urelas | 054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe
Size

506KB
MD5

abebef90eeaca5e12766b4b318c379a2
SHA1

614d5dbf8251213c64072690449fb18b91e2cf52
SHA256

054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522
SHA512

da2da22f747c00f0e6d6c2cb9f604576455ae7c6be72010b51d8400d2702a05eb08f1499f0231c6ea0d557b54557bd8178e948abd381a162219d0dc30c65d1f3
SSDEEP

12288:ndBNKTCqqwXCcdgT89+MvA+BisqYpxHtp:nLjQC+fs0j

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2920	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2536	sivyt.exe
2620	fofyl.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe
2536	sivyt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sivyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fofyl.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe
2620	fofyl.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2536	2760	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe	30
PID 2760 wrote to memory of 2536	2760	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe	30
PID 2760 wrote to memory of 2536	2760	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe	30
PID 2760 wrote to memory of 2536	2760	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe	30
PID 2760 wrote to memory of 2920	2760	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe	31
PID 2760 wrote to memory of 2920	2760	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe	31
PID 2760 wrote to memory of 2920	2760	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe	31
PID 2760 wrote to memory of 2920	2760	054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe	31
PID 2536 wrote to memory of 2620	2536	sivyt.exe	34
PID 2536 wrote to memory of 2620	2536	sivyt.exe	34
PID 2536 wrote to memory of 2620	2536	sivyt.exe	34
PID 2536 wrote to memory of 2620	2536	sivyt.exe	34

C:\Users\Admin\AppData\Local\Temp\054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe
"C:\Users\Admin\AppData\Local\Temp\054783035cbfa181bdaf3da8fb9cc69704662dedad83519fe111d102440cc522.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\sivyt.exe
  "C:\Users\Admin\AppData\Local\Temp\sivyt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\fofyl.exe
    "C:\Users\Admin\AppData\Local\Temp\fofyl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3ed292fae746cd695b4bc6f47cb20942

SHA1
b8cb83ddfa3678cafb559ca3acec62ec9edcb763

SHA256
d6afa59f628fbed274d3df486bf09db1b24332800f823336b2d505299878b607

SHA512
08122b34d6002c73e01a0ebe7030d1a7f90b11c1cfb3f9711e61413f32819a4ea6aed5debbae6643764c5f3fadae329261a912b954e88965d9ec1725a665387b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0f80e7d222fcf7632be85a808e6fa8ad

SHA1
4823ccd3f7d5f982636f7d6b40ca35addc58f7d3

SHA256
ba759ae2175131b463c61dadfda492943917c8296495e59de7f8bdbec0cdb32e

SHA512
adda08b9ff1fb7cf9c7078bd2fa570f5d30704c3dfeba6159f4a88022ce4a4f8dbb41b45b8145c7f02a8d48fcf16c8aee8c22a86e06189da604bed07dcf0e095

Download Submit
\Users\Admin\AppData\Local\Temp\fofyl.exe

Filesize
241KB

MD5
bbb8936411a1f92009e5b4f767686d53

SHA1
e57b1edfdb80e70e52aa9b41c4ad4c9467c87e0e

SHA256
47a7d5fda16322af9b38a653e9499bcffd2bd3dd6338ed6d43c229724ed012fb

SHA512
e07c092206533668047f760b709914093b923f3f7d3d0a7d4f9224c38472b4e8bd461090991c89017a5a16f5b0c6a20e94dcd51fcb3745a69e002f61053338ba

Download Submit
\Users\Admin\AppData\Local\Temp\sivyt.exe

Filesize
506KB

MD5
14864a770d2313b8a086ae6c312e50f8

SHA1
276db81a8413c2bed37444a5b2359a055cd6e59d

SHA256
aa44947d2d33b5215cca5b30ab0e4a20fd95e8d3f68fb2d141874cb1e2fa237e

SHA512
3c14229a8aeebab6b5fdf8a080d95e6eab868146155aa2f26aa47d6a1d293730e0af0df63b29a6e2aaf991d65a5f97ce4b0d5ac577cee6c96e97997a3fddd251

Download Submit
memory/2536-24-0x0000000003D20000-0x0000000003DD6000-memory.dmp

Filesize
728KB

Download
memory/2536-16-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2620-26-0x0000000000AC0000-0x0000000000B76000-memory.dmp

Filesize
728KB

Download
memory/2620-28-0x0000000000AC0000-0x0000000000B76000-memory.dmp

Filesize
728KB

Download
memory/2620-29-0x0000000000AC0000-0x0000000000B76000-memory.dmp

Filesize
728KB

Download
memory/2620-30-0x0000000000AC0000-0x0000000000B76000-memory.dmp

Filesize
728KB

Download
memory/2620-31-0x0000000000AC0000-0x0000000000B76000-memory.dmp

Filesize
728KB

Download
memory/2620-32-0x0000000000AC0000-0x0000000000B76000-memory.dmp

Filesize
728KB

Download
memory/2760-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download