urelas | 5a662aa053778f05eb91432197fc0331dc0a887bfa4a8bb2d2534cad217d4f8d

General

Target

5a662aa053778f05eb91432197fc0331dc0a887bfa4a8bb2d2534cad217d4f8d.exe
Size

94KB
MD5

a902aed6f605f8095c90b0a944ea6ee5
SHA1

d83d3b1b6169ab42b3676ab0bd3ece3608a8b9a3
SHA256

5a662aa053778f05eb91432197fc0331dc0a887bfa4a8bb2d2534cad217d4f8d
SHA512

2067dfd375897841f2202dca2e1b43df9109aca0c7429830479e0f3e91dee96dd232ce286fc97ccbd9f9953c148ed5fec7992287a81ad2ef99c3a7afde992aa0
SSDEEP

768:tp0ti4HnnhtwYbJy6rioyelmd1TzulQEDDPOwc5n5uNCT/jhhLBxQIwqepJZU9mG:tWzhtJbUgHoADDIx1hLfuJrG

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2724	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2868	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2316	5a662aa053778f05eb91432197fc0331dc0a887bfa4a8bb2d2534cad217d4f8d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a662aa053778f05eb91432197fc0331dc0a887bfa4a8bb2d2534cad217d4f8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2868	2316	5a662aa053778f05eb91432197fc0331dc0a887bfa4a8bb2d2534cad217d4f8d.exe	30
PID 2316 wrote to memory of 2868	2316	5a662aa053778f05eb91432197fc0331dc0a887bfa4a8bb2d2534cad217d4f8d.exe	30
PID 2316 wrote to memory of 2868	2316	5a662aa053778f05eb91432197fc0331dc0a887bfa4a8bb2d2534cad217d4f8d.exe	30
PID 2316 wrote to memory of 2868	2316	5a662aa053778f05eb91432197fc0331dc0a887bfa4a8bb2d2534cad217d4f8d.exe	30
PID 2316 wrote to memory of 2724	2316	5a662aa053778f05eb91432197fc0331dc0a887bfa4a8bb2d2534cad217d4f8d.exe	31
PID 2316 wrote to memory of 2724	2316	5a662aa053778f05eb91432197fc0331dc0a887bfa4a8bb2d2534cad217d4f8d.exe	31
PID 2316 wrote to memory of 2724	2316	5a662aa053778f05eb91432197fc0331dc0a887bfa4a8bb2d2534cad217d4f8d.exe	31
PID 2316 wrote to memory of 2724	2316	5a662aa053778f05eb91432197fc0331dc0a887bfa4a8bb2d2534cad217d4f8d.exe	31

C:\Users\Admin\AppData\Local\Temp\5a662aa053778f05eb91432197fc0331dc0a887bfa4a8bb2d2534cad217d4f8d.exe
"C:\Users\Admin\AppData\Local\Temp\5a662aa053778f05eb91432197fc0331dc0a887bfa4a8bb2d2534cad217d4f8d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
16c2bcf1dae729c5cb36a1875efe354c

SHA1
775fbf4b6a2e5bc033b86cfc0893250b5d387a45

SHA256
796a881d71234f7fcd9f5220c6e5674e231610bbf37626d9e5b79dc3268b7bb4

SHA512
d8bd6cb6cb6ccd3c2cc40edde9cd3e8c09d1ae55c21ac1896325c324c08507e68c16d3864923806d29db79c57b958dac68e43bdcf809c0a2c8b5b0a7b8557177

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
5aa628668e5a2e652621f00e8902af26

SHA1
d411fb03651919743f1f3b1afc264b5ddad02dd3

SHA256
e0edd14add836ad29528d0165a95fb2aee78147eacc46d7fd41611e9d8e04a45

SHA512
7986227cdef2a9537220aa10605a9b136ecd8db98ede30cd6f90825ad2622ac38e19a5eaacac3230438a3ffe521decf99a63936c4ad8b1704d664bf6d652c668

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
94KB

MD5
800764ac08afad03e98ef783ed5e1edb

SHA1
f23a867f47bab0e94857ed318a7e5c1face2567a

SHA256
8429a435f1061b65eb8050f8cc840e528bdf34c41f2cadb9e342370ac03cc8d7

SHA512
920fdf7b4573282103612dad2bed6c90d9ed2bd035393a9c99ced04c9c431fdf5b1e753c820bc0d241e95d25b2060c763996c2e764fc9a24ed7cd5c1e3ebe5a7

Download Submit
memory/2316-0-0x0000000001260000-0x0000000001290000-memory.dmp

Filesize
192KB

Download
memory/2316-18-0x0000000001260000-0x0000000001290000-memory.dmp

Filesize
192KB

Download
memory/2316-8-0x0000000000ED0000-0x0000000000F00000-memory.dmp

Filesize
192KB

Download
memory/2868-19-0x0000000000A30000-0x0000000000A60000-memory.dmp

Filesize
192KB

Download
memory/2868-22-0x0000000000A30000-0x0000000000A60000-memory.dmp

Filesize
192KB

Download
memory/2868-24-0x0000000000A30000-0x0000000000A60000-memory.dmp

Filesize
192KB

Download
memory/2868-31-0x0000000000A30000-0x0000000000A60000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing