urelas | c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83

General

Target

c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe
Size

438KB
MD5

a435c20480499e11de72ea7a4096ce20
SHA1

0c903fcac0c9536f185d4eafa4d7a7d1a067dc87
SHA256

c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83
SHA512

a4d7213cf27f7e5aef254382a3a8d16afc7849346a3be8d7b73fb2ef1dc0ec05fb75175ce716ba31843dd69d369519076b9915f2d94f6c36e9a68d5d56ff519e
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMMG:rKf1PyKa2H3hOHOHz9JQ6zB8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	folor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe

Executes dropped EXE 2 IoCs

pid	Process
1408	folor.exe
4916	tokum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	folor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tokum.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe
4916	tokum.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 1408	628	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe	83
PID 628 wrote to memory of 1408	628	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe	83
PID 628 wrote to memory of 1408	628	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe	83
PID 628 wrote to memory of 1028	628	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe	84
PID 628 wrote to memory of 1028	628	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe	84
PID 628 wrote to memory of 1028	628	c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe	84
PID 1408 wrote to memory of 4916	1408	folor.exe	105
PID 1408 wrote to memory of 4916	1408	folor.exe	105
PID 1408 wrote to memory of 4916	1408	folor.exe	105

C:\Users\Admin\AppData\Local\Temp\c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe
"C:\Users\Admin\AppData\Local\Temp\c89875b9f39b23e39fe4fb2f1a0ca19e1ebee51ed753544c00b52ae927952a83N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\folor.exe
  "C:\Users\Admin\AppData\Local\Temp\folor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Users\Admin\AppData\Local\Temp\tokum.exe
    "C:\Users\Admin\AppData\Local\Temp\tokum.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b3525d875901ea299860b9136fabb162

SHA1
f49427a03d79a323489ee2bd4ef30db020e323d4

SHA256
1f3cde0d55bfacefce9d2a030892904fcdd5213c6d0f45759d62bed330fcef66

SHA512
d636b39de769d5ff8ea06567482dad7c35647c5fe944fe248adbc3b5355730f29c51787b95b71f398a77ee06b1f1c2c1ed82b89493cdfdd014feb40f58c8f3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\folor.exe

Filesize
438KB

MD5
c7593906da8aead5ce16a6937e5b3db7

SHA1
dec38fe3b69ebf26c9f427089dd06b25518348cc

SHA256
54ab238a593301be569c7cf52801395248daf371b23d18874b719dcabd43ac93

SHA512
b303354babbf7f515ea93c5965643c0456a90494ec45959c995d040363cefd99564e7ac2c8f64f9a6fe2080f3baff9ae1169ac326498a690f1e8c2af383e0f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a1ce60b59b37e80a8fa4df0f673b72cd

SHA1
6df29c743d725e3ed23a031ed46f6342178d2b91

SHA256
2fe190d62ea486fd32e7647f65749d09f3bc9f1445864ca9e3274de3065dfc87

SHA512
0c73dc042c5a6dbd1985f1b4209f4452277998ee2ce479dd2acb8d34f45b7603ba2ed107c18ec795a9113763e8c714ddddec6761777a193ed62d0ea291e3ced3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tokum.exe

Filesize
230KB

MD5
63e326010a39475e0e871d0521caa380

SHA1
258907502608b71d9a10d8c20ecde77449b9bc85

SHA256
4c4fb30b5ab1a947d4ef4b305c1b3910e7b2ec160a6312642ce11a709fa49a41

SHA512
71753c3a2f8589f764f1e9cc3a35b396a50849f55787d87ee4deae505b1d9604f8e22c04dfa9a966c3cbb426118271caeffdbdb30425f51e2b7d0eb84902f425

Download Submit
memory/628-0-0x0000000000E00000-0x0000000000E6E000-memory.dmp

Filesize
440KB

Download
memory/628-14-0x0000000000E00000-0x0000000000E6E000-memory.dmp

Filesize
440KB

Download
memory/1408-17-0x00000000006A0000-0x000000000070E000-memory.dmp

Filesize
440KB

Download
memory/1408-10-0x00000000006A0000-0x000000000070E000-memory.dmp

Filesize
440KB

Download
memory/1408-27-0x00000000006A0000-0x000000000070E000-memory.dmp

Filesize
440KB

Download
memory/4916-25-0x0000000000870000-0x000000000090E000-memory.dmp

Filesize
632KB

Download
memory/4916-28-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/4916-31-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/4916-30-0x0000000000870000-0x000000000090E000-memory.dmp

Filesize
632KB

Download
memory/4916-32-0x0000000000870000-0x000000000090E000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing