urelas | e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9

General

Target

e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe
Size

334KB
MD5

3234cf4c81bfcee023e8b2f5a4912775
SHA1

3fb4ee1ba10cd6670b2c301c376d59ee634a8259
SHA256

e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9
SHA512

e8a8651bf6f2a34d9b3cf1471cf417704e40cda4d61a14e21eeb441f0a0ebe5a8553c96e1265e76ffc87b8365f210f1d91a1c96dbe020a6aff06cb9271cb581e
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYl:vHW138/iXWlK885rKlGSekcj66ci8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exeagjii.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	agjii.exe

Executes dropped EXE 2 IoCs

Processes:

agjii.exevebyr.exe

pid process

4136 agjii.exe
316 vebyr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4136	agjii.exe
316	vebyr.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exeagjii.execmd.exevebyr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agjii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vebyr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vebyr.exe

pid	process
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe
316	vebyr.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exeagjii.exe

description	pid	process	target process
PID 5104 wrote to memory of 4136	5104	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe	agjii.exe
PID 5104 wrote to memory of 4136	5104	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe	agjii.exe
PID 5104 wrote to memory of 4136	5104	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe	agjii.exe
PID 5104 wrote to memory of 4408	5104	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe	cmd.exe
PID 5104 wrote to memory of 4408	5104	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe	cmd.exe
PID 5104 wrote to memory of 4408	5104	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe	cmd.exe
PID 4136 wrote to memory of 316	4136	agjii.exe	vebyr.exe
PID 4136 wrote to memory of 316	4136	agjii.exe	vebyr.exe
PID 4136 wrote to memory of 316	4136	agjii.exe	vebyr.exe

C:\Users\Admin\AppData\Local\Temp\e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe
"C:\Users\Admin\AppData\Local\Temp\e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\agjii.exe
  "C:\Users\Admin\AppData\Local\Temp\agjii.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Users\Admin\AppData\Local\Temp\vebyr.exe
    "C:\Users\Admin\AppData\Local\Temp\vebyr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2499982d596b1d61beff3ab3af9566a2

SHA1
3ebde4128cbdfbfbfc31997c237b4ed443460477

SHA256
c297fd57b2ccd31d8489db15fd9dbc22e09976fd0ae254aba0d0b1d381e1e2b9

SHA512
0d0ff75cd0cefff027dc06c97919d2951813929ae35573659be335ec8cfa52473fcf384d2d3e53e7f76c5f895aaeb28c95555913631f3775ba3e996822d2f4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\agjii.exe

Filesize
334KB

MD5
fc04f79c5148cfe10b5fd81aec36ce11

SHA1
d8936c5977169ce3ef35ad8c935a6155492fb4cc

SHA256
5a2a8f6595ecc1d8980b0b8bd1fc774631daf4bff1da697f573f7dfea8c94eb6

SHA512
66e778219ad7dd88b66bd98ce78ca57288fd4dc8d6b6508635b50d4fb7da50724e2ea9555de50fd132269341432caec562d0e5ebebec2b0fb9e1054783cff7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
23c5556d3f5c66e668a12297ce688eac

SHA1
e384ac6768d2aa81d83c15e586be15f8da7e183a

SHA256
a25ee5a371c59eb9be5a143158249d50844e4565eb9cd252834c12187610f1ce

SHA512
b053029f207760b869499f0aa3a69aa8b9a45023347810ad8e39fdb2773265cea9ea45123f75e0e14767767f0f78ec2c9e4fdfe347a55fcb4a5e991850b70a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\vebyr.exe

Filesize
172KB

MD5
887e21f696957367a5f4d1e0ce183475

SHA1
8664af3d1dde7da4dd92dcecb78e706ef709968e

SHA256
318f4e77b98c9f35e9335e7803d48c78762c9360f5eaf1827039ed155df44af7

SHA512
56b78b4484f9541c9e8cf82e5bafdd2f5f53e81ed7312b79d7086fcaa4c1d22d28081764105f84226af99c8e494c742a0f8cbc11c02bb786c89ea57eaa7aed2a

Download Submit
memory/316-46-0x0000000000130000-0x00000000001C9000-memory.dmp

Filesize
612KB

Download
memory/316-44-0x00000000009E0000-0x00000000009E2000-memory.dmp

Filesize
8KB

Download
memory/316-50-0x0000000000130000-0x00000000001C9000-memory.dmp

Filesize
612KB

Download
memory/316-49-0x0000000000130000-0x00000000001C9000-memory.dmp

Filesize
612KB

Download
memory/316-48-0x0000000000130000-0x00000000001C9000-memory.dmp

Filesize
612KB

Download
memory/316-47-0x0000000000130000-0x00000000001C9000-memory.dmp

Filesize
612KB

Download
memory/316-41-0x0000000000130000-0x00000000001C9000-memory.dmp

Filesize
612KB

Download
memory/316-38-0x0000000000130000-0x00000000001C9000-memory.dmp

Filesize
612KB

Download
memory/4136-20-0x0000000000B50000-0x0000000000BD1000-memory.dmp

Filesize
516KB

Download
memory/4136-40-0x0000000000B50000-0x0000000000BD1000-memory.dmp

Filesize
516KB

Download
memory/4136-21-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/4136-11-0x0000000000B50000-0x0000000000BD1000-memory.dmp

Filesize
516KB

Download
memory/4136-13-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/5104-1-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/5104-0-0x0000000000160000-0x00000000001E1000-memory.dmp

Filesize
516KB

Download
memory/5104-17-0x0000000000160000-0x00000000001E1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads