urelas | 7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d

General

Target

7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe
Size

338KB
MD5

3e4c16d9130d98dfcf7ca845d4c34b80
SHA1

c72fca9756823d85ec81ca9856cce7604a49e0e7
SHA256

7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d
SHA512

9788b0f06265a0f19e66fc4ed97559b861534b3896cfd7bb78ac6b4f4707894a4ec76963970331bfeb37b95e1281c5492689906e0bfe1cb581c459530dfae5ef
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYWE:vHW138/iXWlK885rKlGSekcj66ciI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	bihul.exe

Executes dropped EXE 2 IoCs

pid	Process
4660	bihul.exe
3620	yblod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bihul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yblod.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe
3620	yblod.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 4660	3652	7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe	83
PID 3652 wrote to memory of 4660	3652	7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe	83
PID 3652 wrote to memory of 4660	3652	7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe	83
PID 3652 wrote to memory of 4576	3652	7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe	84
PID 3652 wrote to memory of 4576	3652	7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe	84
PID 3652 wrote to memory of 4576	3652	7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe	84
PID 4660 wrote to memory of 3620	4660	bihul.exe	104
PID 4660 wrote to memory of 3620	4660	bihul.exe	104
PID 4660 wrote to memory of 3620	4660	bihul.exe	104

C:\Users\Admin\AppData\Local\Temp\7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe
"C:\Users\Admin\AppData\Local\Temp\7336773cda35ca7da53e9ce3454d2f5094fe7d20e79397c338814106b94b6d7d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Local\Temp\bihul.exe
  "C:\Users\Admin\AppData\Local\Temp\bihul.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Users\Admin\AppData\Local\Temp\yblod.exe
    "C:\Users\Admin\AppData\Local\Temp\yblod.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
569d6c89e11fb43d80a460ee3263cd13

SHA1
9e235ce57c6aa2cf7ff57f82415db66b6fbc8323

SHA256
ae10a167e94897ea24d4e22c0333a0e7db867aa82be2625043dd809a705bcfd0

SHA512
0965a06333d79695224bd0b1cbfd48460ad128630e99cd97bfb05dddf388e23504ec85b2572225b9e099dc42cadb2bcb8b8bf047172f87101364ff9bf6466667

Download Submit
C:\Users\Admin\AppData\Local\Temp\bihul.exe

Filesize
338KB

MD5
68f0ade566835ddc4d0afb7cd13b88bb

SHA1
e5c4b127d212765a2c0bb5bab74c6b9b808f8d5d

SHA256
3c67c0480ebd51b50857e559480ba28d1f3225d77ded8829ee69f2c874145d72

SHA512
8edcbad0270eb625abb1092696cf65e8f0ad56076d0b17f3fb822913a1bc9e130c311dc9e43811171d73f8998c1eacc1b2aabf236bfe26ab98e3353270034feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8181049a13410c24b4cc56e85e163693

SHA1
fbbf7359f223caa5a958af0436e860b0f747657b

SHA256
b7795a27a6bf9ef649bed53a34c1ea0bcb7fb258bbbfa91e4a394ba261c2a0a8

SHA512
15e75ccb7ec98678db379748ff397faca39ffdf0be8a51158b1c67e46b89e494b405b047d633a5adb6ffbad7a7ff91bc9775de400a4185480c8726d162d058ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\yblod.exe

Filesize
172KB

MD5
8bec3444573058a250c1c5e2dd0ead91

SHA1
bb1f942b219c065b62a7ca3b4cc122a56d708d65

SHA256
c0a77ed63159cca9cb2b4c26cdd210033b89a10010eb4de6b73a68b8eff503cb

SHA512
492b7b76f49bd17f4cd4a32a6596a69b4cddb121aaf390760463a9ce6ede4968994e7f83cb9b538b7e827dc010f2b263ee410208b4dabf0a7c2deed4040d368f

Download Submit
memory/3620-41-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

Filesize
8KB

Download
memory/3620-46-0x00000000003E0000-0x0000000000479000-memory.dmp

Filesize
612KB

Download
memory/3620-45-0x00000000003E0000-0x0000000000479000-memory.dmp

Filesize
612KB

Download
memory/3620-36-0x00000000003E0000-0x0000000000479000-memory.dmp

Filesize
612KB

Download
memory/3620-38-0x00000000003E0000-0x0000000000479000-memory.dmp

Filesize
612KB

Download
memory/3652-1-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/3652-17-0x00000000008B0000-0x0000000000931000-memory.dmp

Filesize
516KB

Download
memory/3652-0-0x00000000008B0000-0x0000000000931000-memory.dmp

Filesize
516KB

Download
memory/4660-20-0x0000000000E90000-0x0000000000F11000-memory.dmp

Filesize
516KB

Download
memory/4660-43-0x0000000000E90000-0x0000000000F11000-memory.dmp

Filesize
516KB

Download
memory/4660-14-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/4660-10-0x0000000000E90000-0x0000000000F11000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing