urelas | db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad

General

Target

db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe
Size

454KB
MD5

d6860d113a4a3b7003723e279716d096
SHA1

bf76074e27517e5bddbbb391966fcb7071ae3a31
SHA256

db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad
SHA512

12534ba3a0a89b1eb472f3f9796eada1e5f96f78715992ac52720ee8dbe084e1a04220f8bbf64fdfebaf1f2117559abdc79623d8b69214b279106c8acbbc2b47
SSDEEP

12288:AyPHijVSuJqu4kwaeDPvjJ81VGqK6GvPH:AuCTq4waor+Gn/

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	biefg.exe

Executes dropped EXE 2 IoCs

pid	Process
4232	biefg.exe
1912	qevoz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biefg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qevoz.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe
1912	qevoz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 4232	2100	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe	84
PID 2100 wrote to memory of 4232	2100	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe	84
PID 2100 wrote to memory of 4232	2100	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe	84
PID 2100 wrote to memory of 3608	2100	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe	85
PID 2100 wrote to memory of 3608	2100	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe	85
PID 2100 wrote to memory of 3608	2100	db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe	85
PID 4232 wrote to memory of 1912	4232	biefg.exe	94
PID 4232 wrote to memory of 1912	4232	biefg.exe	94
PID 4232 wrote to memory of 1912	4232	biefg.exe	94

C:\Users\Admin\AppData\Local\Temp\db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe
"C:\Users\Admin\AppData\Local\Temp\db459d00de42aa44b6737fea02731640e48c5b405baf9c9df4865af69c0939ad.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\biefg.exe
  "C:\Users\Admin\AppData\Local\Temp\biefg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Users\Admin\AppData\Local\Temp\qevoz.exe
    "C:\Users\Admin\AppData\Local\Temp\qevoz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
feebfe82e696ded0be5371b0de50ae5d

SHA1
accd7bd58be76a84f0dcf40e4a73b76447737fc3

SHA256
9b7c23be8f194a1365a53e130a1ea8d009fafc1b2badfc7436339438a6233f26

SHA512
2a6d5ff92856eceace47fa02cb658359cba61517e93c1f1466cfb82d236396f08ca3d11e224bcb0405c6ae625cdb82a81eb0772254dc2124c2ecc76ef5192062

Download Submit
C:\Users\Admin\AppData\Local\Temp\biefg.exe

Filesize
454KB

MD5
a5d631121967f7905c30d6563305062f

SHA1
d658817630413ace8a0312e360a23fce42bb11cd

SHA256
e222a863cb09a747aab0c761330c4791c396d64318cf56ccdb3e6ae8e188a2c7

SHA512
7578afef53f0eec48e75d8a818ed21d97511027048ebae331061bf9341e3af20246d7a218599f393694b47a3fdecd1408b8d5668a88c0bbdcf68efbba3de85aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8a201646e7e7f4dbd34f7668ea7cddc2

SHA1
014f9daa20d96a2c6eb394770520c7a5604d61f2

SHA256
0fa2c2f98c865c7a36bfe8b17c335c06312b544f22e328221439a0231cfbb19a

SHA512
6187f005d4ec38105942e74b3899b9b47160cf0d57c72bc22569bc703e1598c6948cdf8182a174de2c18b8b7b63fbc2cd7ee04af7641c6b1f1edf3ca9340dc85

Download Submit
C:\Users\Admin\AppData\Local\Temp\qevoz.exe

Filesize
179KB

MD5
991ce015f79d7ba628a43efad5efb9c7

SHA1
66868bd7cf9bd93d5a2ba7006acb717c87921c1a

SHA256
1acfe7697302481407d9d0a71bc87673f273cb8f2617009b9aefd2096c829c47

SHA512
614ec6c5a15a2bd3ee72e54d334659cf0d689ec846bac5ce85420d9147946fdcd6a49488af0d7b272e5bf090eaf3f8b2b583afa9b4eec8064338ef946ebe7666

Download Submit
memory/1912-26-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1912-31-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1912-30-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1912-29-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2100-14-0x0000000000960000-0x0000000000999000-memory.dmp

Filesize
228KB

Download
memory/2100-0-0x0000000000960000-0x0000000000999000-memory.dmp

Filesize
228KB

Download
memory/4232-27-0x00000000000A0000-0x00000000000D9000-memory.dmp

Filesize
228KB

Download
memory/4232-17-0x00000000000A0000-0x00000000000D9000-memory.dmp

Filesize
228KB

Download
memory/4232-10-0x00000000000A0000-0x00000000000D9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing