urelas | fea5384e93b8ba44ec51041545eefbaca16cd67fc5acb0a106ff6ccb8a11ac16

General

Target

fea5384e93b8ba44ec51041545eefbaca16cd67fc5acb0a106ff6ccb8a11ac16N.exe
Size

338KB
MD5

d4f84cfe896e1c29f6a5f32291e3f5f0
SHA1

c8a9f5efad1e6e4fb33fde015d5baca8de03e98e
SHA256

fea5384e93b8ba44ec51041545eefbaca16cd67fc5acb0a106ff6ccb8a11ac16
SHA512

664f50bb70540093bdc592b929b9b8d0d7ddc116badf24ddca8a049f8c648d5a69cfa4cb38fc1b2282edb8185a3bf0c8f858db2ef039b157d87e4002e26f4dfa
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKo5pN:vHW138/iXWlK885rKlGSekcj66ci8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	fea5384e93b8ba44ec51041545eefbaca16cd67fc5acb0a106ff6ccb8a11ac16N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	ecbil.exe

Executes dropped EXE 2 IoCs

pid	Process
1960	ecbil.exe
1536	pixyj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fea5384e93b8ba44ec51041545eefbaca16cd67fc5acb0a106ff6ccb8a11ac16N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecbil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pixyj.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe
1536	pixyj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1960	1480	fea5384e93b8ba44ec51041545eefbaca16cd67fc5acb0a106ff6ccb8a11ac16N.exe	83
PID 1480 wrote to memory of 1960	1480	fea5384e93b8ba44ec51041545eefbaca16cd67fc5acb0a106ff6ccb8a11ac16N.exe	83
PID 1480 wrote to memory of 1960	1480	fea5384e93b8ba44ec51041545eefbaca16cd67fc5acb0a106ff6ccb8a11ac16N.exe	83
PID 1480 wrote to memory of 4140	1480	fea5384e93b8ba44ec51041545eefbaca16cd67fc5acb0a106ff6ccb8a11ac16N.exe	84
PID 1480 wrote to memory of 4140	1480	fea5384e93b8ba44ec51041545eefbaca16cd67fc5acb0a106ff6ccb8a11ac16N.exe	84
PID 1480 wrote to memory of 4140	1480	fea5384e93b8ba44ec51041545eefbaca16cd67fc5acb0a106ff6ccb8a11ac16N.exe	84
PID 1960 wrote to memory of 1536	1960	ecbil.exe	102
PID 1960 wrote to memory of 1536	1960	ecbil.exe	102
PID 1960 wrote to memory of 1536	1960	ecbil.exe	102

C:\Users\Admin\AppData\Local\Temp\fea5384e93b8ba44ec51041545eefbaca16cd67fc5acb0a106ff6ccb8a11ac16N.exe
"C:\Users\Admin\AppData\Local\Temp\fea5384e93b8ba44ec51041545eefbaca16cd67fc5acb0a106ff6ccb8a11ac16N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\ecbil.exe
  "C:\Users\Admin\AppData\Local\Temp\ecbil.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\pixyj.exe
    "C:\Users\Admin\AppData\Local\Temp\pixyj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
8df63a479fe943d1cd0889f78578bcc4

SHA1
2e3c4709c101483ff6a957cf663547302fbf6044

SHA256
44d061a9f0f95cec27c521183ffcd27a19d9254ecfe37ffd25c6e68b621407a7

SHA512
aa22e55f16de8e7d01cf78b505eb371f4149c662b9b7b6550f238a1d3bd1b7f934904c38d824b2b5d7ddedaaa98c64501b1ff06488ed2703eef97dd28e850b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecbil.exe

Filesize
338KB

MD5
3081f3108258327e96cdf2110dd12282

SHA1
70126c9f6b9f1910ae803a64d09d8e46310408cd

SHA256
4a613f43b10cbf7720687c30aa086d0f5f20492885774379e5fc36b7968dcf4d

SHA512
295e99eb17fa4e6c3e094246b49ebb9fd00e54666440c8ccfabd62725bb09adf598e9b4f6508d08d31682f30bb073961e483bf6da7384d77a7dcf3eedd5c91dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ceb49ee6ba246c5cd49f7f191c89945a

SHA1
0a55dcbebbd4497ba179c5f4358c8f9a41ee5337

SHA256
a9faf7b74430eb16d5cdd416ad26ffe333e5d15d740208ef20c68d8d023a31e8

SHA512
06d020b27168bbc975ef2e9dff96f8dc8c30dba2091643a98e99e62e51fd939f3c161a983cd7d44fa8e04d93a9d9371fd8bc6e71daa6839c557fdbadc8ff7f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\pixyj.exe

Filesize
172KB

MD5
9f14621bb4569704bdd1d07762de52e0

SHA1
6c507ba9b81bc74be5805ff06c4e3e81d755c62d

SHA256
cd1fca127d40266ad1f19c7322d104f0d4b992ecedb4c8cac835c10ddfe17d24

SHA512
16c24377cc7593d3d64d736051fd03fa3b97bde5e7d4d5e83f3851561006e8019709e211822dcdeb87c4dab73516456a1dc47198a3de15258c8b37570c7855f0

Download Submit
memory/1480-1-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1480-0-0x0000000000BB0000-0x0000000000C31000-memory.dmp

Filesize
516KB

Download
memory/1480-16-0x0000000000BB0000-0x0000000000C31000-memory.dmp

Filesize
516KB

Download
memory/1536-47-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/1536-46-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/1536-45-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/1536-36-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/1536-41-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/1536-40-0x0000000000100000-0x0000000000199000-memory.dmp

Filesize
612KB

Download
memory/1960-12-0x0000000000CF0000-0x0000000000D71000-memory.dmp

Filesize
516KB

Download
memory/1960-39-0x0000000000CF0000-0x0000000000D71000-memory.dmp

Filesize
516KB

Download
memory/1960-20-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1960-19-0x0000000000CF0000-0x0000000000D71000-memory.dmp

Filesize
516KB

Download
memory/1960-13-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing