urelas | c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17e

General

Target

c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
Size

337KB
MD5

bb2fd47ba0745b3048eac29cb2d0e4c0
SHA1

6301acad5ed51e3fc37e71af6328c7d1690ce244
SHA256

c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17e
SHA512

f91810d6129f6d7adfc29b48be049673957b89a05afd494eb4a8295478f19d1fe40e91dd383746cf485371ec72493042a85e615070d28539bb7e035dd00ac965
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYWa:vHW138/iXWlK885rKlGSekcj66ciu

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	huzau.exe

Executes dropped EXE 2 IoCs

pid	Process
2020	huzau.exe
4368	vycus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huzau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vycus.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe
4368	vycus.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 2020	4060	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe	83
PID 4060 wrote to memory of 2020	4060	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe	83
PID 4060 wrote to memory of 2020	4060	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe	83
PID 4060 wrote to memory of 4484	4060	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe	84
PID 4060 wrote to memory of 4484	4060	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe	84
PID 4060 wrote to memory of 4484	4060	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe	84
PID 2020 wrote to memory of 4368	2020	huzau.exe	104
PID 2020 wrote to memory of 4368	2020	huzau.exe	104
PID 2020 wrote to memory of 4368	2020	huzau.exe	104

C:\Users\Admin\AppData\Local\Temp\c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
"C:\Users\Admin\AppData\Local\Temp\c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\huzau.exe
  "C:\Users\Admin\AppData\Local\Temp\huzau.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\vycus.exe
    "C:\Users\Admin\AppData\Local\Temp\vycus.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
dee0ff11ade44a6767cb97531821c2fe

SHA1
f303b64693aeee045c07df382da5251cc4352488

SHA256
1207aafa58d23e56206e87897fc849f15ed1e8aa372f265d41cc7227f6e3c32a

SHA512
87ac0dbe3d1fa247b9ed7eb260abe12e4ca35ef3b3263d68f02bcee4242c80421e31eb9a955a4a31c11eeeeecdacb416ef9bb2b5259da9743ff40f6346461b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d943e8626eb5b94462f0fe02211b1550

SHA1
e69cb7e42e17e3c457b9ca919d42c9ef2c830603

SHA256
640cf66d2b85776ba7c75bb2a6d862382c6f1c090f0b12d1d5bf01a3947f3dfd

SHA512
f807c9459ac538c48bd3617171bb7662d93d5a6c92d5de5ea85442f0b67060055f70ebdb849375cf5c835c5f15a1556a3735e6f28076b39aee56afe0e23a5c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\huzau.exe

Filesize
337KB

MD5
73d97486c35ebb41ec71b80a659578d1

SHA1
c5f71632fdb3f8ec4b3a939c70be21d4da4b6c1f

SHA256
44e5a9ffdf0511308c63718430998b61059fae0613e79a58b34a94ff1b8efe41

SHA512
bcaa80c95e1d073b7390a1708b7d3558ff3da5fb21e858ed8f54e1dbf549c71e61a9f451d83301e6fd15072de2dda31acef6843e514285c3af2ef24f7bb4cabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vycus.exe

Filesize
172KB

MD5
ccc863312ab8b0a9575b90f886e37fe5

SHA1
9d79acc76776a9607a80154cf9b71619cc1620bb

SHA256
20b31af79144fe46a327c077bf6c48408f52b1d9dba8c8b39e557713361affe6

SHA512
0f10a9820a57dfae0a708dded76412a28e4de3a938d3905a4757469182c7b24dac626c98011229cad947f72b7ecb4c21152dc769a22af630bdeb4429d4063658

Download Submit
memory/2020-20-0x0000000000B60000-0x0000000000BE1000-memory.dmp

Filesize
516KB

Download
memory/2020-13-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/2020-11-0x0000000000B60000-0x0000000000BE1000-memory.dmp

Filesize
516KB

Download
memory/2020-39-0x0000000000B60000-0x0000000000BE1000-memory.dmp

Filesize
516KB

Download
memory/4060-17-0x0000000000870000-0x00000000008F1000-memory.dmp

Filesize
516KB

Download
memory/4060-0-0x0000000000870000-0x00000000008F1000-memory.dmp

Filesize
516KB

Download
memory/4060-1-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4368-37-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/4368-43-0x0000000001480000-0x0000000001482000-memory.dmp

Filesize
8KB

Download
memory/4368-40-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/4368-45-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/4368-46-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing