urelas | 53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36

General

Target

53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe
Size

448KB
MD5

237bf8b80379fecacc1952cf482542a9
SHA1

07c0b8b89b202ada728a9f8a2ee0b967bbe42ece
SHA256

53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36
SHA512

ba08ecc6e6acb0dd8d552e7f8a376263aab28a364912edf921c2f25d7e125959616e3052773b4438b5fb94ae91074e1ec3a278f6edc5440be2ac1769220430b2
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFb:CMpASIcWYx2U6hAJQn6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exefuluv.exehiunto.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fuluv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	hiunto.exe

Executes dropped EXE 3 IoCs

Processes:

fuluv.exehiunto.exeguqae.exe

pid process

3384 fuluv.exe
976 hiunto.exe
3604 guqae.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3384	fuluv.exe
976	hiunto.exe
3604	guqae.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exefuluv.execmd.exehiunto.exeguqae.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuluv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hiunto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guqae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

guqae.exe

pid	process
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe
3604	guqae.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exefuluv.exehiunto.exe

description	pid	process	target process
PID 2020 wrote to memory of 3384	2020	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe	fuluv.exe
PID 2020 wrote to memory of 3384	2020	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe	fuluv.exe
PID 2020 wrote to memory of 3384	2020	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe	fuluv.exe
PID 2020 wrote to memory of 3488	2020	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe	cmd.exe
PID 2020 wrote to memory of 3488	2020	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe	cmd.exe
PID 2020 wrote to memory of 3488	2020	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe	cmd.exe
PID 3384 wrote to memory of 976	3384	fuluv.exe	hiunto.exe
PID 3384 wrote to memory of 976	3384	fuluv.exe	hiunto.exe
PID 3384 wrote to memory of 976	3384	fuluv.exe	hiunto.exe
PID 976 wrote to memory of 3604	976	hiunto.exe	guqae.exe
PID 976 wrote to memory of 3604	976	hiunto.exe	guqae.exe
PID 976 wrote to memory of 3604	976	hiunto.exe	guqae.exe
PID 976 wrote to memory of 1556	976	hiunto.exe	cmd.exe
PID 976 wrote to memory of 1556	976	hiunto.exe	cmd.exe
PID 976 wrote to memory of 1556	976	hiunto.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe
"C:\Users\Admin\AppData\Local\Temp\53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\fuluv.exe
  "C:\Users\Admin\AppData\Local\Temp\fuluv.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Users\Admin\AppData\Local\Temp\hiunto.exe
    "C:\Users\Admin\AppData\Local\Temp\hiunto.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Users\Admin\AppData\Local\Temp\guqae.exe
      "C:\Users\Admin\AppData\Local\Temp\guqae.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
282098bdc9beb730e3c63dedee02896d

SHA1
fedc685b7b6ef60a285a1c4efa8f38594201fd67

SHA256
30aada39f0b857d5fa3430f4f386771948d3016e179bd8dabfd6cff76b8d3b75

SHA512
3c8269a979dfcdcbee307c8a9191ff7c8a086079e88c3bd3b4954ee3198ae076d97fe52e96525a25926eabf22453d46fa2aba9ab9b744cc67d3d5e27b3485e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
015cb43f9dd153167f33b8d295d9b3ff

SHA1
f0498b3730e6209cbef40d79b68e2c4a6fca13e5

SHA256
220c8b59c993f34ce4c60870c42b4c6d9cd2d554abe906350033f183e890428e

SHA512
2e98ab68617f58c965da4bbbcc09f1dee5dd4157c409de0809e265f707b037b581cb851d5b4b5fa043280d71a42030d9d88f80c31034dbae608921e4dabd4898

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuluv.exe

Filesize
448KB

MD5
3efb1d4ca2dedec528737e80f146c6c7

SHA1
c43614bfdd39761833ceee0cdebb991371bd0d76

SHA256
47f20c0e111d7779931d7df70aa5cff65d4b1a89cb42f874996c088fbffc3cdf

SHA512
3f9e055a9bb1d95a7e022626de39dd3df528e1b0687bbfba6712e45f130d3b89f6d4b328673160aa4acc070ca28eb83303d59a635ed41b8b567579c72ce49c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b9d4f6aae1568f8ef96436cc60d9c9f6

SHA1
36b696cee4ad95201887c096b90cc0598b5dad93

SHA256
1ab1f86d069f316891efa4ca21538362e1d70a963e352c300272ca8f85a7c6f7

SHA512
f2e78de9316ffff82085e0b34af6852ccd19e16bbd5fa8a36bb007ca967310b7ba9fb7979b05164a7435e96b3a56a51f0e700f04206d4a8db61dba27b1c9c924

Download Submit
C:\Users\Admin\AppData\Local\Temp\guqae.exe

Filesize
223KB

MD5
10709ce90529b0312239293149dc50cf

SHA1
b0c2bf6861f4fa6de0ca5e37479ea0c55a442a13

SHA256
06f86965f194e234ddff712dcb5959ce2788c608fc9b02e5c78156826e2960a1

SHA512
250edb7035b8c746c4c53f7b0999e324d61990fe7880b68caab2032a782033a4e01e20977f4a48cca655d08e5a1bfe00ba1099aad5f9f876d0e39658d13dccab

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiunto.exe

Filesize
448KB

MD5
7b777d28b0ea7b1c50ea521c8d917cd2

SHA1
463afe468c323dc8daa7f138a0abeafcbea9e1b4

SHA256
5af792729666531165e54131639ccffe415f778e7d23ee8ae8009cca178fd8a0

SHA512
c595a5568cff71b364d4ca618fa36c6a632a8f34ed8d2628f9b89fdc02f4ef01508f3e9fe5da43f4a1054c8e834c9a973c6d5a1d2c1d54103d73819fe17784f7

Download Submit
memory/976-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/976-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2020-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2020-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3384-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3384-13-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3604-37-0x0000000000950000-0x00000000009F0000-memory.dmp

Filesize
640KB

Download
memory/3604-42-0x0000000000950000-0x00000000009F0000-memory.dmp

Filesize
640KB

Download
memory/3604-43-0x0000000000950000-0x00000000009F0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads