urelas | 910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b

General

Target

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
Size

692KB
MD5

b53e591f1b41aab36a05fd560ec491ce
SHA1

683d8ce3f61a8b13f2b6803e8060d3708c6a61bd
SHA256

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b
SHA512

e3b9e38b6409080b15bff22a1db0db9e1bc2a1aaee006e755add83b9a32d54d1b4340e423917bef1ae244f08223f2127faabaf65e923173f339783674f4cadc2
SSDEEP

12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nr0:dVh6gl6Iy8R9+ZdnnP94jpgl9Bnr0

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exezymea.exekeipab.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	zymea.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	keipab.exe

Executes dropped EXE 3 IoCs

Processes:

zymea.exekeipab.exezefud.exe

pid	Process
2148	zymea.exe
1012	keipab.exe
1040	zefud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exezymea.execmd.exekeipab.exezefud.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zymea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keipab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zefud.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

zefud.exe

pid	Process
1040	zefud.exe
1040	zefud.exe
1040	zefud.exe
1040	zefud.exe
1040	zefud.exe
1040	zefud.exe
1040	zefud.exe
1040	zefud.exe
1040	zefud.exe
1040	zefud.exe
1040	zefud.exe
1040	zefud.exe
1040	zefud.exe
1040	zefud.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exezymea.exekeipab.exe

description	pid	Process	procid_target
PID 5080 wrote to memory of 2148	5080	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	83
PID 5080 wrote to memory of 2148	5080	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	83
PID 5080 wrote to memory of 2148	5080	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	83
PID 5080 wrote to memory of 660	5080	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	84
PID 5080 wrote to memory of 660	5080	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	84
PID 5080 wrote to memory of 660	5080	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	84
PID 2148 wrote to memory of 1012	2148	zymea.exe	86
PID 2148 wrote to memory of 1012	2148	zymea.exe	86
PID 2148 wrote to memory of 1012	2148	zymea.exe	86
PID 1012 wrote to memory of 1040	1012	keipab.exe	96
PID 1012 wrote to memory of 1040	1012	keipab.exe	96
PID 1012 wrote to memory of 1040	1012	keipab.exe	96
PID 1012 wrote to memory of 636	1012	keipab.exe	97
PID 1012 wrote to memory of 636	1012	keipab.exe	97
PID 1012 wrote to memory of 636	1012	keipab.exe	97

C:\Users\Admin\AppData\Local\Temp\910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
"C:\Users\Admin\AppData\Local\Temp\910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\zymea.exe
  "C:\Users\Admin\AppData\Local\Temp\zymea.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\keipab.exe
    "C:\Users\Admin\AppData\Local\Temp\keipab.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\zefud.exe
      "C:\Users\Admin\AppData\Local\Temp\zefud.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
fc0c687e429f4e6ce0ff0707d753537c

SHA1
4db0d027fb00de586a8b9205fd36b81606f72d72

SHA256
417eda1fe2c91f5595bf8898777a7efdfe37dea6844397af6a2c9a19f4396292

SHA512
ab460c48858fe0428923f0a696a36b12cd39a012e0e8d9ae97798a4ae5f1b601f1e982f48deac62eaf2f0a20f9d658b8e5ad68d0ba1a6ec72bce6ad12bb3cfcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
3bb11abf472eedfe89b5bf0caab10e74

SHA1
c686cbf65fa756e2cfeaf176360952f57807fd9b

SHA256
27f5a5671678397caf1578351f606b743d5c14775d64dae3b7fdab655d40c1d5

SHA512
6260db89ef45bfa79ada347a42b3e15d4ebe5a25075086782f657ee8b51ad8661cfeb73478eeaa05d8a6c1ef93d2842b8c0cd38cc986289be0a0c8d55af43911

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1ee14f819dc9b3e774bd4c2632af4f04

SHA1
ad60e46fec76e275f9fec3dfa2426dc35121777a

SHA256
5477bd9b926b77eec496a6e1ad2041e911912a1bf6c5bd8c1d460cf5ad6228b8

SHA512
06e21f3687f0d9951f34eb83d05ed91f47659dbf2f609621f3451c460888f229655cf5141cc8b2e74a25d7279b2380cda3c47a5810454f83047a8b0f78cbf981

Download Submit
C:\Users\Admin\AppData\Local\Temp\zefud.exe

Filesize
469KB

MD5
cc79b047f5517ae9cb9f2e949551a68e

SHA1
14c188b4d60035623710b2f75c038a6f380753a1

SHA256
a6b797e7ee3bdd2928d5f59ca48e8488f943643f46c6fe73922144ca7f6db467

SHA512
a94426492795a6642cf127611a836614c4881debaf4b6705e57f6c26388ee99c99f2343e779e01f02011feb8342b5b3161d98d308fde195848a6cfd3495a5050

Download Submit
C:\Users\Admin\AppData\Local\Temp\zymea.exe

Filesize
692KB

MD5
d816ec5514faef99d43d7aa8ab7abe14

SHA1
a10d56a1806181ddbedc9b916ac3bf216e62f577

SHA256
f263d3422a7f2036500d49171de42c01c33364db9f686db9d582e0b1e54e64a9

SHA512
a5887214828eac3e46194c0bab978b3828754665e68c2d650b9bb33f4224bc26d9e5d733608e9cafab980f03fbc48d8ba3445a0c89f89ae14a0f506ca5d67123

Download Submit
memory/1012-39-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1012-25-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1040-38-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/1040-42-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/1040-43-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2148-24-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5080-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5080-14-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads