urelas | ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0

General

Target

ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe
Size

51KB
MD5

21301ab6a0336f6a17eb12762538cb4c
SHA1

41c8a1d774c3530883cd8acb2881fc86a4aa6bae
SHA256

ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0
SHA512

234889892eb2f33ec1d504afab11f80819f6eb34a271a82ef9a7862d699a11c021fbd14d87eaacc3f8aa16ebffb2155149e57c4bede241301806f121d5d3e609
SSDEEP

1536:h+Ds6ClDXuqweo/0khAUnJDgabGsVy6umfFlPhPo:KsdXfBo/DBJBGzkP5Po

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2480	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2852	shoste.exe

Loads dropped DLL 1 IoCs

pid	Process
2260	ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shoste.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2852	2260	ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe	30
PID 2260 wrote to memory of 2852	2260	ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe	30
PID 2260 wrote to memory of 2852	2260	ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe	30
PID 2260 wrote to memory of 2852	2260	ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe	30
PID 2260 wrote to memory of 2480	2260	ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe	31
PID 2260 wrote to memory of 2480	2260	ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe	31
PID 2260 wrote to memory of 2480	2260	ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe	31
PID 2260 wrote to memory of 2480	2260	ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe	31

C:\Users\Admin\AppData\Local\Temp\ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe
"C:\Users\Admin\AppData\Local\Temp\ff6a40f79bfc33aa80104f1fb3e1cd7b4008cb2eca0a160d7a7f737ad1b15bc0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\shoste.exe
  "C:\Users\Admin\AppData\Local\Temp\shoste.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f51c1462254f3bb8aa00201af0b0a030

SHA1
60d3c892bb5c4f654c318451012f936d81164418

SHA256
695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5

SHA512
41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
5c097bfa3c8a379c070b1a53006a9060

SHA1
8b8be2479a0dc2b353540f7e699ab91fb603f1db

SHA256
1679c4e6fd29576a17ef28d6c41859f8582ebf70aab783acdf2fef1f035cacc4

SHA512
d93556917c6d5e816a6656e8d5afa0ea4ac31a7477b24731d00bf7c4bc8ccf561c1d212fdf2e40c4adfd606c4f3ece4802e8d6c32f1b3428a8d25d98d8d67264

Download Submit
\Users\Admin\AppData\Local\Temp\shoste.exe

Filesize
51KB

MD5
3cbe3f47266de3a8c9f020de8fbcff9d

SHA1
bb7e49add98824c69eb6869ef4c2d4450dbe113b

SHA256
b12ecc9052a30a6d0cd94c1b41b579af520a10db151e25500380a5ebfb9ffa59

SHA512
08e7987ae31ed7384387264a7175873ab742a17f5acdfa1faad6cd8dfc597860caeb6c2fd23a62f2c86020c9acc2a9e6db254a52ade8ce793d0886348944f891

Download Submit
memory/2260-0-0x00000000009B0000-0x00000000009E5000-memory.dmp

Filesize
212KB

Download
memory/2260-8-0x0000000001EF0000-0x0000000001F25000-memory.dmp

Filesize
212KB

Download
memory/2260-19-0x00000000009B0000-0x00000000009E5000-memory.dmp

Filesize
212KB

Download
memory/2852-17-0x0000000000FA0000-0x0000000000FD5000-memory.dmp

Filesize
212KB

Download
memory/2852-22-0x0000000000FA0000-0x0000000000FD5000-memory.dmp

Filesize
212KB

Download
memory/2852-29-0x0000000000FA0000-0x0000000000FD5000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing