urelas | 3a07ae8d918baa159685c01ccbdccb2bea013853750077f65a5fe42899b88fb9

General

Target

3a07ae8d918baa159685c01ccbdccb2bea013853750077f65a5fe42899b88fb9.exe
Size

327KB
MD5

79a6264afe124aa105ffe7a9dcf6e7a2
SHA1

3d05e68e1ab46578a4788969879a6a1cb972ca9b
SHA256

3a07ae8d918baa159685c01ccbdccb2bea013853750077f65a5fe42899b88fb9
SHA512

0e89d063035bd765162c487d2214190e4fae4190301cdaf0e131e4e2d941e90327bf3693d412f2338b4a6703c73b84788d3a86e97eee3897e9782c0229baabed
SSDEEP

6144:DX+psoWJ+IvLI7BziS3qoJGd2Gegu8JKSFGbJ+7+3LdfoPZmxMcVp0K:ymoWkI094og2GXfJKnbkS3LdAPZkiK

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	3a07ae8d918baa159685c01ccbdccb2bea013853750077f65a5fe42899b88fb9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	afbin.exe

Executes dropped EXE 2 IoCs

pid	Process
3124	afbin.exe
3404	ymfaz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afbin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ymfaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a07ae8d918baa159685c01ccbdccb2bea013853750077f65a5fe42899b88fb9.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe
3404	ymfaz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 3124	4432	3a07ae8d918baa159685c01ccbdccb2bea013853750077f65a5fe42899b88fb9.exe	82
PID 4432 wrote to memory of 3124	4432	3a07ae8d918baa159685c01ccbdccb2bea013853750077f65a5fe42899b88fb9.exe	82
PID 4432 wrote to memory of 3124	4432	3a07ae8d918baa159685c01ccbdccb2bea013853750077f65a5fe42899b88fb9.exe	82
PID 4432 wrote to memory of 3524	4432	3a07ae8d918baa159685c01ccbdccb2bea013853750077f65a5fe42899b88fb9.exe	83
PID 4432 wrote to memory of 3524	4432	3a07ae8d918baa159685c01ccbdccb2bea013853750077f65a5fe42899b88fb9.exe	83
PID 4432 wrote to memory of 3524	4432	3a07ae8d918baa159685c01ccbdccb2bea013853750077f65a5fe42899b88fb9.exe	83
PID 3124 wrote to memory of 3404	3124	afbin.exe	94
PID 3124 wrote to memory of 3404	3124	afbin.exe	94
PID 3124 wrote to memory of 3404	3124	afbin.exe	94

C:\Users\Admin\AppData\Local\Temp\3a07ae8d918baa159685c01ccbdccb2bea013853750077f65a5fe42899b88fb9.exe
"C:\Users\Admin\AppData\Local\Temp\3a07ae8d918baa159685c01ccbdccb2bea013853750077f65a5fe42899b88fb9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\afbin.exe
  "C:\Users\Admin\AppData\Local\Temp\afbin.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Users\Admin\AppData\Local\Temp\ymfaz.exe
    "C:\Users\Admin\AppData\Local\Temp\ymfaz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
78f47388097637dc36a03eb0f91cf1e9

SHA1
7d848495dec21d8cccd61db29eb400f0af26dc54

SHA256
70ce25405e3c247fcd17bbb2182af5beed555dd5f7be268cf1e150faa9b1d5ff

SHA512
e558a1b1dd967f768b6d773275db87c994f6201762999f6abdee189dcf0b11bd8d86ab944ca33b44909c5308295962a1f42bff2a5f35af9520a97b4f4251af3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\afbin.exe

Filesize
327KB

MD5
01eaca2bba47df435e52718004f1eca6

SHA1
ef239cb968353859de3602913bb117245c45bb18

SHA256
64a6377c0df87cb201928d192b77c4c14f25be6f23faecf33f9c1b3f7772d0bc

SHA512
7d26b18cbd38bd301b0624bb69180176a500a754ffa4d72382f165bfd261edd6bcd75d814f89329334026e882015aebe43292acb71f295998ac718d99ee38384

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
014b178886b27c1d68a263d6e2f837e2

SHA1
e81ed75652f74e89d979ece7875b24615cc3f5d7

SHA256
aedda3f285a4045ed2ccd604a2aab3875feb151820cf592e3b0c3c1169e8301c

SHA512
cf24182e9c5a47aea64643a06d87cbfe9cffb04dc566d54796ce1f2a0d7fe1969799c17885727ef884c1354126a8a77d8c099085092e288b60c4ee3dfdbf37c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymfaz.exe

Filesize
176KB

MD5
72fda6ffdf90f9dd63830a368ca0be15

SHA1
ac3bb614a8625b26f0a1cf0a79b4451064884e1b

SHA256
ec0e9eacaab147fad845404edc1d5f86ce1087667c4d6aa3ade0cf4a3b96c87e

SHA512
7f081f25c69c7bbcb5886763aa930941660e961f0643bbc988f8685c1495d41d7916dbe49eb44d23b659d66c83ce2522783b493d8d1480be559114ff88d73bf2

Download Submit
memory/3124-13-0x0000000000CB0000-0x0000000000D7C000-memory.dmp

Filesize
816KB

Download
memory/3124-37-0x0000000000CB0000-0x0000000000D7C000-memory.dmp

Filesize
816KB

Download
memory/3124-18-0x0000000000CB0000-0x0000000000D7C000-memory.dmp

Filesize
816KB

Download
memory/3404-38-0x0000000000490000-0x0000000000492000-memory.dmp

Filesize
8KB

Download
memory/3404-35-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3404-41-0x0000000000490000-0x0000000000492000-memory.dmp

Filesize
8KB

Download
memory/3404-40-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3404-42-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4432-0-0x0000000000290000-0x000000000035C000-memory.dmp

Filesize
816KB

Download
memory/4432-15-0x0000000000290000-0x000000000035C000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing