urelas | 0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6

General

Target

0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe
Size

507KB
MD5

08be228d25d342d7d76e3bb621843201
SHA1

717d3fd3706ba34fe32f8e1fb356148b065d37bb
SHA256

0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6
SHA512

8f8d3ee48233f3a5c1f5ac6fb2d788e5968767b5a5f9cf01a78283c32e8f9197fb8531f6f615bb9e104c4d008b14874160f1a0f8e5786086eaf8c8c58bb3ebff
SSDEEP

12288:kdBNKTCqqwXCcdgT89+MvA+BisqYpxHte:kLjQC+fs0M

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	tukoc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe

Executes dropped EXE 2 IoCs

pid	Process
3196	tukoc.exe
2704	zufiy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tukoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zufiy.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe
2704	zufiy.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3196	4308	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe	85
PID 4308 wrote to memory of 3196	4308	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe	85
PID 4308 wrote to memory of 3196	4308	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe	85
PID 4308 wrote to memory of 3476	4308	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe	86
PID 4308 wrote to memory of 3476	4308	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe	86
PID 4308 wrote to memory of 3476	4308	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe	86
PID 3196 wrote to memory of 2704	3196	tukoc.exe	94
PID 3196 wrote to memory of 2704	3196	tukoc.exe	94
PID 3196 wrote to memory of 2704	3196	tukoc.exe	94

C:\Users\Admin\AppData\Local\Temp\0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe
"C:\Users\Admin\AppData\Local\Temp\0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Admin\AppData\Local\Temp\tukoc.exe
  "C:\Users\Admin\AppData\Local\Temp\tukoc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Users\Admin\AppData\Local\Temp\zufiy.exe
    "C:\Users\Admin\AppData\Local\Temp\zufiy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
254912bb78910d0fbbc70995e6f392b4

SHA1
c33299a8d59e0f741e38c87badff83fd00e1c146

SHA256
317f363bb7a7c0b4cbd31a05085e1e712d7b6159509f3c0d0119ad8b383a5318

SHA512
717629c1c7915cddd57d6059eb03fc0a8b1844044fa829cd03ad24ef1e113a234b2d8efe70d07718a9ddd853ca264e27192e5331670f308e6401341f48e071c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2bd59bc3128c47a21e5630f124e09b84

SHA1
d86649ea91360bc4a1d3d50fe2426bdaeb3052c4

SHA256
61259d6554b48896d4f2b7fe45c62ccfe735cb99e99fc7cb5d4da91d1919ede9

SHA512
8fb85011ab3652fe9ab41b0d0fa4831601df59b5eda3510290efab6af3066742d99eb2a9716f672d094b6d727ab26e336796f95867acd87cbb9f4621ad0cc459

Download Submit
C:\Users\Admin\AppData\Local\Temp\tukoc.exe

Filesize
507KB

MD5
db3a2128d1d63a0867783580d7aaf788

SHA1
eb529206e4f3c9fee1204c0011b4270a63166d78

SHA256
729b38538d7385aee32427d1555f418245ac210f9b85b07d993dfcc423388a2e

SHA512
a7aced763201fbcfb239a3a1baa5fdf731fb25c9e177040eeae142601fdc87e772488d69df89584e11ff89614fc28f0ad81b7e4482480950e21dfe5b8d43aca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zufiy.exe

Filesize
241KB

MD5
e09bdc6bc48e270972e66581a660f50d

SHA1
7e143dfa4de7e92b3cd4e8846156ed1e57eddcec

SHA256
a8a7fae0dbbb4bec52743c60081792a0e68e19ecc39b44007cee60bca404d8f6

SHA512
c7edbaf041c08b2dbfd0d74be24bee66c3de98fef106ceae6e6a440a039eae64bbd7bd280e9b4318d182edfbcf177e63ac5605f74118a34515f8ca9a28c45e0a

Download Submit
memory/2704-25-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2704-24-0x00000000000F0000-0x00000000001A6000-memory.dmp

Filesize
728KB

Download
memory/2704-28-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2704-27-0x00000000000F0000-0x00000000001A6000-memory.dmp

Filesize
728KB

Download
memory/2704-29-0x00000000000F0000-0x00000000001A6000-memory.dmp

Filesize
728KB

Download
memory/3196-12-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4308-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing