urelas | 163b93332e85582c5953c7799db7127e9a0664a46853e18fff365f8f32090d34

General

Target

163b93332e85582c5953c7799db7127e9a0664a46853e18fff365f8f32090d34N.exe
Size

334KB
MD5

092601aa9bd005c40f2ade0e114203d0
SHA1

c140bdacfd57ee5ba2dbf7ad65f087dbcb04e193
SHA256

163b93332e85582c5953c7799db7127e9a0664a46853e18fff365f8f32090d34
SHA512

eddf969e06cf00bf81c116768830724c069f010d3a37293d6a41316fb815282d45e0690c6513102e7943b96a1637d9acff2cff6a3e691219ce5d9866dafb0957
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYm:vHW138/iXWlK885rKlGSekcj66ciT

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	163b93332e85582c5953c7799db7127e9a0664a46853e18fff365f8f32090d34N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	nakad.exe

Executes dropped EXE 2 IoCs

pid	Process
3876	nakad.exe
3368	fanog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	163b93332e85582c5953c7799db7127e9a0664a46853e18fff365f8f32090d34N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nakad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fanog.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe
3368	fanog.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 3876	2816	163b93332e85582c5953c7799db7127e9a0664a46853e18fff365f8f32090d34N.exe	83
PID 2816 wrote to memory of 3876	2816	163b93332e85582c5953c7799db7127e9a0664a46853e18fff365f8f32090d34N.exe	83
PID 2816 wrote to memory of 3876	2816	163b93332e85582c5953c7799db7127e9a0664a46853e18fff365f8f32090d34N.exe	83
PID 2816 wrote to memory of 628	2816	163b93332e85582c5953c7799db7127e9a0664a46853e18fff365f8f32090d34N.exe	85
PID 2816 wrote to memory of 628	2816	163b93332e85582c5953c7799db7127e9a0664a46853e18fff365f8f32090d34N.exe	85
PID 2816 wrote to memory of 628	2816	163b93332e85582c5953c7799db7127e9a0664a46853e18fff365f8f32090d34N.exe	85
PID 3876 wrote to memory of 3368	3876	nakad.exe	103
PID 3876 wrote to memory of 3368	3876	nakad.exe	103
PID 3876 wrote to memory of 3368	3876	nakad.exe	103

C:\Users\Admin\AppData\Local\Temp\163b93332e85582c5953c7799db7127e9a0664a46853e18fff365f8f32090d34N.exe
"C:\Users\Admin\AppData\Local\Temp\163b93332e85582c5953c7799db7127e9a0664a46853e18fff365f8f32090d34N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\nakad.exe
  "C:\Users\Admin\AppData\Local\Temp\nakad.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\fanog.exe
    "C:\Users\Admin\AppData\Local\Temp\fanog.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b9a5945f422d9717cadb3a3c8003d139

SHA1
cc64f47a415741c4ea485ae64152b877dddf9849

SHA256
2e04ed1467c2166241c9ee3fea2d4fbda2752b9f284370ef348fbb26ff881b3a

SHA512
e56ad9e234a77bb37df11c6e149065e54e6642eb54a662be97dda4f38a16fa9fe80636550f330040b32223902f8b8aa5c81ae3ee9688c7a7ba6669ba91e47c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fanog.exe

Filesize
172KB

MD5
a90eb9ef71fd5fe7c0fd5a0b64d4e008

SHA1
4ce4bacba3d967723211ba54b8d5df7101fecaba

SHA256
eab651083f1467c0478f55c10ec96479a0cee897798c5412eef0a0889052a999

SHA512
4aa8be4a664a2180f7a9d77dc5f2c69e3edbf6ace4b4da25f639c82d80513ee4f72ddfdf02245918cd82244ae25f67ea851d4822c4e78df45ba3a7ecd13696ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7807bab289bcffd954e0ed32ff543cd2

SHA1
b8b8e2bf6547c28246f5a366689d50b7d4e58b1f

SHA256
1ea670521c1382c83017d222186d0eab1b8dd080d0bdfccaa676b24c919ed3e7

SHA512
559b45d76471a0ddfd1f9cbf640feb3e82bad1b304f6d01e1f85aa68bffc94c5b6923fe6c44d07a05219946e4bc8a1b4a769988693ea00ecab4fd8305de11680

Download Submit
C:\Users\Admin\AppData\Local\Temp\nakad.exe

Filesize
334KB

MD5
9ef531d26d14bc621e5844c5cbd8d379

SHA1
b3ac42754c174112ee6ca1dc9d45328c3e477216

SHA256
3dc979ddd19d0640c22cb21ec6204ba4994dbfd7a3d078288f9a058ef53d4d87

SHA512
1574b35564a37308f1d22d2a925be19b5d05c4e81bea6aaf60ac997b6d3ef2f4128849c2456ac9cc34f28fed7a21d624550d5457be0bf6ab09f0e1d00055ccb9

Download Submit
memory/2816-1-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2816-0-0x0000000000B50000-0x0000000000BD1000-memory.dmp

Filesize
516KB

Download
memory/2816-17-0x0000000000B50000-0x0000000000BD1000-memory.dmp

Filesize
516KB

Download
memory/3368-48-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/3368-46-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/3368-47-0x0000000001300000-0x0000000001302000-memory.dmp

Filesize
8KB

Download
memory/3368-41-0x0000000001300000-0x0000000001302000-memory.dmp

Filesize
8KB

Download
memory/3368-37-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/3368-42-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/3876-20-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/3876-40-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/3876-21-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/3876-13-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/3876-14-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing