urelas | b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc

General

Target

b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc.exe
Size

67KB
MD5

dd8f32bd03bd2c2b69bb132c5a50b156
SHA1

afd2e4fc676ea01e158b4ce25d98fd1905c3367b
SHA256

b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc
SHA512

9b8b35e3d3e3f857ae27b656a1dce8ac0b794b45b69c0f4ceb697144d560105370edb5aab7d490dc9f3dfe5f8ce5e6d8e8438d85a167688ce089c2cfdaaaf046
SSDEEP

1536:v6fqsAPQYGmPzmZDDZrV8sMQXGkfn33n7z5WeIuhCare4:yLAYUzmdD0sMQl7d7IuhCai4

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc.exe

Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

1840 biudfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1840	biudfw.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc.exebiudfw.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc.exe

description	pid	process	target process
PID 3080 wrote to memory of 1840	3080	b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc.exe	biudfw.exe
PID 3080 wrote to memory of 1840	3080	b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc.exe	biudfw.exe
PID 3080 wrote to memory of 1840	3080	b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc.exe	biudfw.exe
PID 3080 wrote to memory of 808	3080	b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc.exe	cmd.exe
PID 3080 wrote to memory of 808	3080	b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc.exe	cmd.exe
PID 3080 wrote to memory of 808	3080	b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc.exe
"C:\Users\Admin\AppData\Local\Temp\b1bd190251729685089b1ed66829b3ee94e55ada26576d510780b53bcb46f8bc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
67KB

MD5
1f40c921277185acc736e290ce67ecda

SHA1
fb33235ab7949ffc938dfcaa18fd9b263ebc4ee7

SHA256
a2b277bf23beea0561541fd08c8166693aed7016302961289ffd926be0629652

SHA512
ff86e39f207229dd667ccdae048b4e69dbef184ed398ef53c4964803b101355668dc42fe5a11575c01b74ac172d6d37b630a6f19751a75e95a7872a7c8748839

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1c9b2720af0ca9528b47898d9c7f4799

SHA1
80495f16e333f54ecc700252323c2a7cb7d751e1

SHA256
d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5

SHA512
5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
5671ea5e4a77b0231ea2b4a2a4bd72fc

SHA1
750aacbcced22983bc6684bdabc232056278777d

SHA256
f6747741b26771dd260877d7f046cdaa2597541e7ba4e5973f6c6214f9549c0c

SHA512
6626c2f5eca8c3d9459ad41cfded016d80176e66411e608b060b919c79eb9292fa0634ccb3fb5babacd7bb4360f7d76713dc35f1afa64006088f6b83037121da

Download Submit
memory/1840-13-0x00000000002E0000-0x0000000000307000-memory.dmp

Filesize
156KB

Download
memory/1840-21-0x00000000002E0000-0x0000000000307000-memory.dmp

Filesize
156KB

Download
memory/1840-23-0x00000000002E0000-0x0000000000307000-memory.dmp

Filesize
156KB

Download
memory/1840-29-0x00000000002E0000-0x0000000000307000-memory.dmp

Filesize
156KB

Download
memory/3080-0-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/3080-18-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads