urelas | e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b

General

Target

e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe
Size

57KB
MD5

925597f9fefce73dd4bbd37750f223f0
SHA1

29d996364960f85edc3924fe6a370e04af6b2ea0
SHA256

e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b
SHA512

7e3e1807ea2aca5f662d78c36a7dfa969be3708bc14c2a4532d0bc6f61de3f1014112c29f62939c58a57dbb046bc252ecc4d8c1ce0e3f55bb13f57b2ae88535f
SSDEEP

1536:MQPzemdaNqAPG17k74qlmbbVgYyvxcd5jnGWqN7kS8N/U:MOemdTd1o74qlmbbJ+x+Ik3U

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2648	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2732	2648	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe	30
PID 2648 wrote to memory of 2732	2648	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe	30
PID 2648 wrote to memory of 2732	2648	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe	30
PID 2648 wrote to memory of 2732	2648	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe	30
PID 2648 wrote to memory of 2656	2648	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe	31
PID 2648 wrote to memory of 2656	2648	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe	31
PID 2648 wrote to memory of 2656	2648	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe	31
PID 2648 wrote to memory of 2656	2648	e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe	31

C:\Users\Admin\AppData\Local\Temp\e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe
"C:\Users\Admin\AppData\Local\Temp\e5c7b1ef09cd55ccf5394e8bfd90f68877c3c136f4e160b0ddea3fbee360986b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
57KB

MD5
20189a063699354ac63a79a81a59414c

SHA1
ade200f6a788ce6202c69656d2a0e50c33124589

SHA256
47f89d3dc7ab4f57443dbf6e7b04e1f84d3d9a2fc0774996f2610c280af123aa

SHA512
83b48edc2e043f04a48f3d657196433cf778e119f1bf8ede76a4bb1429bfee52b7cdeb73a39599d152a2a7a88242e5780660a4acf3cebc6e30c2d1c7d05be674

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7cdc8777d33db85bc19aefb64879a7f7

SHA1
f2d494d4dfe93a05eb58513935196e8578648adf

SHA256
9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336

SHA512
34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
9fa71dfe7f6ca6af48f2103ae73a6a2f

SHA1
ca298bfe5ae31932fb7a2c7fac91f3e1cf70bbda

SHA256
2d50874845add853f504652a17739285762ace1ddcf6b11bb6cac6478148e3e0

SHA512
dcaf82db44233d8559bc07b3501eb3495a8a391695a689a9ea41e955e02954321db3ef9825a98f1f280d7073a43bc0b892a0556ca7de4ee5c8f9f2d18615a8f6

Download Submit
memory/2648-0-0x00000000013A0000-0x00000000013C6000-memory.dmp

Filesize
152KB

Download
memory/2648-9-0x0000000000500000-0x0000000000526000-memory.dmp

Filesize
152KB

Download
memory/2648-19-0x00000000013A0000-0x00000000013C6000-memory.dmp

Filesize
152KB

Download
memory/2732-10-0x0000000000EA0000-0x0000000000EC6000-memory.dmp

Filesize
152KB

Download
memory/2732-22-0x0000000000EA0000-0x0000000000EC6000-memory.dmp

Filesize
152KB

Download
memory/2732-24-0x0000000000EA0000-0x0000000000EC6000-memory.dmp

Filesize
152KB

Download
memory/2732-31-0x0000000000EA0000-0x0000000000EC6000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing