urelas | 3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2

General

Target

3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe
Size

336KB
MD5

a1246170ccb42139318a969ff4076a48
SHA1

3d745e381c7bcec28799299b36c0350468e67916
SHA256

3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2
SHA512

8fdc34d068efc06cab9653b9d7df49ad60d2980acc1731b4b9ddefb1f84da9971657c7d3bc5509d9dbf6ee3b0185c838115c11247caa4cbedb68efa75ed461ee
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKofw:vHW138/iXWlK885rKlGSekcj66ciN

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	uvbet.exe

Executes dropped EXE 2 IoCs

pid	Process
3572	uvbet.exe
4380	waywr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvbet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waywr.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe
4380	waywr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 3572	4536	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe	83
PID 4536 wrote to memory of 3572	4536	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe	83
PID 4536 wrote to memory of 3572	4536	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe	83
PID 4536 wrote to memory of 4056	4536	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe	84
PID 4536 wrote to memory of 4056	4536	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe	84
PID 4536 wrote to memory of 4056	4536	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe	84
PID 3572 wrote to memory of 4380	3572	uvbet.exe	103
PID 3572 wrote to memory of 4380	3572	uvbet.exe	103
PID 3572 wrote to memory of 4380	3572	uvbet.exe	103

C:\Users\Admin\AppData\Local\Temp\3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe
"C:\Users\Admin\AppData\Local\Temp\3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\AppData\Local\Temp\uvbet.exe
  "C:\Users\Admin\AppData\Local\Temp\uvbet.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Users\Admin\AppData\Local\Temp\waywr.exe
    "C:\Users\Admin\AppData\Local\Temp\waywr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c6ffa1886e4fb80512dc295bd920ecbc

SHA1
934851d66d387eb58a4f03b5e4d37d5863a4b4f5

SHA256
a1b5496d280a7d1de2c1eeccd0050e77ebaca75afc0977f3ccee9d743e36a8fc

SHA512
720a8d3997d192d0809852dfb7f99e17945cf58384d50b668a666dc094f5a7d6829ba9d90571198b4b5e9025f82c8bac7a6bca604cfa8c2c5a7aed2395b14a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
907ece42ea1caee818bc3cc768bb4745

SHA1
ce1ddf915407b4270c239111e79eaf116537ba36

SHA256
03dec522ca3e11b902b4c86f1ec7946a1cf73a57eb648179e963811d2fce574b

SHA512
df34cd31c36e9ece994c715cafa57a69a5823bdc03df3e0e96739b31254783ee1fa43e39d61acd878ca9fd9d3d04de4595c42be2466fb926e5e593aeb2249809

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvbet.exe

Filesize
336KB

MD5
36d476b9676203bbb0408fc2862e47c1

SHA1
3873b814515986baef6b0a25f30cad15af60cbb8

SHA256
e78c9c559594d72a411e3bd72376ff1ece902a6042aa69057de55690130e88fd

SHA512
cd2afd17bee4fb949354f3a4d1a44953dd84d2f4255fa98f9dfe5a32834319c8888d1752709501f0678d967d056d6450d6f0c9e69b0ce35548052625460f93f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\waywr.exe

Filesize
172KB

MD5
a90eb9ef71fd5fe7c0fd5a0b64d4e008

SHA1
4ce4bacba3d967723211ba54b8d5df7101fecaba

SHA256
eab651083f1467c0478f55c10ec96479a0cee897798c5412eef0a0889052a999

SHA512
4aa8be4a664a2180f7a9d77dc5f2c69e3edbf6ace4b4da25f639c82d80513ee4f72ddfdf02245918cd82244ae25f67ea851d4822c4e78df45ba3a7ecd13696ad

Download Submit
memory/3572-19-0x0000000000220000-0x00000000002A1000-memory.dmp

Filesize
516KB

Download
memory/3572-13-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/3572-10-0x0000000000220000-0x00000000002A1000-memory.dmp

Filesize
516KB

Download
memory/3572-37-0x0000000000220000-0x00000000002A1000-memory.dmp

Filesize
516KB

Download
memory/4380-39-0x0000000000E20000-0x0000000000E22000-memory.dmp

Filesize
8KB

Download
memory/4380-38-0x0000000000060000-0x00000000000F9000-memory.dmp

Filesize
612KB

Download
memory/4380-40-0x0000000000060000-0x00000000000F9000-memory.dmp

Filesize
612KB

Download
memory/4380-45-0x0000000000E20000-0x0000000000E22000-memory.dmp

Filesize
8KB

Download
memory/4380-44-0x0000000000060000-0x00000000000F9000-memory.dmp

Filesize
612KB

Download
memory/4380-46-0x0000000000060000-0x00000000000F9000-memory.dmp

Filesize
612KB

Download
memory/4536-16-0x0000000000F20000-0x0000000000FA1000-memory.dmp

Filesize
516KB

Download
memory/4536-0-0x0000000000F20000-0x0000000000FA1000-memory.dmp

Filesize
516KB

Download
memory/4536-1-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing