urelas | b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815

General

Target

b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe
Size

338KB
MD5

2b943ee14b3fcd4d5986b1e10de923c0
SHA1

126da8396b67a6576c88678d9c71bbdc860eeee6
SHA256

b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815
SHA512

f0040014214a389814da9e895e1d333be6e294edbd143e2bef4db7c6c89ffb35c305dd4db849a0ce726d2e7d5974035dfa4d20434b1257f08fc6761866e326c1
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKogA:vHW138/iXWlK885rKlGSekcj66cis

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	muruh.exe

Executes dropped EXE 2 IoCs

pid	Process
1624	muruh.exe
3712	qouzf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qouzf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muruh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe
3712	qouzf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 1624	4460	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe	83
PID 4460 wrote to memory of 1624	4460	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe	83
PID 4460 wrote to memory of 1624	4460	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe	83
PID 4460 wrote to memory of 5028	4460	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe	84
PID 4460 wrote to memory of 5028	4460	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe	84
PID 4460 wrote to memory of 5028	4460	b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe	84
PID 1624 wrote to memory of 3712	1624	muruh.exe	103
PID 1624 wrote to memory of 3712	1624	muruh.exe	103
PID 1624 wrote to memory of 3712	1624	muruh.exe	103

C:\Users\Admin\AppData\Local\Temp\b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe
"C:\Users\Admin\AppData\Local\Temp\b30902b7c0847bab4dfe23fda0e0f06bee4acadb38414aa0b5ff077fae349815N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Users\Admin\AppData\Local\Temp\muruh.exe
  "C:\Users\Admin\AppData\Local\Temp\muruh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\qouzf.exe
    "C:\Users\Admin\AppData\Local\Temp\qouzf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
65abadae7463d90004aa7d5b0c2ae35a

SHA1
a4a95bd5e8c540bb83546286f31451a59ab2d77c

SHA256
0744cd2dd7d7a3a618b247817032cd9505f545cdedb59b35488e687be947fcd9

SHA512
6c35c023b335618fe7d112bfa2b46197317767bfb87ab34d66e05a5c123c440011ce6dc6e1973bfca0302418255366f12560214b42c8904782bf4fb334fd276c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7ceffe14707a18a365106328e4b9e58d

SHA1
abf7a0095b70cfe7801b1307066ce943ff028109

SHA256
e829dcffc6bb105cef0202195ba9826b7b918057c806d9196e2454fc666ea89d

SHA512
f6226fcee9a966dc9fff81e036410c30a0002f9f655686f90bb786317ec3491bf7386899ba68d3b4a2ac891f8b04aa1c29308351c29e93206a1b96da7554b2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\muruh.exe

Filesize
338KB

MD5
c35fe2356b9648402e43bb95b5399bb9

SHA1
4054e88322a500e4dda11102122e96c88c717ec8

SHA256
d18e2a698ac255c89f172d8660120f5dabc25968f6c1364fc40731104b36014a

SHA512
fffe10506f09e0b4d47583a002019ced868c315cb0b3f012a389a6bec2e267d3e73ad15df8b9db575551ed23d5606532dd3150c0a80a89f7f7bfe633c2e0e08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qouzf.exe

Filesize
172KB

MD5
b6b3affe4488bb2add1db151def76f03

SHA1
b2614688c93f6e80e5be6e9b0c0837b2c8a39f0d

SHA256
c8f0357b4e88b7ecba05089afdaa2b1b2d613ac1610d9e21807c2a84f8744cb1

SHA512
e92870f002408fb6dd5319ed11294be59680df21d5d1176045fdd9d50c41dc56e97207fc6dc23cd8334299cb4f9c122be0e555ab6ffbd0069bd649a5637407fc

Download Submit
memory/1624-20-0x0000000000890000-0x0000000000911000-memory.dmp

Filesize
516KB

Download
memory/1624-13-0x0000000000890000-0x0000000000911000-memory.dmp

Filesize
516KB

Download
memory/1624-14-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1624-40-0x0000000000890000-0x0000000000911000-memory.dmp

Filesize
516KB

Download
memory/3712-38-0x0000000000C80000-0x0000000000C82000-memory.dmp

Filesize
8KB

Download
memory/3712-37-0x0000000000DF0000-0x0000000000E89000-memory.dmp

Filesize
612KB

Download
memory/3712-41-0x0000000000DF0000-0x0000000000E89000-memory.dmp

Filesize
612KB

Download
memory/3712-45-0x0000000000C80000-0x0000000000C82000-memory.dmp

Filesize
8KB

Download
memory/3712-46-0x0000000000DF0000-0x0000000000E89000-memory.dmp

Filesize
612KB

Download
memory/3712-47-0x0000000000DF0000-0x0000000000E89000-memory.dmp

Filesize
612KB

Download
memory/4460-17-0x0000000000410000-0x0000000000491000-memory.dmp

Filesize
516KB

Download
memory/4460-0-0x0000000000410000-0x0000000000491000-memory.dmp

Filesize
516KB

Download
memory/4460-1-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing