urelas | 8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4

General

Target

8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe
Size

76KB
MD5

52a8fcf99b8eadfd68b8f8a4e3f52df0
SHA1

c8e7c9a9a6489f23ad9721f1b9bc05d4070414b0
SHA256

8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4
SHA512

51d377308f0a9324d6607dd1e38b4b4ff5101e9e6c585de230195667a93bdbfa5f5903c67dc0bb9e6972987b08f2fed4f5cd10d1a10648e8cafd339f8216c426
SSDEEP

1536:+Uk8RgDXz7Kx8zzgmTlvtKrNCpbXmsz4tHITp:Tk8yn7KdmTINQXzz4a

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2704	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
3040	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2704	3040	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe	30
PID 3040 wrote to memory of 2704	3040	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe	30
PID 3040 wrote to memory of 2704	3040	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe	30
PID 3040 wrote to memory of 2704	3040	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe	30
PID 3040 wrote to memory of 2640	3040	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe	31
PID 3040 wrote to memory of 2640	3040	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe	31
PID 3040 wrote to memory of 2640	3040	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe	31
PID 3040 wrote to memory of 2640	3040	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe	31

C:\Users\Admin\AppData\Local\Temp\8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe
"C:\Users\Admin\AppData\Local\Temp\8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
76eaed1cdcaa3e93de67dd5f94abb63e

SHA1
c0e0ff36484832ed8fd69b50fc2d2691811f218b

SHA256
fe485dd700b9b8c95e9de719dc1eb9ecf25b8f554fc23a3baa679ff12aa173b5

SHA512
bcf04a4f6e80db17fbb6d9be2b9c5722cd2118a6dbf4b2fc8a438efd8df1085fbc2a08047d1aaa909095f48294c2bb454ac66d76110deb6b6ec153b8a1a5511b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
83df7084d2fb706c5d584812144495ce

SHA1
34a28ba433f5709eb024466c2663100fea7ac79d

SHA256
ca1fb010d9a601fa00ff12ac7421a6e99959a5f89273abf82fc285cdda48867b

SHA512
b9fc79596089c6bfbbb9c2a4a5d9abdd989c81575384e8d3d77afcc5399ba76ff07490bb0f53d1db568164891d6b4d6bd5f1ab9730862d5478a818bfca9694a8

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
76KB

MD5
c7b7d571d7663a1e500d0221777dc9a5

SHA1
b97cc6275360bc2ebe81763c9cae8d77e3c28be5

SHA256
95c13af4bc37701d55933521725ea66a4516f33a2f39846f3ad7a05aa516ff4c

SHA512
89cacf06cd39bb8cf8b532347f3968c9aa28046688c2f88a6d8765f019093473d3f9f8f0de53610220076c99c77e75a51da95aa5d6b220d7ed1f183239431445

Download Submit
memory/2704-10-0x00000000001A0000-0x00000000001CF000-memory.dmp

Filesize
188KB

Download
memory/2704-21-0x00000000001A0000-0x00000000001CF000-memory.dmp

Filesize
188KB

Download
memory/2704-23-0x00000000001A0000-0x00000000001CF000-memory.dmp

Filesize
188KB

Download
memory/2704-30-0x00000000001A0000-0x00000000001CF000-memory.dmp

Filesize
188KB

Download
memory/3040-0-0x00000000010A0000-0x00000000010CF000-memory.dmp

Filesize
188KB

Download
memory/3040-8-0x0000000000410000-0x000000000043F000-memory.dmp

Filesize
188KB

Download
memory/3040-18-0x00000000010A0000-0x00000000010CF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing