urelas | a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0

General

Target

a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe
Size

337KB
MD5

12c4febe7842f1c68a3f0a9f765fde40
SHA1

1c39ae16432cf448d8658086fb841ac94e56689f
SHA256

a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0
SHA512

4391f4e95ddbde0a2787d4a7ffc6ed6c8149eb65ccd1a0ebf3c4754fbede4588f9825c64fbfa02f57a88d50479f08bbaa792f3d2b40af0894e61d418fb3c6dbd
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcVx:vHW138/iXWlK885rKlGSekcj66ciA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	potaz.exe

Executes dropped EXE 2 IoCs

pid	Process
4284	potaz.exe
2584	revel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	revel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	potaz.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe
2584	revel.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 4284	3372	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe	82
PID 3372 wrote to memory of 4284	3372	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe	82
PID 3372 wrote to memory of 4284	3372	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe	82
PID 3372 wrote to memory of 2100	3372	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe	83
PID 3372 wrote to memory of 2100	3372	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe	83
PID 3372 wrote to memory of 2100	3372	a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe	83
PID 4284 wrote to memory of 2584	4284	potaz.exe	94
PID 4284 wrote to memory of 2584	4284	potaz.exe	94
PID 4284 wrote to memory of 2584	4284	potaz.exe	94

C:\Users\Admin\AppData\Local\Temp\a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe
"C:\Users\Admin\AppData\Local\Temp\a41174b04078c6344a86941e2def0f3e60529bd7fcf611ff2b9242d8509eede0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Users\Admin\AppData\Local\Temp\potaz.exe
  "C:\Users\Admin\AppData\Local\Temp\potaz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Users\Admin\AppData\Local\Temp\revel.exe
    "C:\Users\Admin\AppData\Local\Temp\revel.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
41181436eec15a9753b0b37c4e591ab5

SHA1
84a8c0fef8872f9f18932359032a350b7d670e6c

SHA256
010cf65b6b97a6321eaaf8750054275c69fdf24e44168fa828ddd3831aa3ca09

SHA512
24d4ad71cdf5b267dc4a92926ecfb3cf2696912da1a0c50224e8a8ec0fcdd2154aaebb5d337ec6a2706d4d25e5710f527081bb1607539e8d48da3fccf1df911b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1f651d959be06c0d96d12ce9fc241e2b

SHA1
225fad230a6a3f0c3c5cce5a2a52728a109f4b60

SHA256
6245c083ebc5d5b1b087b731a5ee32373a4b659944a65b51e58c94302b3274c7

SHA512
ccbe5d48a0422ad8577d9d77d9221a5c966fc289a96b91d19c21cad5bdda4e5096e78b8abe26e8c6b3ba9dcc6ac8222bf9d7761849182b12ab525694a34db2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\potaz.exe

Filesize
337KB

MD5
c5febe579b1797f216a1374d3b0ba694

SHA1
5028448e7f14ba23fd5bac7343fed66577bfe08d

SHA256
30c8de672945ab1ef2b3f6e1653512dff069cbcc10d2924f3858295e1e18f138

SHA512
434cbdfe9e6d83337645d697473679c9c3aaa407b37e72a74786efadf58da1c9b62ce6dbd6eafa2c24f3814e0c857c72046d9a3b4f8e314eef90a8f95085daac

Download Submit
C:\Users\Admin\AppData\Local\Temp\revel.exe

Filesize
172KB

MD5
98aef40fb5c6e24847425f5c01ca03cf

SHA1
fb7e1033e83fe5c90aea3a6df040c42315f43ad1

SHA256
bd2b0f27071cb73bf56000ccb5f7e9747ebae347e592f367e23af78ef93f4aab

SHA512
d1ff710977ce67dab17b682241febb1bd1ce9c3edc6dabd7cb604c491228e64383c8d675a93a6fc04ad995a91b22c2af2eb7d21ebda56685a33659dd4d3640b5

Download Submit
memory/2584-48-0x0000000000510000-0x00000000005A9000-memory.dmp

Filesize
612KB

Download
memory/2584-40-0x0000000000510000-0x00000000005A9000-memory.dmp

Filesize
612KB

Download
memory/2584-46-0x0000000000510000-0x00000000005A9000-memory.dmp

Filesize
612KB

Download
memory/2584-47-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/2584-39-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/2584-38-0x0000000000510000-0x00000000005A9000-memory.dmp

Filesize
612KB

Download
memory/3372-17-0x0000000000E40000-0x0000000000EC1000-memory.dmp

Filesize
516KB

Download
memory/3372-0-0x0000000000E40000-0x0000000000EC1000-memory.dmp

Filesize
516KB

Download
memory/3372-1-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/4284-14-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4284-44-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/4284-21-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4284-20-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/4284-13-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing