urelas | 2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870da

General

Target

2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe
Size

75KB
MD5

cd32ae4b366337014b1272d4555117a0
SHA1

7ea4b34ec103835f9005566a84646458e635894b
SHA256

2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870da
SHA512

75e818488240d6e3fe980afaf1933e203fa0c5a9fa18ff9f111cd5b6a238c87f6b3718a7b305bc2382e338f0465309ef8e89d2e2453c7df434625ad0702ea819
SSDEEP

1536:+Uk8RgDXz7Kx8zzgmTlvtKrNCpbXmsz4tHITo:Tk8yn7KdmTINQXzz4V

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2112	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2324	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2360	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2324	2360	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe	31
PID 2360 wrote to memory of 2324	2360	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe	31
PID 2360 wrote to memory of 2324	2360	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe	31
PID 2360 wrote to memory of 2324	2360	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe	31
PID 2360 wrote to memory of 2112	2360	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe	32
PID 2360 wrote to memory of 2112	2360	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe	32
PID 2360 wrote to memory of 2112	2360	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe	32
PID 2360 wrote to memory of 2112	2360	2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe	32

C:\Users\Admin\AppData\Local\Temp\2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe
"C:\Users\Admin\AppData\Local\Temp\2b7c179266b8f5b648eace2f808a28e1ad7b2fec92113daaa49518d3d27870daN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
76eaed1cdcaa3e93de67dd5f94abb63e

SHA1
c0e0ff36484832ed8fd69b50fc2d2691811f218b

SHA256
fe485dd700b9b8c95e9de719dc1eb9ecf25b8f554fc23a3baa679ff12aa173b5

SHA512
bcf04a4f6e80db17fbb6d9be2b9c5722cd2118a6dbf4b2fc8a438efd8df1085fbc2a08047d1aaa909095f48294c2bb454ac66d76110deb6b6ec153b8a1a5511b

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
75KB

MD5
29947e488c9bcf1007a4f3eb81e04d34

SHA1
f6bd6617f6df396e539e963fa7e09c925d2a4161

SHA256
b4e009eadea70ec190ca0539f59f69504d091ee14873900fd54d90a13ebfe4f7

SHA512
7e2195284c4f950f37a31a90065211bfd92320fbbc5b728354c76888afec4fddae65ed7c4671af6e8e994f98c1b4b13c11f42d6e687abb8836592354fb487bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
7c1682ad30ef63f0047e1ff02531ce89

SHA1
7cf164e6fa8ce052d7149e836a1c1b9c823ddc82

SHA256
af47b9a19c28c9bbb02c0eea340c0196644bb98bf856fef0d03c19e356c2b90c

SHA512
ab51ec3a1d980bab469ad1e6e4702caa35b3febfc9a7736bf340d485495b5e75e0db6f77da37f0f451a01a528e431bcb173ddb9ccb9b7fd2fa33d890c3b50265

Download Submit
memory/2324-21-0x0000000000F30000-0x0000000000F5F000-memory.dmp

Filesize
188KB

Download
memory/2324-23-0x0000000000F30000-0x0000000000F5F000-memory.dmp

Filesize
188KB

Download
memory/2324-29-0x0000000000F30000-0x0000000000F5F000-memory.dmp

Filesize
188KB

Download
memory/2360-0-0x0000000000D80000-0x0000000000DAF000-memory.dmp

Filesize
188KB

Download
memory/2360-6-0x0000000000640000-0x000000000066F000-memory.dmp

Filesize
188KB

Download
memory/2360-18-0x0000000000D80000-0x0000000000DAF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing