urelas | 4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4

General

Target

4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe
Size

335KB
MD5

6b6d7280b40ecf8da84985d92247e200
SHA1

1ef07cafa873cdb3e748558ea6a92ff890757612
SHA256

4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4
SHA512

736c7e889bd4a8d957a25c6491532c8420edf0ff6f1f28e573cac3aa17cf11999caa793648d03e4c071f6a8fc63676067f5c67da89ce4604c1e9fc14ea43a3b9
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVV0:vHW138/iXWlK885rKlGSekcj66ciEV0

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	biynm.exe

Executes dropped EXE 2 IoCs

pid	Process
1344	biynm.exe
1276	odjet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odjet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biynm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe
1276	odjet.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1344	1208	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe	82
PID 1208 wrote to memory of 1344	1208	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe	82
PID 1208 wrote to memory of 1344	1208	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe	82
PID 1208 wrote to memory of 1844	1208	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe	83
PID 1208 wrote to memory of 1844	1208	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe	83
PID 1208 wrote to memory of 1844	1208	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe	83
PID 1344 wrote to memory of 1276	1344	biynm.exe	94
PID 1344 wrote to memory of 1276	1344	biynm.exe	94
PID 1344 wrote to memory of 1276	1344	biynm.exe	94

C:\Users\Admin\AppData\Local\Temp\4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe
"C:\Users\Admin\AppData\Local\Temp\4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\biynm.exe
  "C:\Users\Admin\AppData\Local\Temp\biynm.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\odjet.exe
    "C:\Users\Admin\AppData\Local\Temp\odjet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
22222a2451e6d34a39b22f51cd34e504

SHA1
84c6c07bb4cea25b2dbe1c2e7d9cc7c67307e028

SHA256
6d2db47ebe8a8e93fbd985a7111986ff83d9a7e900c738840f9d4955be2066c2

SHA512
718ed487f7c7e54a3fccce5a523c11aeb4fb631b03f22bdc477a91a32238d936dd500df477562ab882e2cedee4c49a822a9593126178628c7d14d4b8c28c8478

Download Submit
C:\Users\Admin\AppData\Local\Temp\biynm.exe

Filesize
335KB

MD5
2401f64f41965e2695e1d15419388350

SHA1
cd89ef2a8ea99ded4b76c0fddc9d87d1ff1c373e

SHA256
1767eb0284c5ad34f469bc5e11ac70a9ad3115a3c1d550e0fdda06712c39e13a

SHA512
6364631f5725e774d1dbc99e495c1b45ac1cfa2e254fe0e931f32e12b72b9c3f5fcb3c068bf30c557404e222ca0855f12e74e15d288de5b0e65b3faaa3da15da

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
dbcb1b6678e69be465456ca81726329a

SHA1
2c6038990534a52da28ad5c3f0a4b8fbfa21eb42

SHA256
5ddf6414679263ae0ab7cb6a2bb81acb0c92ba20eeeb63decb617eaddf26640b

SHA512
410228732427fe0b4ca4b47f559da27315a6ffe25365d2bb4eb88ba629f0708c5facfcd7302065fbe7ad98d7f44ec7442fae0d10d3b86ec2c70b60a83edbe76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\odjet.exe

Filesize
172KB

MD5
0cbc11831abf839ed065c7d9cfa131c9

SHA1
b5f07edf1d43d539c064eb3e7eb89140094b02db

SHA256
23401af6952f2554fb23382b3d4fd6781de411e73335a46fb9a212b8f9b94011

SHA512
71dc487f0b1cfdad5c2d5c4666d85801b99a082084a10445d12b3ee01c3ad86ec7052845ff68e6b397121842da212a3e37b10e0b4a2ee8fdb75ff8a2856c553d

Download Submit
memory/1208-1-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1208-0-0x0000000000C30000-0x0000000000CB1000-memory.dmp

Filesize
516KB

Download
memory/1208-17-0x0000000000C30000-0x0000000000CB1000-memory.dmp

Filesize
516KB

Download
memory/1276-48-0x0000000000720000-0x00000000007B9000-memory.dmp

Filesize
612KB

Download
memory/1276-46-0x0000000000720000-0x00000000007B9000-memory.dmp

Filesize
612KB

Download
memory/1276-47-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/1276-41-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/1276-37-0x0000000000720000-0x00000000007B9000-memory.dmp

Filesize
612KB

Download
memory/1276-42-0x0000000000720000-0x00000000007B9000-memory.dmp

Filesize
612KB

Download
memory/1344-20-0x0000000000FC0000-0x0000000001041000-memory.dmp

Filesize
516KB

Download
memory/1344-40-0x0000000000FC0000-0x0000000001041000-memory.dmp

Filesize
516KB

Download
memory/1344-21-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1344-11-0x0000000000FC0000-0x0000000001041000-memory.dmp

Filesize
516KB

Download
memory/1344-14-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing