urelas | 5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757

General

Target

5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe
Size

537KB
MD5

d20fee1a424647bee9f78e3942ba37f9
SHA1

a2c0bf2a4ce15eb5a151eadd37a1d51e9e87e3ac
SHA256

5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757
SHA512

9bb9a502cee133b023d26d23e28a1037cb41f896e5c80e7e97f6e78eec42e53dceae1fa7600a9cd0bb9adb73b06f28be6442cb1eaada08de9afff8571a2b0e5f
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPH:q0P/k4lb2wKatH

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	rivou.exe

Executes dropped EXE 2 IoCs

pid	Process
4744	rivou.exe
4912	fedoi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fedoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rivou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe
4912	fedoi.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 4744	4060	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	83
PID 4060 wrote to memory of 4744	4060	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	83
PID 4060 wrote to memory of 4744	4060	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	83
PID 4060 wrote to memory of 1492	4060	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	84
PID 4060 wrote to memory of 1492	4060	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	84
PID 4060 wrote to memory of 1492	4060	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	84
PID 4744 wrote to memory of 4912	4744	rivou.exe	102
PID 4744 wrote to memory of 4912	4744	rivou.exe	102
PID 4744 wrote to memory of 4912	4744	rivou.exe	102

C:\Users\Admin\AppData\Local\Temp\5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe
"C:\Users\Admin\AppData\Local\Temp\5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\rivou.exe
  "C:\Users\Admin\AppData\Local\Temp\rivou.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\fedoi.exe
    "C:\Users\Admin\AppData\Local\Temp\fedoi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c2eb983e8ced9ab28290b9e78fa44f80

SHA1
051ec107b9b7f56da21bd418b07489c414162000

SHA256
ad3ec2686dea0acd066b44085130ef74ac8fc02ac49452d000045557bade23b8

SHA512
df30a2c2b746442b37e4280e56605b0380a3f98bd0af45abb800f34cfd4fea33ace316131f1be74d0c1dcc720c29b4502d6a897a184ce9c89462b97d5a880332

Download Submit
C:\Users\Admin\AppData\Local\Temp\fedoi.exe

Filesize
236KB

MD5
a80b4797a75e88a791cfaa13d20d792f

SHA1
41cbbe99b8624e8c0b692b8bbb1f2b40f92708e6

SHA256
c4abe72de406e880240c18648bba709bc61281b88d32b9dca3dbac1cb173fe2c

SHA512
83cdfbd8fa9d99f3ebb7d997a3764c13e316a9bcbd301a4ad2b58dda818ed1a1563a4c7cbefeaebf0bedc81f5fd7313f4e09a3fa0d6f2d6e7a9d4f7f41cc9086

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2efc1347429c374d77f629d944fda579

SHA1
ae440ce57e206aca101a3e957aa80f426a16a17c

SHA256
dfce0c03be59549aa978a1c53d2311d0c6c537ad96455fe2a714e3efe6a1d92c

SHA512
a66785a17c3e51af5846fb6dbddde586080c973dab0bd12d9c10e30859e97fbfafcaa8aa9d560aa6af1e8290767b41cfe93f39ad7592b9b1406894bd8ee69635

Download Submit
C:\Users\Admin\AppData\Local\Temp\rivou.exe

Filesize
537KB

MD5
56bf5215bf932ec1416cf00ea338a38e

SHA1
366bbbbd2112c352ed7ae77f32175acb7de2808a

SHA256
3dd5887b15e07ee381a0a91c4917bbc458f9633fb746445e1ad7dcf16db120d7

SHA512
0c3632906179e1ff859c20bc181386132d30669b2835d8632cccd1cc6eedc5e2df5354fc9f07aa6169d96cee5a22870c8241a45343f4f8a6d7b789c0d15cdc70

Download Submit
memory/4060-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4060-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4744-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4744-26-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4912-27-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4912-24-0x00000000002C0000-0x0000000000363000-memory.dmp

Filesize
652KB

Download
memory/4912-29-0x00000000002C0000-0x0000000000363000-memory.dmp

Filesize
652KB

Download
memory/4912-30-0x00000000002C0000-0x0000000000363000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing