urelas | 19684c0ade8e1779e1646f2c407c164d0028f4f5a9adbb79bda1234fce67a16c

General

Target

19684c0ade8e1779e1646f2c407c164d0028f4f5a9adbb79bda1234fce67a16c.exe
Size

68KB
MD5

4b843db0be5fe85a50d692fc422facd2
SHA1

8433f8a5dbf7a7098941e22428474418b96907c4
SHA256

19684c0ade8e1779e1646f2c407c164d0028f4f5a9adbb79bda1234fce67a16c
SHA512

abccc913e6f05332febd6937ba89da0ee9805ea68f3539ef188f28d052a25c9abb9f0f0bc1c0db53957def83a762b5de5720d7baaef6135648f5c3267bb21ef9
SSDEEP

1536:v6fqsAPQYGmPzmZDDZrV8sMQXGkfn33n7z5WeIuhCarV:yLAYUzmdD0sMQl7d7IuhCaB

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2976	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2952	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2120	19684c0ade8e1779e1646f2c407c164d0028f4f5a9adbb79bda1234fce67a16c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19684c0ade8e1779e1646f2c407c164d0028f4f5a9adbb79bda1234fce67a16c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2952	2120	19684c0ade8e1779e1646f2c407c164d0028f4f5a9adbb79bda1234fce67a16c.exe	31
PID 2120 wrote to memory of 2952	2120	19684c0ade8e1779e1646f2c407c164d0028f4f5a9adbb79bda1234fce67a16c.exe	31
PID 2120 wrote to memory of 2952	2120	19684c0ade8e1779e1646f2c407c164d0028f4f5a9adbb79bda1234fce67a16c.exe	31
PID 2120 wrote to memory of 2952	2120	19684c0ade8e1779e1646f2c407c164d0028f4f5a9adbb79bda1234fce67a16c.exe	31
PID 2120 wrote to memory of 2976	2120	19684c0ade8e1779e1646f2c407c164d0028f4f5a9adbb79bda1234fce67a16c.exe	32
PID 2120 wrote to memory of 2976	2120	19684c0ade8e1779e1646f2c407c164d0028f4f5a9adbb79bda1234fce67a16c.exe	32
PID 2120 wrote to memory of 2976	2120	19684c0ade8e1779e1646f2c407c164d0028f4f5a9adbb79bda1234fce67a16c.exe	32
PID 2120 wrote to memory of 2976	2120	19684c0ade8e1779e1646f2c407c164d0028f4f5a9adbb79bda1234fce67a16c.exe	32

C:\Users\Admin\AppData\Local\Temp\19684c0ade8e1779e1646f2c407c164d0028f4f5a9adbb79bda1234fce67a16c.exe
"C:\Users\Admin\AppData\Local\Temp\19684c0ade8e1779e1646f2c407c164d0028f4f5a9adbb79bda1234fce67a16c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1c9b2720af0ca9528b47898d9c7f4799

SHA1
80495f16e333f54ecc700252323c2a7cb7d751e1

SHA256
d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5

SHA512
5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
27769172e46a76801e1f61a525388023

SHA1
29da50dccae7abbc4a69ef9ddd29f973aa27059d

SHA256
0ba6e9e7b454284c8b6a6f70371489823a138d549d5f0428e36635bca19fb4a5

SHA512
ddab8e0b2fbed99784e28b37c71368589c96c0dec5d8063d84788b3a43c40ef0ae2c2babc021e63c1b312e6516ec8a3ea0e99d4802e5da057d94567743b4c313

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
68KB

MD5
fab70c929a9cce6d15621c40aa988425

SHA1
907b63c7cabf32da6c9ad030da78a0c6950ad015

SHA256
fceba23df084b6419fd6c224317a903e117dc036b4781f921f818d522218b409

SHA512
326ff92384948c4293f26f43b07a27669eb4b8bc0dc234fefed2631ea3e11b7a12a0ae648c13bb44cac9cc528a6745817daa1982d85ad2deb7c35fab133494c7

Download Submit
memory/2120-0-0x0000000000A80000-0x0000000000AA7000-memory.dmp

Filesize
156KB

Download
memory/2120-8-0x00000000009D0000-0x00000000009F7000-memory.dmp

Filesize
156KB

Download
memory/2120-19-0x0000000000A80000-0x0000000000AA7000-memory.dmp

Filesize
156KB

Download
memory/2952-10-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/2952-22-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/2952-24-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/2952-31-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing