urelas | ec012b55d45584ead0f10edb75881b9b357a3a56a43b891cbc296467d22e24b6

General

Target

ec012b55d45584ead0f10edb75881b9b357a3a56a43b891cbc296467d22e24b6.exe
Size

94KB
MD5

855f715ebb7b08cca6538de00b3db65a
SHA1

60450d11c65542a96bc0b9652140b3e5577eb03a
SHA256

ec012b55d45584ead0f10edb75881b9b357a3a56a43b891cbc296467d22e24b6
SHA512

8d88d7efba1f5d485789e15f95ed519d6e3e5a6dc3cd4ab5132c1bd9f4d6b2573470bde63f1ca4ea446bb72510e907855f2177cd49b048a9bf39d87a24dcb66d
SSDEEP

768:tp0ti4HnnhtwYbJy6rioyelmd1TzulQEDDPOwc5n5uNCT/jhhLBxQIwqepJZU9mq:tWzhtJbUgHoADDIx1hLfuJrq

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2400	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2744	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2164	ec012b55d45584ead0f10edb75881b9b357a3a56a43b891cbc296467d22e24b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec012b55d45584ead0f10edb75881b9b357a3a56a43b891cbc296467d22e24b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2744	2164	ec012b55d45584ead0f10edb75881b9b357a3a56a43b891cbc296467d22e24b6.exe	31
PID 2164 wrote to memory of 2744	2164	ec012b55d45584ead0f10edb75881b9b357a3a56a43b891cbc296467d22e24b6.exe	31
PID 2164 wrote to memory of 2744	2164	ec012b55d45584ead0f10edb75881b9b357a3a56a43b891cbc296467d22e24b6.exe	31
PID 2164 wrote to memory of 2744	2164	ec012b55d45584ead0f10edb75881b9b357a3a56a43b891cbc296467d22e24b6.exe	31
PID 2164 wrote to memory of 2400	2164	ec012b55d45584ead0f10edb75881b9b357a3a56a43b891cbc296467d22e24b6.exe	32
PID 2164 wrote to memory of 2400	2164	ec012b55d45584ead0f10edb75881b9b357a3a56a43b891cbc296467d22e24b6.exe	32
PID 2164 wrote to memory of 2400	2164	ec012b55d45584ead0f10edb75881b9b357a3a56a43b891cbc296467d22e24b6.exe	32
PID 2164 wrote to memory of 2400	2164	ec012b55d45584ead0f10edb75881b9b357a3a56a43b891cbc296467d22e24b6.exe	32

C:\Users\Admin\AppData\Local\Temp\ec012b55d45584ead0f10edb75881b9b357a3a56a43b891cbc296467d22e24b6.exe
"C:\Users\Admin\AppData\Local\Temp\ec012b55d45584ead0f10edb75881b9b357a3a56a43b891cbc296467d22e24b6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
16c2bcf1dae729c5cb36a1875efe354c

SHA1
775fbf4b6a2e5bc033b86cfc0893250b5d387a45

SHA256
796a881d71234f7fcd9f5220c6e5674e231610bbf37626d9e5b79dc3268b7bb4

SHA512
d8bd6cb6cb6ccd3c2cc40edde9cd3e8c09d1ae55c21ac1896325c324c08507e68c16d3864923806d29db79c57b958dac68e43bdcf809c0a2c8b5b0a7b8557177

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
95KB

MD5
79eb8e8a8e0230355d005c16c8e00689

SHA1
57f3a50c74a759025f5709172becf6c7c22166d6

SHA256
753744f5edfbf44442c884a6d1d7d07e3aab9702053330b4ef245a2246f36761

SHA512
8444e22c76f3b32ede4ce9559a3ffe7ae08df4a8fd02595fd48866ed4454e8b0f77a49125c55bc4a21af9c76641b7d2db9fa91bda944d01c298cc29a75845428

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
b24da7e934866f5651d5df93847b6a33

SHA1
3dfe8c16dfdcbfbf68cc4972f2b2b7fc0aa850d7

SHA256
34b49da5fb678795a070a3fa816036152b4004bf2e0eee75b4d2419110b05bbb

SHA512
b303edaafd0c5e8f3b6a360bd0a409526a0c00fcdf0a37d467599171e4063dbc8f7285c670df845395f6d242ff343001625db52342b48d8f94d1492533e3b587

Download Submit
memory/2164-0-0x0000000001360000-0x0000000001390000-memory.dmp

Filesize
192KB

Download
memory/2164-9-0x00000000007E0000-0x0000000000810000-memory.dmp

Filesize
192KB

Download
memory/2164-18-0x0000000001360000-0x0000000001390000-memory.dmp

Filesize
192KB

Download
memory/2744-19-0x0000000000BF0000-0x0000000000C20000-memory.dmp

Filesize
192KB

Download
memory/2744-22-0x0000000000BF0000-0x0000000000C20000-memory.dmp

Filesize
192KB

Download
memory/2744-24-0x0000000000BF0000-0x0000000000C20000-memory.dmp

Filesize
192KB

Download
memory/2744-31-0x0000000000BF0000-0x0000000000C20000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing