urelas | 528a01c489ede33b80523126e4d4a885ae495cd290a8eceb3821faf0982e942c

General

Target

528a01c489ede33b80523126e4d4a885ae495cd290a8eceb3821faf0982e942c.exe
Size

93KB
MD5

1a0600b707b4259f0e20a55ef1ef5175
SHA1

7df8c2784b1d221848419b7fefdc461207fc5aa3
SHA256

528a01c489ede33b80523126e4d4a885ae495cd290a8eceb3821faf0982e942c
SHA512

da6579af3ddf1f72582206c98f5204d8531fb0a57e6a87cc00b76082ff8c22b993ff250601da2956349f6fb39ff1f25acd54d271842d998100052f43ff880d45
SSDEEP

768:tp0ti4HnnhtwYbJy6rioyelmd1TzulQEDDPOwc5n5uNCT/jhhLBxQIwqepJZU9m+:tWzhtJbUgHoADDIx1hLfuJr+

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2128	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1704	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2500	528a01c489ede33b80523126e4d4a885ae495cd290a8eceb3821faf0982e942c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	528a01c489ede33b80523126e4d4a885ae495cd290a8eceb3821faf0982e942c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1704	2500	528a01c489ede33b80523126e4d4a885ae495cd290a8eceb3821faf0982e942c.exe	31
PID 2500 wrote to memory of 1704	2500	528a01c489ede33b80523126e4d4a885ae495cd290a8eceb3821faf0982e942c.exe	31
PID 2500 wrote to memory of 1704	2500	528a01c489ede33b80523126e4d4a885ae495cd290a8eceb3821faf0982e942c.exe	31
PID 2500 wrote to memory of 1704	2500	528a01c489ede33b80523126e4d4a885ae495cd290a8eceb3821faf0982e942c.exe	31
PID 2500 wrote to memory of 2128	2500	528a01c489ede33b80523126e4d4a885ae495cd290a8eceb3821faf0982e942c.exe	32
PID 2500 wrote to memory of 2128	2500	528a01c489ede33b80523126e4d4a885ae495cd290a8eceb3821faf0982e942c.exe	32
PID 2500 wrote to memory of 2128	2500	528a01c489ede33b80523126e4d4a885ae495cd290a8eceb3821faf0982e942c.exe	32
PID 2500 wrote to memory of 2128	2500	528a01c489ede33b80523126e4d4a885ae495cd290a8eceb3821faf0982e942c.exe	32

C:\Users\Admin\AppData\Local\Temp\528a01c489ede33b80523126e4d4a885ae495cd290a8eceb3821faf0982e942c.exe
"C:\Users\Admin\AppData\Local\Temp\528a01c489ede33b80523126e4d4a885ae495cd290a8eceb3821faf0982e942c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
16c2bcf1dae729c5cb36a1875efe354c

SHA1
775fbf4b6a2e5bc033b86cfc0893250b5d387a45

SHA256
796a881d71234f7fcd9f5220c6e5674e231610bbf37626d9e5b79dc3268b7bb4

SHA512
d8bd6cb6cb6ccd3c2cc40edde9cd3e8c09d1ae55c21ac1896325c324c08507e68c16d3864923806d29db79c57b958dac68e43bdcf809c0a2c8b5b0a7b8557177

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
902fecc50b6a254a99a7ac681ade05d0

SHA1
ab6cdade8a9bc0aa83bda769b3a2ad4d145c778c

SHA256
10503dd8e33a25f7cc77f5cd118b64790d386ffa1528fed8d8e0067ac4e34b01

SHA512
c84a7ebe25a6cf69e3f0a2e13238695c3dd5333b7a5a2a4711e22058e0fba9e6d414dedc1a9e48923bcca8dac9e0ad525c7351b8105759896a847c4bab95114c

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
93KB

MD5
4c120e246238965e6d4e9eb9387d0c0b

SHA1
b21aa0fa0b1e623bf4d5833cd08576ec95a15a86

SHA256
09881f2c6a0d1e69350f8b2fee3f73afeef02220ed761f1ee258a02e2113afcb

SHA512
5e9a07aae551a7209fe562b437acebad2b49548788f744ccf9f44af8981a1dcfc77ddf3722c58df46b9b65335e0321d7c8b3b75a2bbb6a1c1b14ed3b0ce14c92

Download Submit
memory/1704-10-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/1704-22-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/1704-24-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/1704-31-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/2500-0-0x0000000001310000-0x0000000001340000-memory.dmp

Filesize
192KB

Download
memory/2500-6-0x0000000000A10000-0x0000000000A40000-memory.dmp

Filesize
192KB

Download
memory/2500-19-0x0000000001310000-0x0000000001340000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing