urelas | 59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d

General

Target

59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe
Size

60KB
MD5

4da3a323043dd78c587899c1facff863
SHA1

1adc2362a27a6d6ebd4f607d8afa557f7428d8ec
SHA256

59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d
SHA512

fa314aff1bd710cccb47f125b5f3bceb6ec4f137e3b5fea5fd3866366413632de736049c52c1fad03ac995b0463f0a9e14214dae29c247d0ff39777c6c072918
SSDEEP

768:n5mhew0GpSyMe6hwUkdwJzh+qciaQRENEzxZbARtR06g2wqp4YPeznellmqGwxPr:nK0GjMeQG3iaQREuVZ6ro29p4YxbKdM

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2896	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2488	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2464	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2488	2464	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe	31
PID 2464 wrote to memory of 2488	2464	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe	31
PID 2464 wrote to memory of 2488	2464	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe	31
PID 2464 wrote to memory of 2488	2464	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe	31
PID 2464 wrote to memory of 2896	2464	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe	32
PID 2464 wrote to memory of 2896	2464	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe	32
PID 2464 wrote to memory of 2896	2464	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe	32
PID 2464 wrote to memory of 2896	2464	59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe	32

C:\Users\Admin\AppData\Local\Temp\59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe
"C:\Users\Admin\AppData\Local\Temp\59b97bbc98517ca3522b4b127040747c231195806e839efeadd3017869255b0d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
55e10a9af74d3f3fa5ae3cb7ff5ad9d4

SHA1
449221fd8d7196a54de2bd583625d8d1b64db56a

SHA256
a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1

SHA512
4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
9077f9869275ddb205e1e83d58d8ccab

SHA1
d1679fd87486e865c6e0219d60045cba2ceb38d0

SHA256
d40f02bb7bf5c7215a59a75bbfe3c30cffdd1e884b6cdacd85e543ece79e4eea

SHA512
87a74e72809bf805c399de5925aa6b9c6922898450ff5d04e3d24bb2799e909e783cb1aa2f0afa611d54eef5366478cf3ee6f98edb1d56a08a2ea1dd8f3f47e4

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
60KB

MD5
dd4cadaebc7d5890a2d5be25c34a1002

SHA1
5f67097ab86f01f3add737ef7b421ad31662558b

SHA256
a8bbb9ca36ec1cb3ec6f49d786a19f527bb27b4040aa1d439cedf82752e113a9

SHA512
2506a73e5c3b793c9f78bdb8933eee2d79f195c4c8958d603287a8f6b924cfbd478d28e06b9ef899835f18ffb5eb9659aae8ce81098979eb81c7148ed757eaba

Download Submit
memory/2464-0-0x0000000000B90000-0x0000000000BC5000-memory.dmp

Filesize
212KB

Download
memory/2464-6-0x0000000000B50000-0x0000000000B85000-memory.dmp

Filesize
212KB

Download
memory/2464-18-0x0000000000B90000-0x0000000000BC5000-memory.dmp

Filesize
212KB

Download
memory/2488-21-0x00000000010F0000-0x0000000001125000-memory.dmp

Filesize
212KB

Download
memory/2488-23-0x00000000010F0000-0x0000000001125000-memory.dmp

Filesize
212KB

Download
memory/2488-30-0x00000000010F0000-0x0000000001125000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing