urelas | 981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08

General

Target

981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe
Size

65KB
MD5

d4efc4695bd947d17434f865ecd6aa20
SHA1

3b9a2e78df4e4aaa8a7432885d1275536f6de4dc
SHA256

981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08
SHA512

5c92d570b6c13c294aa21102276df61548af04c4a174a24051e256647a25bb578037fad31256194d953789488a6a44932023fc13b5765f7a7b99d56b37aa6779
SSDEEP

1536:6bQx5oPsr2vFxDPhAvzgAQzFZ77MzeTm/:6bQRSHpAvzyf7MzeTY

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2944	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2660	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2748	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2660	2748	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe	31
PID 2748 wrote to memory of 2660	2748	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe	31
PID 2748 wrote to memory of 2660	2748	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe	31
PID 2748 wrote to memory of 2660	2748	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe	31
PID 2748 wrote to memory of 2944	2748	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe	32
PID 2748 wrote to memory of 2944	2748	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe	32
PID 2748 wrote to memory of 2944	2748	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe	32
PID 2748 wrote to memory of 2944	2748	981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe	32

C:\Users\Admin\AppData\Local\Temp\981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe
"C:\Users\Admin\AppData\Local\Temp\981daf685ec04460f9f1a008ea3cfb2c8302a8c16814c39fba29a959d442cf08N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
efd90b3ac908d5482af367de3a82184a

SHA1
de9f01d2ed0247b7b347e55c5a09721a60147fb9

SHA256
44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d

SHA512
6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
63bb09c8c15f8ea5ca3baab35d1b0848

SHA1
8da9455e2074aafb7dcdfd536a0a0fa3cff8f0dc

SHA256
e51b3a880968dde7ad6171b0395c1ad02e1033d14719e19d79159cf5f789163e

SHA512
78cf8c706833ec5c903675b01e5b2bc4d945d24195b248c5c01f9f0d08045f71214c33a73aa7b770291ff33580400c5c9e3fff11585b823faa43282a46c84148

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
65KB

MD5
bed3677a247e6b58d158eb48ddfaf349

SHA1
a8596c4b535d35682b8d16566199f288d0e1de29

SHA256
f3d4d82addcb01cb0e3d5c19aa5579a87f2bc3ea3addde1730f95578de1a0258

SHA512
a79e73ad194dc6f9388faa1e9f7b9d2f15eb3dfb5c921ed42b1f63a8c4beeb6df934ef03bf677be714665a99a7759ad407ef43907eceffdc1312eee1a4b5e66d

Download Submit
memory/2660-16-0x00000000009E0000-0x0000000000A05000-memory.dmp

Filesize
148KB

Download
memory/2660-22-0x00000000009E0000-0x0000000000A05000-memory.dmp

Filesize
148KB

Download
memory/2660-24-0x00000000009E0000-0x0000000000A05000-memory.dmp

Filesize
148KB

Download
memory/2660-30-0x00000000009E0000-0x0000000000A05000-memory.dmp

Filesize
148KB

Download
memory/2748-0-0x0000000000390000-0x00000000003B5000-memory.dmp

Filesize
148KB

Download
memory/2748-8-0x0000000001DB0000-0x0000000001DD5000-memory.dmp

Filesize
148KB

Download
memory/2748-19-0x0000000000390000-0x00000000003B5000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing