urelas | 6818d46f3f792d723180c9904c4b8ba602beaae6c99884ed78362a4718552a83

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6818d46f3f792d723180c9904c4b8ba602beaae6c99884ed78362a4718552a83.exe
Size

411KB
MD5

90f7645067bab47bfb263db2a1ad0591
SHA1

82f633efbe797f07647e0fd81e8dd73df9f2dd65
SHA256

6818d46f3f792d723180c9904c4b8ba602beaae6c99884ed78362a4718552a83
SHA512

1a16c4f4191d3a736e571302a1e003eef19bc82b2b325942c1fd887ffb77d5775a2d72b577403a4018664f38e55ef10bcf365d186ee0f520d9a2508aeccae757
SSDEEP

6144:bS5XDCmayv02xs7PCt43A7qFqYeAbU9CIxxqbFG9hTRzBSAyiwi/BEku0R72Wqgi:sZmC63nFNerrbqg/N0Di/U0lqgZLo1

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	6818d46f3f792d723180c9904c4b8ba602beaae6c99884ed78362a4718552a83.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	gurox.exe

Executes dropped EXE 2 IoCs

pid	Process
2688	gurox.exe
2880	vifar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vifar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6818d46f3f792d723180c9904c4b8ba602beaae6c99884ed78362a4718552a83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gurox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe
2880	vifar.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2688	3192	6818d46f3f792d723180c9904c4b8ba602beaae6c99884ed78362a4718552a83.exe	84
PID 3192 wrote to memory of 2688	3192	6818d46f3f792d723180c9904c4b8ba602beaae6c99884ed78362a4718552a83.exe	84
PID 3192 wrote to memory of 2688	3192	6818d46f3f792d723180c9904c4b8ba602beaae6c99884ed78362a4718552a83.exe	84
PID 3192 wrote to memory of 4088	3192	6818d46f3f792d723180c9904c4b8ba602beaae6c99884ed78362a4718552a83.exe	85
PID 3192 wrote to memory of 4088	3192	6818d46f3f792d723180c9904c4b8ba602beaae6c99884ed78362a4718552a83.exe	85
PID 3192 wrote to memory of 4088	3192	6818d46f3f792d723180c9904c4b8ba602beaae6c99884ed78362a4718552a83.exe	85
PID 2688 wrote to memory of 2880	2688	gurox.exe	104
PID 2688 wrote to memory of 2880	2688	gurox.exe	104
PID 2688 wrote to memory of 2880	2688	gurox.exe	104

C:\Users\Admin\AppData\Local\Temp\6818d46f3f792d723180c9904c4b8ba602beaae6c99884ed78362a4718552a83.exe
"C:\Users\Admin\AppData\Local\Temp\6818d46f3f792d723180c9904c4b8ba602beaae6c99884ed78362a4718552a83.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\gurox.exe
  "C:\Users\Admin\AppData\Local\Temp\gurox.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\vifar.exe
    "C:\Users\Admin\AppData\Local\Temp\vifar.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b47564c7113cb44cd031c90ed627550c

SHA1
b6d219429dd55d550b2abed8f8119e4462464598

SHA256
6e37bc8aa0b60dac395a42880c5d8696af3608b8d29359d9f54af1e042a152b9

SHA512
a6c1097e62fb6a449b377909f5c3913e5d7ebc05294546f3e2688eee1d265cd28f5f46a6febad25bff7dadd2706a0b4b02b1d9c65fa05059a5c70d4d7bf6b852

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
393e2f3bf7b02509d914fb465ec766b3

SHA1
c55e363f9740e8a2c7e4862dd3343dadfc1fabed

SHA256
2f9f1e7a1f75c767600e42836572f085d96ab162a3956dd0467032b874f1eee3

SHA512
5a182ba06dd57b73bbb4a9d9840e5ba58cb4aed68680fcf6168f7b246790deca84f8460c1bd123cf4595df7ae382e6ac583b66bcf884e1f3b9e80d5eaa01c0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gurox.exe

Filesize
411KB

MD5
7eb3e6a36002d294cd9d1c3029dce045

SHA1
b49486b8c791a24cd7a6f445b40f5bb420dd30e3

SHA256
9fc599e4c4ff22f91b2711d4c42dafc9c8e23c81a5bceaba02bceae8a584587b

SHA512
61c29daa74d831a12eecb452859b976df101dbd8df0755da1873fd18c51f1af3ebb504fd2b3a62fd510d4144432941bcd15a273690f8858ba13780edc69b508d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vifar.exe

Filesize
208KB

MD5
df6dfefd147d877dc0fdeb9b76b73e90

SHA1
e16e6b285904a72239822575d65b3cdfa3a68d37

SHA256
f338dc888c5b02c9a82275db3d0fc208853c9b9dcd823dda99c91e084ea1f412

SHA512
e106c6e38a4dd3964e2b546b0ed20db1a743172f137b7e0675663fa90af585a95cf317fcb2fce1e3194e52b2eb71c7ad23b4463e5b19b22a841ed7ce034fde1a

Download Submit
memory/2688-20-0x0000000000560000-0x00000000005CC000-memory.dmp

Filesize
432KB

Download
memory/2688-40-0x0000000000560000-0x00000000005CC000-memory.dmp

Filesize
432KB

Download
memory/2688-15-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2688-10-0x0000000000560000-0x00000000005CC000-memory.dmp

Filesize
432KB

Download
memory/2880-42-0x0000000000CF0000-0x0000000000D8E000-memory.dmp

Filesize
632KB

Download
memory/2880-38-0x00000000013B0000-0x00000000013B1000-memory.dmp

Filesize
4KB

Download
memory/2880-37-0x0000000000CF0000-0x0000000000D8E000-memory.dmp

Filesize
632KB

Download
memory/2880-43-0x00000000013B0000-0x00000000013B1000-memory.dmp

Filesize
4KB

Download
memory/2880-44-0x0000000000CF0000-0x0000000000D8E000-memory.dmp

Filesize
632KB

Download
memory/2880-45-0x0000000000CF0000-0x0000000000D8E000-memory.dmp

Filesize
632KB

Download
memory/2880-46-0x0000000000CF0000-0x0000000000D8E000-memory.dmp

Filesize
632KB

Download
memory/2880-47-0x0000000000CF0000-0x0000000000D8E000-memory.dmp

Filesize
632KB

Download
memory/3192-1-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/3192-0-0x00000000002F0000-0x000000000035C000-memory.dmp

Filesize
432KB

Download
memory/3192-17-0x00000000002F0000-0x000000000035C000-memory.dmp

Filesize
432KB

Download