urelas | 1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87

General

Target

1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe
Size

326KB
MD5

401fb01cbf8ed63e4f454941bf64f360
SHA1

32a11b167faa03799ac791677f1d1a5e4207135a
SHA256

1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87
SHA512

1d1c7a8c3f4cc78a4b728758142478b02c3ca7d00213645ec90afa294328ee151b3ca038c344a17ca936dc8a248cf7c7ccf4895b082a54babeb90b277f05be25
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYQ:vHW138/iXWlK885rKlGSekcj66ciJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dufim.exe

Executes dropped EXE 2 IoCs

pid	Process
1796	dufim.exe
4396	kifut.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kifut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dufim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe
4396	kifut.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 1796	4200	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe	87
PID 4200 wrote to memory of 1796	4200	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe	87
PID 4200 wrote to memory of 1796	4200	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe	87
PID 4200 wrote to memory of 3412	4200	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe	88
PID 4200 wrote to memory of 3412	4200	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe	88
PID 4200 wrote to memory of 3412	4200	1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe	88
PID 1796 wrote to memory of 4396	1796	dufim.exe	99
PID 1796 wrote to memory of 4396	1796	dufim.exe	99
PID 1796 wrote to memory of 4396	1796	dufim.exe	99

C:\Users\Admin\AppData\Local\Temp\1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe
"C:\Users\Admin\AppData\Local\Temp\1301fdffc4e827d8171204a141063a8a5a3f7339a2789dd5fdf5e1e7e0b40c87N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Users\Admin\AppData\Local\Temp\dufim.exe
  "C:\Users\Admin\AppData\Local\Temp\dufim.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Users\Admin\AppData\Local\Temp\kifut.exe
    "C:\Users\Admin\AppData\Local\Temp\kifut.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
fede352765fcde66f60f79f42964f276

SHA1
7bd92914c97a5f6b5bf775d3969a4de6a3c6bac7

SHA256
792936da87016727248489d129c9f9b9b502819e65d12df9854e2dea5c706f91

SHA512
3155658751bd7ed1a2f040c5a5c64ec968b12b32b87622f16f4a9276ff0fd65be7ca1c01ea3e7339c46b4c83d0cb25fa71742be80ec65c3b66c84446bb75fc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dufim.exe

Filesize
326KB

MD5
5278607c8094af2ff2704944fd263ad1

SHA1
b025678a568e091eb717c0863d9c4e9e18467e87

SHA256
d132ca94c2b3593e4bb33288ad3d2761b8433fc4c66beefe58535cd537ff0a01

SHA512
59af61551f3f7cb3a45b39cc68c5ac9206c5e5a8c87f8b3a99de025dd51d4d65487f4d4ecf68116ceb399451151e6d61480c3de280d921bf4ba6090873340870

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
456369302232be4f1c0b45c4daefd0a4

SHA1
e8877fe5c316ecf97b614676ebe38339b5400a55

SHA256
aa87e709761f44c939391684ae1795c873591ebd4ed9e69ffda616999cb51eb5

SHA512
39670b470569ce9fd4a724a4557f97337edcd889ff66cc68c49025d77ed0d5d04daf9c29c634afc819beea7d09291dc16ea183f3cf761c4fd5a3a9a7fe52f3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kifut.exe

Filesize
172KB

MD5
03c09eead929909f097bdc5728bb9e04

SHA1
789d43476ba020e0d23be60b4371093aff8fd2b0

SHA256
1aca1f40cde493aa888508b8c03f0357572f30ffcdd1a7d12fe9078d06c00e52

SHA512
11a74ba72e7b5adbb5bff80e5af0262f9a2a9bd47cdc23449efe4f9e26e6a5a3b3c0293570955c98ccea436c2e452b1a43164ec516fa2342b7ba3329c5713838

Download Submit
memory/1796-20-0x0000000000A50000-0x0000000000AD1000-memory.dmp

Filesize
516KB

Download
memory/1796-13-0x0000000000A50000-0x0000000000AD1000-memory.dmp

Filesize
516KB

Download
memory/1796-14-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/1796-40-0x0000000000A50000-0x0000000000AD1000-memory.dmp

Filesize
516KB

Download
memory/4200-17-0x0000000000040000-0x00000000000C1000-memory.dmp

Filesize
516KB

Download
memory/4200-0-0x0000000000040000-0x00000000000C1000-memory.dmp

Filesize
516KB

Download
memory/4200-1-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4396-38-0x0000000000620000-0x0000000000622000-memory.dmp

Filesize
8KB

Download
memory/4396-37-0x0000000000FA0000-0x0000000001039000-memory.dmp

Filesize
612KB

Download
memory/4396-41-0x0000000000FA0000-0x0000000001039000-memory.dmp

Filesize
612KB

Download
memory/4396-45-0x0000000000620000-0x0000000000622000-memory.dmp

Filesize
8KB

Download
memory/4396-46-0x0000000000FA0000-0x0000000001039000-memory.dmp

Filesize
612KB

Download
memory/4396-47-0x0000000000FA0000-0x0000000001039000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing