51079e747169c314a4ce821146f77f3214a32a928ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sovoo.exe

Filesize
328KB

MD5
411503234ae4ca29f3133ff818bbd0a2

SHA1
a2af55b41e8e09c3328a2337d5cc47a9188358b9

SHA256
b222be95e0fddf1d1d61939ae99b8da5b7bff5fcedd262716010c6b3e92f328e

SHA512
4709d8061f8674ea406dc137f53a99993aaf91e0a407f230fe3e7eca69769761f074b30be53fd0bc156848450a373e00ebe128b02b82ec743862dc03c04d622b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zofyc.exe

Filesize
172KB

MD5
3371bc586c40d4c05f628c11c761a256

SHA1
c79151a0c19ccd1b191572440fcd0f25fea8be23

SHA256
ec67f9dcfffedc0fb99ad08b45231cfed9e724fa23a4cd5ec9d2423f4b57d8c1

SHA512
79f3219dcaee78cb0536a4694cd9278d2fb5eec627960b8227059cf1df439e8d50e219909849c794edc5b1ac7e55f9f950c893bbde69c0bbc717f52ee0f0fa86

Download Submit
memory/1064-47-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download
memory/1064-45-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download
memory/1064-46-0x00000000009B0000-0x00000000009B2000-memory.dmp

Filesize
8KB

Download
memory/1064-41-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download
memory/1064-38-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download
memory/1064-39-0x00000000009B0000-0x00000000009B2000-memory.dmp

Filesize
8KB

Download
memory/1236-21-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1236-40-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/1236-20-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/1236-12-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/1236-13-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2944-0-0x00000000006C0000-0x0000000000741000-memory.dmp

Filesize
516KB

Download
memory/2944-17-0x00000000006C0000-0x0000000000741000-memory.dmp

Filesize
516KB

Download
memory/2944-1-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing