urelas | 59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7

General

Target

59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe
Size

76KB
MD5

f2bc391f02e9589972e233b10db8e9a0
SHA1

d4c7c8909e6e107d6b81a5fa006e90962843e511
SHA256

59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7
SHA512

02e062a9172a1fd4a5755a5c5183b7c6f59e8761977ae1652f4a27bb0a5f46750f41b3384acb6e843da792f18ea05da0f393e18e6808d9d7d3e48fc31a9ba2d4
SSDEEP

1536:+Uk8RgDXz7Kx8zzgmTlvtKrNCpbXmsz4tHITZ:Tk8yn7KdmTINQXzz46

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2412	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1960	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2416	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1960	2416	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe	30
PID 2416 wrote to memory of 1960	2416	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe	30
PID 2416 wrote to memory of 1960	2416	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe	30
PID 2416 wrote to memory of 1960	2416	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe	30
PID 2416 wrote to memory of 2412	2416	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe	31
PID 2416 wrote to memory of 2412	2416	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe	31
PID 2416 wrote to memory of 2412	2416	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe	31
PID 2416 wrote to memory of 2412	2416	59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe	31

C:\Users\Admin\AppData\Local\Temp\59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe
"C:\Users\Admin\AppData\Local\Temp\59728919700593b0d3448a4efaf3356da0d57e085ab9bdc0142bfaf707ec80d7N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
76eaed1cdcaa3e93de67dd5f94abb63e

SHA1
c0e0ff36484832ed8fd69b50fc2d2691811f218b

SHA256
fe485dd700b9b8c95e9de719dc1eb9ecf25b8f554fc23a3baa679ff12aa173b5

SHA512
bcf04a4f6e80db17fbb6d9be2b9c5722cd2118a6dbf4b2fc8a438efd8df1085fbc2a08047d1aaa909095f48294c2bb454ac66d76110deb6b6ec153b8a1a5511b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
8c717a8587c9d6249019cf0301a65ac4

SHA1
072d63c3648a323b62c0ea2ca813ecb51a155f5e

SHA256
d6b158c378cfb3dd82c78bd156b5e3335f1b72bf2f2a38d8f39a519bfcb56deb

SHA512
68fe471e304353e34a5b84807d89ad55b4711cd1590f322e6def7f40da25f8abb4c4f2770a84b5fd369494d9078733e2d5a3db3ef4347899a7603e8c371c7861

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
76KB

MD5
e238e3f1b3dff40e9e20e0470bd676b7

SHA1
49ef7c412c54109268270a61a96d3bcd20486c70

SHA256
20779d0f29d6561b85309301e9d1365a438dd7fd43dbc6091fc711300a87bb8e

SHA512
8e05d7d3984d054812ed8660089bacfb0975e292e3768e942d33f245b9948a873a56fa35917497c6ae63686347c14cf2ba6d1a088677d38a2b41e6a2f8a15e7b

Download Submit
memory/1960-10-0x0000000000050000-0x000000000007F000-memory.dmp

Filesize
188KB

Download
memory/1960-22-0x0000000000050000-0x000000000007F000-memory.dmp

Filesize
188KB

Download
memory/1960-24-0x0000000000050000-0x000000000007F000-memory.dmp

Filesize
188KB

Download
memory/1960-31-0x0000000000050000-0x000000000007F000-memory.dmp

Filesize
188KB

Download
memory/2416-0-0x00000000008F0000-0x000000000091F000-memory.dmp

Filesize
188KB

Download
memory/2416-9-0x00000000008A0000-0x00000000008CF000-memory.dmp

Filesize
188KB

Download
memory/2416-19-0x00000000008F0000-0x000000000091F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing