urelas | 046f13c3e6ff4b7bbbcae88e5019d32dfef6475b968b45d5341974d213f4335f

General

Target

046f13c3e6ff4b7bbbcae88e5019d32dfef6475b968b45d5341974d213f4335fN.exe
Size

57KB
MD5

285308562ad6dc36c6467f77c0893400
SHA1

0fbc48370821de4d4d752cf198c1f9c59e8ec021
SHA256

046f13c3e6ff4b7bbbcae88e5019d32dfef6475b968b45d5341974d213f4335f
SHA512

ef1b5d3032467decf7d26059ae1948aa91d83d2faa3488bf4b63572cf408492815a30ab7f7a4693d37da6228eae3dd45c85359a0d876c76a0cb16f2ff41be1d7
SSDEEP

1536:amZ+4hcuX5uZ79jmvFQTXnz9yQ/PFBhl17:amZ+luXwy2f9LDhD7

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2364	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3068	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
3060	046f13c3e6ff4b7bbbcae88e5019d32dfef6475b968b45d5341974d213f4335fN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	046f13c3e6ff4b7bbbcae88e5019d32dfef6475b968b45d5341974d213f4335fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 3068	3060	046f13c3e6ff4b7bbbcae88e5019d32dfef6475b968b45d5341974d213f4335fN.exe	30
PID 3060 wrote to memory of 3068	3060	046f13c3e6ff4b7bbbcae88e5019d32dfef6475b968b45d5341974d213f4335fN.exe	30
PID 3060 wrote to memory of 3068	3060	046f13c3e6ff4b7bbbcae88e5019d32dfef6475b968b45d5341974d213f4335fN.exe	30
PID 3060 wrote to memory of 3068	3060	046f13c3e6ff4b7bbbcae88e5019d32dfef6475b968b45d5341974d213f4335fN.exe	30
PID 3060 wrote to memory of 2364	3060	046f13c3e6ff4b7bbbcae88e5019d32dfef6475b968b45d5341974d213f4335fN.exe	31
PID 3060 wrote to memory of 2364	3060	046f13c3e6ff4b7bbbcae88e5019d32dfef6475b968b45d5341974d213f4335fN.exe	31
PID 3060 wrote to memory of 2364	3060	046f13c3e6ff4b7bbbcae88e5019d32dfef6475b968b45d5341974d213f4335fN.exe	31
PID 3060 wrote to memory of 2364	3060	046f13c3e6ff4b7bbbcae88e5019d32dfef6475b968b45d5341974d213f4335fN.exe	31

C:\Users\Admin\AppData\Local\Temp\046f13c3e6ff4b7bbbcae88e5019d32dfef6475b968b45d5341974d213f4335fN.exe
"C:\Users\Admin\AppData\Local\Temp\046f13c3e6ff4b7bbbcae88e5019d32dfef6475b968b45d5341974d213f4335fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
26625b4ca7658f7ba4dc7d982782323c

SHA1
574aa314998c39e683675ccf457b0305341a4aaf

SHA256
c494e0ffeee72023dac244366c08072f677ba328ba805f9e480abc2824e99283

SHA512
5a9af4c6be10240dec0d33b37bc6f6836f1db5d0a2a9dd158d63848a8a97dad68e2d9217aca2b2d1cf122d9534aba0d23b247f6686c4ff934bd7035a927d9b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
c87a0a6397f41a76a39224c9a317f4f4

SHA1
d9ceeb4285d41c81acae626b8e12612130561ee6

SHA256
0d74d2b3325290a9cf23c84393c9805525a3e364da08dd01b8679db2512ee3f3

SHA512
d04794c13d41b03bf90786ed05f7ef88772a952b6a59336b02aa0785a0fc35b8025c24cc2c3c93d7f548f36b56829836a900e2d0962283379c32ac25745eaef6

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
57KB

MD5
6d7de70e946cdf82a6c4d990ed1479c3

SHA1
3c214071d93981b2e97963ba04defd9615f61ab2

SHA256
ac88c07837b1765fd39ef265e0b719555723c6e8eabfe231605ed004a9b1f644

SHA512
fcdbfd9b7f45ec69af8752d8d20792ea124a28f853096e7ef495b2752e30099ff1bf363887979f6b66e8dd7b8d90507193b87b7defa5843ce9de6767c0a597d7

Download Submit
memory/3060-0-0x0000000000AB0000-0x0000000000AE2000-memory.dmp

Filesize
200KB

Download
memory/3060-16-0x0000000000570000-0x00000000005A2000-memory.dmp

Filesize
200KB

Download
memory/3060-19-0x0000000000AB0000-0x0000000000AE2000-memory.dmp

Filesize
200KB

Download
memory/3068-17-0x0000000000FE0000-0x0000000001012000-memory.dmp

Filesize
200KB

Download
memory/3068-22-0x0000000000FE0000-0x0000000001012000-memory.dmp

Filesize
200KB

Download
memory/3068-25-0x0000000000FE0000-0x0000000001012000-memory.dmp

Filesize
200KB

Download
memory/3068-32-0x0000000000FE0000-0x0000000001012000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing