urelas | c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46

General

Target

c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe
Size

690KB
MD5

f8781a2b82f220ca4ddbc4aa5c09902a
SHA1

817dc3e1e91c13a244feafbd7cfe97020d170ab6
SHA256

c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46
SHA512

046b33a6024b265eafee8ea1997acf07467904e5f2422e5e662e8def4ea896ba1928b82e96fc391fd2c1ef8eddbff2efa0fb786fc608d2a308959182db59e12a
SSDEEP

12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nA:dVh6gl6Iy8R9+ZdnnP94jpgl9BnA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	duzuw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	qefune.exe

Executes dropped EXE 3 IoCs

pid	Process
3676	duzuw.exe
5096	qefune.exe
4204	vuavf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qefune.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuavf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	duzuw.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4204	vuavf.exe
4204	vuavf.exe
4204	vuavf.exe
4204	vuavf.exe
4204	vuavf.exe
4204	vuavf.exe
4204	vuavf.exe
4204	vuavf.exe
4204	vuavf.exe
4204	vuavf.exe
4204	vuavf.exe
4204	vuavf.exe
4204	vuavf.exe
4204	vuavf.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 3676	1600	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe	82
PID 1600 wrote to memory of 3676	1600	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe	82
PID 1600 wrote to memory of 3676	1600	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe	82
PID 1600 wrote to memory of 3712	1600	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe	83
PID 1600 wrote to memory of 3712	1600	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe	83
PID 1600 wrote to memory of 3712	1600	c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe	83
PID 3676 wrote to memory of 5096	3676	duzuw.exe	85
PID 3676 wrote to memory of 5096	3676	duzuw.exe	85
PID 3676 wrote to memory of 5096	3676	duzuw.exe	85
PID 5096 wrote to memory of 4204	5096	qefune.exe	102
PID 5096 wrote to memory of 4204	5096	qefune.exe	102
PID 5096 wrote to memory of 4204	5096	qefune.exe	102
PID 5096 wrote to memory of 984	5096	qefune.exe	103
PID 5096 wrote to memory of 984	5096	qefune.exe	103
PID 5096 wrote to memory of 984	5096	qefune.exe	103

C:\Users\Admin\AppData\Local\Temp\c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe
"C:\Users\Admin\AppData\Local\Temp\c7fabd61f40cadc250b326cecc46cd525fcd851705c7169d80fd29e5e35b3f46.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\duzuw.exe
  "C:\Users\Admin\AppData\Local\Temp\duzuw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\qefune.exe
    "C:\Users\Admin\AppData\Local\Temp\qefune.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\vuavf.exe
      "C:\Users\Admin\AppData\Local\Temp\vuavf.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
f85114d286407861a66715f6206ff978

SHA1
933b7929d01b708ad51d86f6e7ce93eb13aec0ff

SHA256
f585590dc17e54708f0365142fa83de57b5ab95bfb4ab2ca95db4ef8ddde3d22

SHA512
d946a87a0a05311ddfa09d6524b3cafd59e3503b4a75eb49f527ef89585e3af599f543727d6ee5be1c7a2f8c2bfe444b4e5677d52710a686c87b8e88f2d61189

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
8bd75e61ee755abf59bcdaa5fc9fe36a

SHA1
b362569fff24d70418500d360df221690aeeee1a

SHA256
f0d21d371f83cdb0a667db4a30f2da9f48236a6efed5f044dc67ad0b7e3b27f0

SHA512
13c399bdfa8ab7563b00ecc02ab004e25a4818248623f27bd3579aff4476d0c14ed6961778379ba87cf2faaed24dad719f67501ee80e4cbc39286c8e8b86f19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\duzuw.exe

Filesize
690KB

MD5
009a078f1bb175698d0eada0dc34df8d

SHA1
1afe81ea2a173e22b3830934586e0b1322afc940

SHA256
4013b652b45edd8fba777b6f1233fc9cb3d77642684125d41ae412d93141875b

SHA512
ec118c5fe9883273deaabe7cd88262c46317cd5c4cbf057f645611131fbf75cbc1a0f922e0e9b563ac14050b74e9fa3fef5f27e5166ae42f338f294d2cc5682d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0f77c6e8f9fe22fc21970e436179e4ea

SHA1
687c0ba5a4c9983cdeb4723e6eea83ed1ee5f81b

SHA256
dc37fc379a82eb36153c09fe2b2f57e7c6c64ae1cc3231d268600c86c8dff75e

SHA512
68554a4835bbf4c9d67d4ec486bff5656e585786cb7ce5643e82fc4be4e630f7c79dc10757085b318db4dcd31f72dbb82f6ab42e4a056ecdd6d1a6a529fb26d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuavf.exe

Filesize
469KB

MD5
93608e80dd8119c2a95a04a210f67354

SHA1
c1bd3c678206b923fa5da6802c9f1d3a48fb97ce

SHA256
1cb09a1788db959e885fe6a2b68fc209acb61810dd95068e291bf261f8352b9c

SHA512
136bb20dec06cd455d59989a5b8c7746dd6f5235f05606bf26b410adf708a4c816bcc781fefbc52aed541d57013872798967d06ab595d00e32a6c17ebf63bd87

Download Submit
memory/1600-15-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1600-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3676-25-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4204-38-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4204-43-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4204-44-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/5096-26-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5096-40-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5096-24-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing