urelas | 5b7ffb6582b9627f310fb7be22fefb4dea58d1aef30301e981d357ab7126bad4

General

Target

5b7ffb6582b9627f310fb7be22fefb4dea58d1aef30301e981d357ab7126bad4.exe
Size

77KB
MD5

76becc6084eb6de9a0b38cd7c27c2f43
SHA1

6a984b4adefb8c106c1d09f6d1d27d63c3a6abf6
SHA256

5b7ffb6582b9627f310fb7be22fefb4dea58d1aef30301e981d357ab7126bad4
SHA512

b72cb997754bae1ce88493e5bc9afcc57f62dd9731c85cd0bf7976ff16ecc9fe7b3b3dc58042f380ef4fc1546a155e78764499158cf7883e093db4344d481c4a
SSDEEP

1536:PL2hIZA4fFfgK6xwHquw63wIl3eCEwWsg1+:PLnFYZx7CeCEwrV

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2792	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2300	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2908	5b7ffb6582b9627f310fb7be22fefb4dea58d1aef30301e981d357ab7126bad4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b7ffb6582b9627f310fb7be22fefb4dea58d1aef30301e981d357ab7126bad4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2300	2908	5b7ffb6582b9627f310fb7be22fefb4dea58d1aef30301e981d357ab7126bad4.exe	28
PID 2908 wrote to memory of 2300	2908	5b7ffb6582b9627f310fb7be22fefb4dea58d1aef30301e981d357ab7126bad4.exe	28
PID 2908 wrote to memory of 2300	2908	5b7ffb6582b9627f310fb7be22fefb4dea58d1aef30301e981d357ab7126bad4.exe	28
PID 2908 wrote to memory of 2300	2908	5b7ffb6582b9627f310fb7be22fefb4dea58d1aef30301e981d357ab7126bad4.exe	28
PID 2908 wrote to memory of 2792	2908	5b7ffb6582b9627f310fb7be22fefb4dea58d1aef30301e981d357ab7126bad4.exe	29
PID 2908 wrote to memory of 2792	2908	5b7ffb6582b9627f310fb7be22fefb4dea58d1aef30301e981d357ab7126bad4.exe	29
PID 2908 wrote to memory of 2792	2908	5b7ffb6582b9627f310fb7be22fefb4dea58d1aef30301e981d357ab7126bad4.exe	29
PID 2908 wrote to memory of 2792	2908	5b7ffb6582b9627f310fb7be22fefb4dea58d1aef30301e981d357ab7126bad4.exe	29

C:\Users\Admin\AppData\Local\Temp\5b7ffb6582b9627f310fb7be22fefb4dea58d1aef30301e981d357ab7126bad4.exe
"C:\Users\Admin\AppData\Local\Temp\5b7ffb6582b9627f310fb7be22fefb4dea58d1aef30301e981d357ab7126bad4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a0ae699180b5c88a6d361eb8cd1fd1a0

SHA1
d96c983976fe9d29092ed1524c48e29eb6d7d494

SHA256
9e7063a5ccabb60062f55f4e389d03b671ef086985109e6a5126e16059ea3d3c

SHA512
5c2a0aba8917ff43861c6fb5adfd67193e2522c3bd44ee8ed2793c2d29296363bd094b31c16e68c43c812762ba20741ef428e5c19c3318071b9c6ab7b935bb5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
e5320828280043c9a35d650cf9e1cdf3

SHA1
d75e185ca06946b9203c0f9aba1653926bf61715

SHA256
3ae20e098e300cbdf60d973601eb4fa56ab9eeba71cfda11bc586577c562e45b

SHA512
8e4141f163fedff88cb5d364d173094a72620b4872333688c3691e50fba0a42784d86b5d39527227e2fb6131f4cc290628aa8c0532315735bb9567e96b43b8f1

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
77KB

MD5
6d59631fbfbf7b381dc0afac0469b682

SHA1
5073b7c17d533741b096638ed2743de9fc324ed0

SHA256
57ff4c432cd049288b3e4a968b0731b81f010ed9c029bd377316f13cbcbdb199

SHA512
0d5a15fdae5db330a5044a018baaa7ee833812f76f8d0ffc1f723b03acb9d053739d51addb67d4477b9026b5320b58c0b577e296eccb1873fe58ddf5467b3078

Download Submit
memory/2300-11-0x0000000000FE0000-0x000000000101D000-memory.dmp

Filesize
244KB

Download
memory/2300-22-0x0000000000FE0000-0x000000000101D000-memory.dmp

Filesize
244KB

Download
memory/2300-25-0x0000000000FE0000-0x000000000101D000-memory.dmp

Filesize
244KB

Download
memory/2300-32-0x0000000000FE0000-0x000000000101D000-memory.dmp

Filesize
244KB

Download
memory/2908-0-0x0000000001120000-0x000000000115D000-memory.dmp

Filesize
244KB

Download
memory/2908-10-0x0000000000A60000-0x0000000000A9D000-memory.dmp

Filesize
244KB

Download
memory/2908-19-0x0000000001120000-0x000000000115D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing