urelas | 9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb

General

Target

9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe
Size

331KB
MD5

7eee5a9c09ab106a678b4e266607e694
SHA1

7a4f8588d6089f4b8e25582bc11dfa9e1302df84
SHA256

9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb
SHA512

4ecb3d5966d401af3b4969563e8ccf3157c63b56a48b829d70eded05e7f1aee8a13241393363f6f62a73daa868a2e864dce2ca95b85190ba19ca59de1c9e5f9f
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVRJ:vHW138/iXWlK885rKlGSekcj66ciERJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exeafbin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	afbin.exe

Executes dropped EXE 2 IoCs

Processes:

afbin.exeymfaz.exe

pid process

3524 afbin.exe
232 ymfaz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3524	afbin.exe
232	ymfaz.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeymfaz.exe9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exeafbin.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ymfaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afbin.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

ymfaz.exe

pid	process
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe
232	ymfaz.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exeafbin.exe

description	pid	process	target process
PID 3504 wrote to memory of 3524	3504	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	afbin.exe
PID 3504 wrote to memory of 3524	3504	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	afbin.exe
PID 3504 wrote to memory of 3524	3504	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	afbin.exe
PID 3504 wrote to memory of 4924	3504	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	cmd.exe
PID 3504 wrote to memory of 4924	3504	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	cmd.exe
PID 3504 wrote to memory of 4924	3504	9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe	cmd.exe
PID 3524 wrote to memory of 232	3524	afbin.exe	ymfaz.exe
PID 3524 wrote to memory of 232	3524	afbin.exe	ymfaz.exe
PID 3524 wrote to memory of 232	3524	afbin.exe	ymfaz.exe

C:\Users\Admin\AppData\Local\Temp\9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe
"C:\Users\Admin\AppData\Local\Temp\9f1dddf78603182cb7486028fdc50f5115382ea331a21b88102b6da352780bfb.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Users\Admin\AppData\Local\Temp\afbin.exe
  "C:\Users\Admin\AppData\Local\Temp\afbin.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\ymfaz.exe
    "C:\Users\Admin\AppData\Local\Temp\ymfaz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
6357433b9e289fbeedec0c4e4ea64826

SHA1
b1e70d0a33000976fee37bd86ec4b4941fe0e670

SHA256
26310e4f8e01c3574aee93d0394314e49692bb70bfc4562d80d09b66adb46428

SHA512
af021ae4d737d676154f27f5478f91afe8e29993abb71f4b82d2c04a62e4388323c5ed3bd6737f696f691828c587be114cda834375db1475e79e10a0e55b0ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\afbin.exe

Filesize
331KB

MD5
2f3a5709514591dad56eec17af68430e

SHA1
c2c1de50bc385bd43047ced3552a94589ad75a7b

SHA256
0411bc5f6c67a59548a3407849d642d9f67b10a0d6d3857ae7579c2ad8dcafe6

SHA512
21662ec5afc73f4097eb343cc81301b7eff78705bc59dbda9630d220b5ce552a244fe54b9329f93a9fa1cb23802865913aee22b92eaf3a6b6e379c1282fc0005

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4aad266ad8a96609f869d93b3850519d

SHA1
07036439f29c46caab6c3a144cebce67e6995019

SHA256
ab1e19b69698755a3973f6b9f445dcd680175bbfee7f1a13640f5559f38debe8

SHA512
96d338c08619bfb2d64a9012902188420fd687739f2ec0c45f012e81b520ad52d0917b92ab742928c2a521dc022a566c6cf61d7349ad39faca107e2ffc2f824c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymfaz.exe

Filesize
172KB

MD5
f83c2b9dc411e362fdfb4bfc4f78cc8c

SHA1
9a66cb83f74d3830cc60009927fd3429cac2a4a2

SHA256
0cd2cf113c5429d42d2d95cd888f2d527c5fcfbd3e418fb285e6cf39d6df88b3

SHA512
f7eb20b72b1744ac7e260d9a6b9be276298f2c4e5219a3f6172839c455dbc3b1152e6aa7b12bfbd97c90940103754f251b630277bb2bb99fb47b53e366382ca7

Download Submit
memory/232-47-0x0000000000980000-0x0000000000A19000-memory.dmp

Filesize
612KB

Download
memory/232-46-0x0000000000980000-0x0000000000A19000-memory.dmp

Filesize
612KB

Download
memory/232-41-0x0000000000980000-0x0000000000A19000-memory.dmp

Filesize
612KB

Download
memory/232-45-0x0000000000980000-0x0000000000A19000-memory.dmp

Filesize
612KB

Download
memory/232-40-0x0000000000980000-0x0000000000A19000-memory.dmp

Filesize
612KB

Download
memory/232-39-0x0000000000980000-0x0000000000A19000-memory.dmp

Filesize
612KB

Download
memory/3504-0-0x0000000000630000-0x00000000006B1000-memory.dmp

Filesize
516KB

Download
memory/3504-17-0x0000000000630000-0x00000000006B1000-memory.dmp

Filesize
516KB

Download
memory/3504-1-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3524-11-0x0000000000E50000-0x0000000000ED1000-memory.dmp

Filesize
516KB

Download
memory/3524-38-0x0000000000E50000-0x0000000000ED1000-memory.dmp

Filesize
516KB

Download
memory/3524-20-0x0000000000E50000-0x0000000000ED1000-memory.dmp

Filesize
516KB

Download
memory/3524-14-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads