urelas | 808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06ab

General

Target

808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe
Size

593KB
MD5

a620bb4108679de3918a72f658aea8b0
SHA1

55d20fe7e10f07a0b48c3d9cb00a1fc92e188ce9
SHA256

808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06ab
SHA512

5efd7e4149934370f59760ee48711dd8a85a8001af732d4eb0980ab4a25a0d90f26c07340bbba2ed9fae4b44d8b638756466ca3a989c96eda63f220322292611
SSDEEP

6144:CZKHKSIl0SatLPTUrjBpAs/mpYIqaaUN44Iq766ztAkOHn0LHZRf:C4jm0Sat7Az/gZvTIq2WKkw0Fp

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	mufok.exe

Executes dropped EXE 2 IoCs

pid	Process
1556	mufok.exe
1336	ijdoq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ijdoq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mufok.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe
1336	ijdoq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 1556	3532	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe	84
PID 3532 wrote to memory of 1556	3532	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe	84
PID 3532 wrote to memory of 1556	3532	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe	84
PID 3532 wrote to memory of 4812	3532	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe	85
PID 3532 wrote to memory of 4812	3532	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe	85
PID 3532 wrote to memory of 4812	3532	808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe	85
PID 1556 wrote to memory of 1336	1556	mufok.exe	96
PID 1556 wrote to memory of 1336	1556	mufok.exe	96
PID 1556 wrote to memory of 1336	1556	mufok.exe	96

C:\Users\Admin\AppData\Local\Temp\808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe
"C:\Users\Admin\AppData\Local\Temp\808d3be3c59d782d2ee29ce643f1b769292c848a8c3043ff5c1e2fd1719b06abN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\mufok.exe
  "C:\Users\Admin\AppData\Local\Temp\mufok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Users\Admin\AppData\Local\Temp\ijdoq.exe
    "C:\Users\Admin\AppData\Local\Temp\ijdoq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b2ca20597b46f2aa51506d6f52aecd83

SHA1
84795bf4163ce464b114888910e4d1d6e1335b6e

SHA256
0d97fe0c3b4fc39d4cd8350414d0f8ca94f09b57efca41fb206df799e4792464

SHA512
fefcaee182efc5758307647200fa4e75a8709559d2fabaf2bbad1d93f5d492b7c02944ce2fc41a4844347c763990989d0f4bd8095e55c7bd0e7371b42b68b0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b88759c0c580ad12cbdaefa7864392d8

SHA1
9747b338724935752f271619672493f2c9e26e79

SHA256
347b21b09345a686f1afff2f14ef2bee713fc7943ab5292a1f72f687fbb16504

SHA512
1cd6b3edabc0268f9202f4901c710aef315c61136b7833a1441decc4c3077581b337413b00ee9ce6f6a814df004de209f24d405dbebb3e1fe37c20b18acf7267

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijdoq.exe

Filesize
323KB

MD5
a4c2d5514a610a241efa862bbfc6b6c2

SHA1
81d455f31d638526ac665f310f2581c147ee521a

SHA256
17bbb2fc1bf7f1ffc9a38a8eb706a74a83cffed90d843b84886dfaf6b5865fd1

SHA512
1ea0148e764e89256ebfa7845360e06de4e6d7576fbe683007b2c23744e2e87ecb5daf7460461abcc37ab465418e8fcf38337ea7ca1f4200fe283515ba9da61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mufok.exe

Filesize
593KB

MD5
a63c8890f558055a78710ed78b6b445d

SHA1
d243bb654e033d7bf305a66eb6c5ef2e62a768ec

SHA256
d213c360d701ba833e8d2def56dffb00e5b2192fb18a8de9ee43cbe039a028a6

SHA512
f312c64120a9b70c8cb0df6c45b2cf2945243330e9bba6aeaeb99234b4cb0ac8e6199f03d365180517343bb736d683bee41a72a1c4ec8a7b916d9719563af785

Download Submit
memory/1336-23-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1336-25-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1336-27-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1336-28-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1556-11-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3532-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing