urelas | 2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953

General

Target

2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe
Size

336KB
MD5

ff1817b08ea77c8c294fbf1049f790dc
SHA1

f21658cb7f42b850e1fc3e93e439748906c79d43
SHA256

2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953
SHA512

adad32955a742b788b893237531065dc1ed9b7d74d2e0579f69c6d06910e630d5b161b3728db2d6cdd8d5ec306ca5a713f1d0c1104f5699062b4f5e6529271ef
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcV8:vHW138/iXWlK885rKlGSekcj66cit

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	gobei.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe

Executes dropped EXE 2 IoCs

pid	Process
4764	gobei.exe
2160	rudie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gobei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rudie.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe
2160	rudie.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 4764	1168	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe	82
PID 1168 wrote to memory of 4764	1168	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe	82
PID 1168 wrote to memory of 4764	1168	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe	82
PID 1168 wrote to memory of 2784	1168	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe	83
PID 1168 wrote to memory of 2784	1168	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe	83
PID 1168 wrote to memory of 2784	1168	2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe	83
PID 4764 wrote to memory of 2160	4764	gobei.exe	94
PID 4764 wrote to memory of 2160	4764	gobei.exe	94
PID 4764 wrote to memory of 2160	4764	gobei.exe	94

C:\Users\Admin\AppData\Local\Temp\2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe
"C:\Users\Admin\AppData\Local\Temp\2151a976443effe5246902c82992355931f4705e5ba32f22e154713484a38953.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\gobei.exe
  "C:\Users\Admin\AppData\Local\Temp\gobei.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\rudie.exe
    "C:\Users\Admin\AppData\Local\Temp\rudie.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
d9b0232951891b7faff98f26ba025c57

SHA1
10aa402f65ddac3a5009f7c6c55184fd1d3a0a5e

SHA256
592d5682515939e91049f2256fbc892e93543a64c19207ebbb6cf2f774c69cd5

SHA512
06696c7cc6480da54672b6d9a97d432f73a1dce7a062ba54a5c3f54ced7c743447ee8aeaaa825b97cdba771bc3216f469afd50bcaef1415f2543860fa48efea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gobei.exe

Filesize
336KB

MD5
df2324d2d8e440e01d54217bf24a4a0f

SHA1
fc2cbd6de7d9d8cdc3608ea43524c6111b304d5e

SHA256
df2b0dd7ba0b593267603e89ec493beaeaae72591e098b49dc6f04a446af7646

SHA512
2e8784b063bed208dde73e940de8d915721317f09a375d1c74839b3283cb378838aba3093ee4986ea85323fcfd781ed862402235801dc798b0e0863821108d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e5b9afaad820b2520adf555c610d36f6

SHA1
f62653253b340c69023ebc6a2a814179f396ade7

SHA256
e8fe0d5b6f29ba9afc347a3bc45337362f430534d5a501322d39c5a65d085270

SHA512
171a67d1369d54f585845b8e8f7dd1d5b6f118b6d99ea172df755ac6eda4f71c66762f023884824875dbf4c7ce2f518f36b645fa1b046fe4cabe5b058c0d0646

Download Submit
C:\Users\Admin\AppData\Local\Temp\rudie.exe

Filesize
172KB

MD5
198c8a3ee8a311a334113eaa3cd8afc3

SHA1
b6cd9d8274a3b6722498c03e7038372e01c56019

SHA256
1e2825ad35937ec67de931f237c8f19f11a02eca116535207a90b30a178e16af

SHA512
60ed062d2c6789fe732b5ab77f1d6dbb3f5db6ac10ebe6869e714c3b76be53bd4c19ed4dc725f0e3163dcd5d89f90f2df3060e0a4c7826783ec9ef7f6e9e0dff

Download Submit
memory/1168-1-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1168-0-0x00000000006A0000-0x0000000000721000-memory.dmp

Filesize
516KB

Download
memory/1168-17-0x00000000006A0000-0x0000000000721000-memory.dmp

Filesize
516KB

Download
memory/2160-48-0x0000000000FD0000-0x0000000001069000-memory.dmp

Filesize
612KB

Download
memory/2160-46-0x0000000000FD0000-0x0000000001069000-memory.dmp

Filesize
612KB

Download
memory/2160-47-0x0000000000BD0000-0x0000000000BD2000-memory.dmp

Filesize
8KB

Download
memory/2160-39-0x0000000000BD0000-0x0000000000BD2000-memory.dmp

Filesize
8KB

Download
memory/2160-40-0x0000000000FD0000-0x0000000001069000-memory.dmp

Filesize
612KB

Download
memory/2160-38-0x0000000000FD0000-0x0000000001069000-memory.dmp

Filesize
612KB

Download
memory/4764-13-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4764-44-0x0000000000CF0000-0x0000000000D71000-memory.dmp

Filesize
516KB

Download
memory/4764-21-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4764-20-0x0000000000CF0000-0x0000000000D71000-memory.dmp

Filesize
516KB

Download
memory/4764-11-0x0000000000CF0000-0x0000000000D71000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing