urelas | 42a51a26f5d4e9959db0b228fe7a17247f8572902056814d7fc09e93229bf098

General

Target

42a51a26f5d4e9959db0b228fe7a17247f8572902056814d7fc09e93229bf098.exe
Size

59KB
MD5

36f26fcaae5cf8d3aa97fe7cf9f0b633
SHA1

d80e1ac4b25d6e1ea8b961fd5f2ec8438356bfef
SHA256

42a51a26f5d4e9959db0b228fe7a17247f8572902056814d7fc09e93229bf098
SHA512

f88cff7f310671a9f6efd3047b9652918cafa3d2923a067c574c15f3d753e42951f9870d8f4a9216354a29096acd01bcc27568a16fc882a92de7b90426afbda5
SSDEEP

768:jb4zb59Yix/RoyH+5flZirYqc97vFvrpaZG3DHvTdA9GgnOuS5Z3WXcKIZx5uDZ:jbQx5oPsr2vFxDPhAvzgdWLIZ7yZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2464	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2492	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
1292	42a51a26f5d4e9959db0b228fe7a17247f8572902056814d7fc09e93229bf098.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42a51a26f5d4e9959db0b228fe7a17247f8572902056814d7fc09e93229bf098.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2492	1292	42a51a26f5d4e9959db0b228fe7a17247f8572902056814d7fc09e93229bf098.exe	30
PID 1292 wrote to memory of 2492	1292	42a51a26f5d4e9959db0b228fe7a17247f8572902056814d7fc09e93229bf098.exe	30
PID 1292 wrote to memory of 2492	1292	42a51a26f5d4e9959db0b228fe7a17247f8572902056814d7fc09e93229bf098.exe	30
PID 1292 wrote to memory of 2492	1292	42a51a26f5d4e9959db0b228fe7a17247f8572902056814d7fc09e93229bf098.exe	30
PID 1292 wrote to memory of 2464	1292	42a51a26f5d4e9959db0b228fe7a17247f8572902056814d7fc09e93229bf098.exe	31
PID 1292 wrote to memory of 2464	1292	42a51a26f5d4e9959db0b228fe7a17247f8572902056814d7fc09e93229bf098.exe	31
PID 1292 wrote to memory of 2464	1292	42a51a26f5d4e9959db0b228fe7a17247f8572902056814d7fc09e93229bf098.exe	31
PID 1292 wrote to memory of 2464	1292	42a51a26f5d4e9959db0b228fe7a17247f8572902056814d7fc09e93229bf098.exe	31

C:\Users\Admin\AppData\Local\Temp\42a51a26f5d4e9959db0b228fe7a17247f8572902056814d7fc09e93229bf098.exe
"C:\Users\Admin\AppData\Local\Temp\42a51a26f5d4e9959db0b228fe7a17247f8572902056814d7fc09e93229bf098.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f02bf69ff6351970bce3b50742a769ed

SHA1
577db2279b6489628583d770f441f3316ff2a560

SHA256
df6e69fc42308fb3e8b6ec778c1ba6afa4ec11d0414c86299df8b573a51f13c0

SHA512
42a7fc0af80713ece991b51ce908444414162de5cb704d1e538794db7fca217fe3d9bfde19d7661f62ccd1d8ec3de362675094f364daf48624ace9e9e2239979

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
a24d9bdbd3aeff6356f5c8671cf20eae

SHA1
d8aaaf3a9936c01bfb389fae3cd73ef6c82a3696

SHA256
9a79179a5b6cafdff07668da12fc3a9870328bfa4b81047bb7bdd04d29180719

SHA512
ef9c4ae996eb7fc5c9e3a40506a3c2e55938345fdf42501184e5f4f9f6460ec372e5887a73a3e8dd8e190c1412eeed0e82c725d463dce4bb670c26c509df0c5d

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
59KB

MD5
a5c61c2126ac8c88f4c447ac5d43c1a0

SHA1
24759965187847a9319ed0f0001cf9aad12cee86

SHA256
31c441b8dc2627a5baca725be38d0de2c985b84bb64df6c98d82e79f8f55033f

SHA512
936aa4bf368825423024112f292469aae7a43f52c7cde2ff030d84f3c8407b23eba135a13ed9c3a2d420f4cb80a3a86c275c414cb3f156dc3bf5cbe4039df121

Download Submit
memory/1292-0-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1292-8-0x0000000001DA0000-0x0000000001DC5000-memory.dmp

Filesize
148KB

Download
memory/1292-19-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/2492-17-0x0000000000D10000-0x0000000000D35000-memory.dmp

Filesize
148KB

Download
memory/2492-22-0x0000000000D10000-0x0000000000D35000-memory.dmp

Filesize
148KB

Download
memory/2492-24-0x0000000000D10000-0x0000000000D35000-memory.dmp

Filesize
148KB

Download
memory/2492-31-0x0000000000D10000-0x0000000000D35000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing