urelas | 94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/01/2025, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe
Size

336KB
MD5

19b406150aae970923a4e9bc42c66055
SHA1

4e9391aa9520c698034cca8a91327ddd600e5a33
SHA256

94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514
SHA512

f21ac5c482a4089248f113e3048b71c977764a53c2d962ccb4dc81475be4533d32bf496d776f5a9bc806281db5a6db5bb66e045a54047ad550d2cb81553bd1c6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoH:vHW138/iXWlK885rKlGSekcj66ciI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2292	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1436	ahkey.exe
2148	fehuj.exe

Loads dropped DLL 2 IoCs

pid	Process
3060	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe
1436	ahkey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ahkey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fehuj.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe
2148	fehuj.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1436	3060	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	30
PID 3060 wrote to memory of 1436	3060	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	30
PID 3060 wrote to memory of 1436	3060	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	30
PID 3060 wrote to memory of 1436	3060	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	30
PID 3060 wrote to memory of 2292	3060	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	31
PID 3060 wrote to memory of 2292	3060	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	31
PID 3060 wrote to memory of 2292	3060	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	31
PID 3060 wrote to memory of 2292	3060	94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe	31
PID 1436 wrote to memory of 2148	1436	ahkey.exe	34
PID 1436 wrote to memory of 2148	1436	ahkey.exe	34
PID 1436 wrote to memory of 2148	1436	ahkey.exe	34
PID 1436 wrote to memory of 2148	1436	ahkey.exe	34

C:\Users\Admin\AppData\Local\Temp\94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe
"C:\Users\Admin\AppData\Local\Temp\94a7223f69d8c1dee43a0ad6df2f3529e59c0856e8e7d9e7adbc48df9cf19514.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\ahkey.exe
  "C:\Users\Admin\AppData\Local\Temp\ahkey.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\fehuj.exe
    "C:\Users\Admin\AppData\Local\Temp\fehuj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a50f54bc29a7cdfb931e2bf8607a518e

SHA1
8b117c06e00f4d79b128f8367d6900d999e971cc

SHA256
84cae3b8371c6af45250f3a8eef7cba289acc45afc0c810acbaf4efabf9b48df

SHA512
be6afa81df2fc657bc6fa3978a6784fe16f3e6393b264b34164eff8f77794a0e34bf894e38dec5cc1c22138d65099053c0848839d87d46c4d4701b363c1fd322

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0b4ad947719aa474fd92268fff57424c

SHA1
5ab8c9f4fc91cddc0abd5def91ddc13adee86318

SHA256
d54cb73295192a18ade7974f1c75481b311b826b9cf78e393dc6f8b32c78b992

SHA512
c687bdc6750ce624e05f7d29bc9aaa8f85b64b075772032a33b777022969c97fe7d2935747f2c91f11e501fdbd7439034827ddd39bcbbdddf1a0f7ff6a0ae8b6

Download Submit
\Users\Admin\AppData\Local\Temp\ahkey.exe

Filesize
336KB

MD5
cf97c9c502bad68c2ae2d631ba1fa0a8

SHA1
0b5f609a888f99e0877f431cab89c47dabdfaea8

SHA256
34a72b1d158700fe986e75e0223d4975d95c20470480daab630b50094a2cf281

SHA512
bf1cd2ce39f0f44c23ae9977a157d8984ef2955d94ac33d19c6b25a2c2955a126bb622784a4af2e6fc965fd54aebc82bb5545fd4f0187c7a9308fd65e5a440ce

Download Submit
\Users\Admin\AppData\Local\Temp\fehuj.exe

Filesize
172KB

MD5
258f475146db5d3502e7efdbd871af10

SHA1
7c1e0939762ecd476b5d7a1b07e83e18cd2bf4d6

SHA256
fa3f57ddbdab1929b4bb916c5691afefe42ae3b8ea2651273a8f979b596f7448

SHA512
ce5c30ea0227ce718b786b1a23ce78febe97350f1d56d11627100d6c0b78b5475bbe0de5e62bfa2a2342888900b6becd3be34a251fa53defe495a4819ee3ead9

Download Submit
memory/1436-39-0x0000000003280000-0x0000000003319000-memory.dmp

Filesize
612KB

Download
memory/1436-24-0x0000000000A30000-0x0000000000AB1000-memory.dmp

Filesize
516KB

Download
memory/1436-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1436-41-0x0000000000A30000-0x0000000000AB1000-memory.dmp

Filesize
516KB

Download
memory/1436-17-0x0000000000A30000-0x0000000000AB1000-memory.dmp

Filesize
516KB

Download
memory/2148-43-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/2148-42-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/2148-47-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/2148-48-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/2148-49-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/2148-50-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/2148-51-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/3060-0-0x0000000000210000-0x0000000000291000-memory.dmp

Filesize
516KB

Download
memory/3060-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3060-21-0x0000000000210000-0x0000000000291000-memory.dmp

Filesize
516KB

Download
memory/3060-16-0x0000000002260000-0x00000000022E1000-memory.dmp

Filesize
516KB

Download