urelas | 847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8d

General

Target

847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe
Size

335KB
MD5

a22fbfce60dfe222e0b61763b913d860
SHA1

d19007a17a6a53bdd96a70a6172f25a0e2009595
SHA256

847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8d
SHA512

b642e2885b8dfca1bdbdd81dbc402e3aa20950c22ca1de9bf3905784877128a33cdb3948d8ce328c65bfab74961006ab073f2de65309a8cfa3141c27e5fb9953
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIo:vHW138/iXWlK885rKlGSekcj66cii

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	rupin.exe

Executes dropped EXE 2 IoCs

pid	Process
3188	rupin.exe
772	ygezk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rupin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ygezk.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe
772	ygezk.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 3188	2260	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe	85
PID 2260 wrote to memory of 3188	2260	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe	85
PID 2260 wrote to memory of 3188	2260	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe	85
PID 2260 wrote to memory of 1756	2260	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe	86
PID 2260 wrote to memory of 1756	2260	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe	86
PID 2260 wrote to memory of 1756	2260	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe	86
PID 3188 wrote to memory of 772	3188	rupin.exe	106
PID 3188 wrote to memory of 772	3188	rupin.exe	106
PID 3188 wrote to memory of 772	3188	rupin.exe	106

C:\Users\Admin\AppData\Local\Temp\847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe
"C:\Users\Admin\AppData\Local\Temp\847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\rupin.exe
  "C:\Users\Admin\AppData\Local\Temp\rupin.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Users\Admin\AppData\Local\Temp\ygezk.exe
    "C:\Users\Admin\AppData\Local\Temp\ygezk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
d3e628636d94363250cfdd3c2e1dfa2f

SHA1
c5628eb2dfd37c4860f1f4b391e98acbe64e203e

SHA256
614408851b02ce04b30b00b36902f756c4197503dbf857bfef18affc34d04698

SHA512
78d7d27021a271a7c33a6837ad3f333511341295b9e1730943d7550aa8cd410dcfddec872f5a954b7e058df8ceaabdd73587728bad2eebe7cf19fd555dc51670

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7f95992393a445d827b54262325a1439

SHA1
2849dace240816889e1d84ca07fc3d7d25bb063a

SHA256
1a7d9625ba6bd631e93eb10c8264bf9addffdee11d0741e11b7c98749c3c0b97

SHA512
cf2a1c666ee4f768ecf287376086dab1889ebb487be4a312a6eedb9b175f2616e36a351d120cc3cbf55dd81280ffee0769a44b0aa4e8046a16f56ca0d5e62c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rupin.exe

Filesize
335KB

MD5
26669ab268a41f21b9027e02dbf90fce

SHA1
4f9662237d8bce2f844e2351dfa068184953f78d

SHA256
91f9adf067268320f130f550abb7285bc1e80a25bb014a43f191f1bf17fddc14

SHA512
8abab45a7ee29bf743152305d2eff2044085cb9991d71e5b83b88272bead000d5abfa96ed609a930260a0981125ae032fe9ce845e36894feec7527fe45dd8f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygezk.exe

Filesize
172KB

MD5
1cb7caedb8e27db132b969189423b37d

SHA1
d9d97f48ad925625dd6db7a747a9a05ddadea6c6

SHA256
75d5ca835a2bc621f4bd2b9ae3f202248ecd4a6869f51d67760637f577481d62

SHA512
f6c7a25bd686e4e617edcc5a4e52f6d73d48bfce8269c710adc9fa4ee4d2f2881236800428b5c3a9dc03964e098366154b9ca6d486e30d30d02812990bd783a3

Download Submit
memory/772-47-0x0000000000350000-0x00000000003E9000-memory.dmp

Filesize
612KB

Download
memory/772-45-0x0000000000350000-0x00000000003E9000-memory.dmp

Filesize
612KB

Download
memory/772-46-0x0000000000B90000-0x0000000000B92000-memory.dmp

Filesize
8KB

Download
memory/772-37-0x0000000000350000-0x00000000003E9000-memory.dmp

Filesize
612KB

Download
memory/772-41-0x0000000000350000-0x00000000003E9000-memory.dmp

Filesize
612KB

Download
memory/772-40-0x0000000000B90000-0x0000000000B92000-memory.dmp

Filesize
8KB

Download
memory/2260-0-0x00000000007C0000-0x0000000000841000-memory.dmp

Filesize
516KB

Download
memory/2260-17-0x00000000007C0000-0x0000000000841000-memory.dmp

Filesize
516KB

Download
memory/2260-1-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/3188-13-0x0000000000790000-0x0000000000811000-memory.dmp

Filesize
516KB

Download
memory/3188-39-0x0000000000790000-0x0000000000811000-memory.dmp

Filesize
516KB

Download
memory/3188-20-0x0000000000790000-0x0000000000811000-memory.dmp

Filesize
516KB

Download
memory/3188-14-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing