urelas | abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4f

General

Target

abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe
Size

499KB
MD5

c1498744807f0a299dbb91bb33023760
SHA1

6ac36ff619b2c01bf689d54047fff4e47acdbd2d
SHA256

abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4f
SHA512

b81e5cef86d970056659021727990f85fa976fd64215174a8b4fc0348162d8ed727ba52d0a8981aadbaf3958b6ff518639c46b1a031f418cdeedba5da01dc043
SSDEEP

12288:Po7CGWcQSyYI2VrFKH5RBv9AQ1pEDdK5U:PMUv2LAv9AQ1p4dKW

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	fesyc.exe

Executes dropped EXE 2 IoCs

pid	Process
4984	fesyc.exe
3712	mopub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mopub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fesyc.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe
3712	mopub.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 4984	800	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe	91
PID 800 wrote to memory of 4984	800	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe	91
PID 800 wrote to memory of 4984	800	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe	91
PID 800 wrote to memory of 1948	800	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe	92
PID 800 wrote to memory of 1948	800	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe	92
PID 800 wrote to memory of 1948	800	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe	92
PID 4984 wrote to memory of 3712	4984	fesyc.exe	112
PID 4984 wrote to memory of 3712	4984	fesyc.exe	112
PID 4984 wrote to memory of 3712	4984	fesyc.exe	112

C:\Users\Admin\AppData\Local\Temp\abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe
"C:\Users\Admin\AppData\Local\Temp\abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\fesyc.exe
  "C:\Users\Admin\AppData\Local\Temp\fesyc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\mopub.exe
    "C:\Users\Admin\AppData\Local\Temp\mopub.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
2907b35883f81cb335494649eabca267

SHA1
5327534c2fea9d67373de385b666c727ff1944ca

SHA256
d13d5390103a2ecd0e9b40e1fb9335e2dd5b69f14231055a706a7a823c7472d2

SHA512
c40e09b69b62f4b72d5c4b846c4331dfe9a5349839019e6a0ea5a2ef6f69bf19f074cc4812487ece38865c4c721c77ea249d007a275d555d61382472e97fac71

Download Submit
C:\Users\Admin\AppData\Local\Temp\fesyc.exe

Filesize
499KB

MD5
3b1ec9404831b81dbe88c8c202b3d11d

SHA1
63d71dbb31225fb58f042ffdaa02a19ac9d95d50

SHA256
2e30535f897370c05ef57fde91467cc412e54ef78be695a6dcff77cd837503b5

SHA512
6f57fe61f0c339ae5bfa47e20fa4959b92d06e922eba9583c56752d5071d9ca374d2cbc3b8d8af6f8520e4d75db67c29395799aeba2cd33317c29b03917175b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3189a11eb6f65b84e3e73c9f7f4d2a85

SHA1
3510e46dc1fc7fe7fa55cda34939732b88c6c761

SHA256
ef252cb868eb66f1ed65ead1fdaba9b23ae00341fffebcc846925f4bffd4da89

SHA512
55b752062d8f19638ab8238798d7dd9e4c487f9c5bb7a0fc63f66d895decadb81935c2e6533981672fb0e50e89d29d1b4122dbd0a62d786e8c4309e71c6eb9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mopub.exe

Filesize
172KB

MD5
0a052f413ce2389066a2b336da45cd4a

SHA1
3bc0d4f3f68a4615a6ab430ff102df43f0c3e78a

SHA256
446805fc7bbeda4076482dcf55ef7d90bfb9f0d31d0b6b7f7e966efff038945d

SHA512
359a7009962f4065c8a60e76dd7d9e7744f9ddc2600f2af0e190c07f27a889bd8001fd30fa683c0bf6b16bca7e7b40d0aff7cafdb7a1776c25e0ba809af8ff24

Download Submit
memory/800-0-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/800-14-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/3712-31-0x00000000012F0000-0x00000000012F2000-memory.dmp

Filesize
8KB

Download
memory/3712-25-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/3712-27-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/3712-33-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/3712-34-0x00000000002A0000-0x0000000000339000-memory.dmp

Filesize
612KB

Download
memory/4984-17-0x0000000000D20000-0x0000000000DA1000-memory.dmp

Filesize
516KB

Download
memory/4984-12-0x0000000000D20000-0x0000000000DA1000-memory.dmp

Filesize
516KB

Download
memory/4984-30-0x0000000000D20000-0x0000000000DA1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing