urelas | b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691

General

Target

b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
Size

334KB
MD5

48c754b5a0b4931fb08ad6a060c6f3c5
SHA1

3056f95cc54e0a8ee01bb930e279e876c4bc1c45
SHA256

b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691
SHA512

bb175497b013686162ce71fb8112f16b4ab0746357612fd0fa9406b727ff3907ef7ec96459e3e05163e380cb84bd6a737667299c2ccea65df5579df9071d6b94
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9U:vHW138/iXWlK885rKlGSekcj66ciIU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	xebuj.exe

Executes dropped EXE 2 IoCs

pid	Process
3928	xebuj.exe
2988	opbio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opbio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xebuj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe
2988	opbio.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 3928	3512	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe	83
PID 3512 wrote to memory of 3928	3512	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe	83
PID 3512 wrote to memory of 3928	3512	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe	83
PID 3512 wrote to memory of 3188	3512	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe	84
PID 3512 wrote to memory of 3188	3512	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe	84
PID 3512 wrote to memory of 3188	3512	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe	84
PID 3928 wrote to memory of 2988	3928	xebuj.exe	102
PID 3928 wrote to memory of 2988	3928	xebuj.exe	102
PID 3928 wrote to memory of 2988	3928	xebuj.exe	102

C:\Users\Admin\AppData\Local\Temp\b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
"C:\Users\Admin\AppData\Local\Temp\b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Users\Admin\AppData\Local\Temp\xebuj.exe
  "C:\Users\Admin\AppData\Local\Temp\xebuj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Users\Admin\AppData\Local\Temp\opbio.exe
    "C:\Users\Admin\AppData\Local\Temp\opbio.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
fcee18b4f5a4109143fc8d5fb58a648c

SHA1
c5151910f25c710befc931b38730f8ab3119067e

SHA256
148df7dbcaf5f4eab988643544f498c546cbc3ab0eaf32f9897bd85c773c3634

SHA512
85c86921fda408d6826d1af702cd01cc19d63a03b45b31ea40e372921adeef9281a119a8b9faa2924e4fbc6342f924e9f111be071a20fae89771e8a9e288178a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
feb3a5c4d484c079efe42353a87bf640

SHA1
83e7bf9790c6537817953d337d5bbb59c317c119

SHA256
7fde0709ef871feca6f64f664c0af19ebf120332e317babd4eb9df693e7ddd4f

SHA512
13e2015da4ec21d02a143589a9ad0625f2e583a02492bbe48014e1f8070862f2de4730f22d780648dc106ed7151f43cfd4050dbaa97824017b7cf5147806897f

Download Submit
C:\Users\Admin\AppData\Local\Temp\opbio.exe

Filesize
172KB

MD5
cc5af958b77015ba965eb773096c7c80

SHA1
55fb382ee2e48bc71d399b057cd3037c16f2437b

SHA256
8fd9fef02c70d5657ee9641dc2e51fec1a13c78c900908317927f3d6e35a5cc4

SHA512
b464e8aaa325d1bbc79fbfe9f37955372b2b6418d639bdcf161d6046882bd785d96456366037405ac2fea2a2ed6ae08a8c3d96b17b03797e88d854c95912d236

Download Submit
C:\Users\Admin\AppData\Local\Temp\xebuj.exe

Filesize
334KB

MD5
c500880bda6bccb69f30ad827253e5a5

SHA1
e5388cfee0c53f160e0055835142e4cbd414c4c8

SHA256
0c2c536cee64ae2f1366d5010b51ead68d051966d1638ccadde9a701efde68e4

SHA512
681399ed229c109ecf5d27db613ca44fafca35f8cdd15e60b6e8a5cacf74aa60ee6072eaa41e77518e2b3d262de1fd5a508e8a911ac58cbf8762214b425e92d6

Download Submit
memory/2988-48-0x00000000005D0000-0x0000000000669000-memory.dmp

Filesize
612KB

Download
memory/2988-40-0x00000000005D0000-0x0000000000669000-memory.dmp

Filesize
612KB

Download
memory/2988-46-0x00000000005D0000-0x0000000000669000-memory.dmp

Filesize
612KB

Download
memory/2988-47-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/2988-41-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/2988-42-0x00000000005D0000-0x0000000000669000-memory.dmp

Filesize
612KB

Download
memory/3512-17-0x0000000000C90000-0x0000000000D11000-memory.dmp

Filesize
516KB

Download
memory/3512-0-0x0000000000C90000-0x0000000000D11000-memory.dmp

Filesize
516KB

Download
memory/3512-1-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/3928-13-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3928-39-0x0000000000BF0000-0x0000000000C71000-memory.dmp

Filesize
516KB

Download
memory/3928-21-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3928-20-0x0000000000BF0000-0x0000000000C71000-memory.dmp

Filesize
516KB

Download
memory/3928-11-0x0000000000BF0000-0x0000000000C71000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing