urelas | 215ba9a530cc9f6fa8a9768a33d9723d02919758f0c7ed3544b66e7c30fd4b2c

General

Target

215ba9a530cc9f6fa8a9768a33d9723d02919758f0c7ed3544b66e7c30fd4b2c.exe
Size

52KB
MD5

3e66c50da433b2b3295167a4835bb2ee
SHA1

34f2350cb23ad1ee8e51f59c739b56d02a75e3c0
SHA256

215ba9a530cc9f6fa8a9768a33d9723d02919758f0c7ed3544b66e7c30fd4b2c
SHA512

db5763acf8f0dbd0d6d4f79c70b11ff148ec38b4f74f27755bf2c489ad0cc76abef81336a8d8d4a0208670a55e1b7dbadce255cbce1d6986e78c0d4007d4ab42
SSDEEP

1536:h+Ds6ClDXuqweo/0khAUnJDgabGsVy6umfFlPhPCT:KsdXfBo/DBJBGzkP5PCT

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2756	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	shoste.exe

Loads dropped DLL 1 IoCs

pid	Process
2856	215ba9a530cc9f6fa8a9768a33d9723d02919758f0c7ed3544b66e7c30fd4b2c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	215ba9a530cc9f6fa8a9768a33d9723d02919758f0c7ed3544b66e7c30fd4b2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shoste.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2800	2856	215ba9a530cc9f6fa8a9768a33d9723d02919758f0c7ed3544b66e7c30fd4b2c.exe	30
PID 2856 wrote to memory of 2800	2856	215ba9a530cc9f6fa8a9768a33d9723d02919758f0c7ed3544b66e7c30fd4b2c.exe	30
PID 2856 wrote to memory of 2800	2856	215ba9a530cc9f6fa8a9768a33d9723d02919758f0c7ed3544b66e7c30fd4b2c.exe	30
PID 2856 wrote to memory of 2800	2856	215ba9a530cc9f6fa8a9768a33d9723d02919758f0c7ed3544b66e7c30fd4b2c.exe	30
PID 2856 wrote to memory of 2756	2856	215ba9a530cc9f6fa8a9768a33d9723d02919758f0c7ed3544b66e7c30fd4b2c.exe	31
PID 2856 wrote to memory of 2756	2856	215ba9a530cc9f6fa8a9768a33d9723d02919758f0c7ed3544b66e7c30fd4b2c.exe	31
PID 2856 wrote to memory of 2756	2856	215ba9a530cc9f6fa8a9768a33d9723d02919758f0c7ed3544b66e7c30fd4b2c.exe	31
PID 2856 wrote to memory of 2756	2856	215ba9a530cc9f6fa8a9768a33d9723d02919758f0c7ed3544b66e7c30fd4b2c.exe	31

C:\Users\Admin\AppData\Local\Temp\215ba9a530cc9f6fa8a9768a33d9723d02919758f0c7ed3544b66e7c30fd4b2c.exe
"C:\Users\Admin\AppData\Local\Temp\215ba9a530cc9f6fa8a9768a33d9723d02919758f0c7ed3544b66e7c30fd4b2c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\shoste.exe
  "C:\Users\Admin\AppData\Local\Temp\shoste.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f51c1462254f3bb8aa00201af0b0a030

SHA1
60d3c892bb5c4f654c318451012f936d81164418

SHA256
695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5

SHA512
41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
0b4b6ad55aaebcc92ab370d97919faa5

SHA1
40acc78c6adcff563837b6187f9e9ec5b51bbe8b

SHA256
dd896ef120a404bd1bbf55f61f4b2bc3d0d1ba38bd432532560d6f8349138aa9

SHA512
39865f6b2126f68cb71a9d8d8c75768031274f945b1708e6b56b76bb97fa69d257589a6e6d2af31f9e4e74b7878239f3cd158ce63d2883033e6af4ed5bf0b736

Download Submit
\Users\Admin\AppData\Local\Temp\shoste.exe

Filesize
52KB

MD5
9b35581de6a7fd4695e944b44dbff8d3

SHA1
655218b0a1fd2d6f24cb4cbd91e4f108b23d43fd

SHA256
82f1ec56c8b834b6fd82478bc84706a0b9f63dc6a2f7255166bf62bcf3e86172

SHA512
8b7e64748b23bb7efefa98e3762dc53302e9444df7f31e1a5dcb436f6af09ae8a60fb3d3c15e953e9683d4379108d98fd098e504658176d17ba24fbe6fb45260

Download Submit
memory/2800-17-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2800-22-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2800-28-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2856-0-0x0000000000140000-0x0000000000175000-memory.dmp

Filesize
212KB

Download
memory/2856-6-0x0000000001F60000-0x0000000001F95000-memory.dmp

Filesize
212KB

Download
memory/2856-19-0x0000000000140000-0x0000000000175000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing