urelas | 97e8f14b68a589239b11630fd1405b0d2ce6b84c8338842ce9c82f0b344106d2

General

Target

97e8f14b68a589239b11630fd1405b0d2ce6b84c8338842ce9c82f0b344106d2.exe
Size

78KB
MD5

944a5f9694369ae5c5cbae402c559d29
SHA1

2594ce819effa70ba6d0a5393b7a3488b3880bbe
SHA256

97e8f14b68a589239b11630fd1405b0d2ce6b84c8338842ce9c82f0b344106d2
SHA512

af5e85a23a20f45754f4d9deff54b681fb9b89fbabe1050b546ddf35dc4de34aa0c0911c408510eea8cc4e4e8e2236b0e31f2e6d417ff0ace67f85c796b64c48
SSDEEP

768:+sc7OdswlhnuXLhUQW5NPUFLuFdxm9MGVGkno5ksPCvEHH18TUBB/IwRfCZU9/7P:+9MJjCL2VlddeykkPCv8CqO+fC2c0

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2348	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2380	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2100	97e8f14b68a589239b11630fd1405b0d2ce6b84c8338842ce9c82f0b344106d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97e8f14b68a589239b11630fd1405b0d2ce6b84c8338842ce9c82f0b344106d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2380	2100	97e8f14b68a589239b11630fd1405b0d2ce6b84c8338842ce9c82f0b344106d2.exe	30
PID 2100 wrote to memory of 2380	2100	97e8f14b68a589239b11630fd1405b0d2ce6b84c8338842ce9c82f0b344106d2.exe	30
PID 2100 wrote to memory of 2380	2100	97e8f14b68a589239b11630fd1405b0d2ce6b84c8338842ce9c82f0b344106d2.exe	30
PID 2100 wrote to memory of 2380	2100	97e8f14b68a589239b11630fd1405b0d2ce6b84c8338842ce9c82f0b344106d2.exe	30
PID 2100 wrote to memory of 2348	2100	97e8f14b68a589239b11630fd1405b0d2ce6b84c8338842ce9c82f0b344106d2.exe	31
PID 2100 wrote to memory of 2348	2100	97e8f14b68a589239b11630fd1405b0d2ce6b84c8338842ce9c82f0b344106d2.exe	31
PID 2100 wrote to memory of 2348	2100	97e8f14b68a589239b11630fd1405b0d2ce6b84c8338842ce9c82f0b344106d2.exe	31
PID 2100 wrote to memory of 2348	2100	97e8f14b68a589239b11630fd1405b0d2ce6b84c8338842ce9c82f0b344106d2.exe	31

C:\Users\Admin\AppData\Local\Temp\97e8f14b68a589239b11630fd1405b0d2ce6b84c8338842ce9c82f0b344106d2.exe
"C:\Users\Admin\AppData\Local\Temp\97e8f14b68a589239b11630fd1405b0d2ce6b84c8338842ce9c82f0b344106d2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
44618bd13e4f041a1726c9ae5825c84e

SHA1
441d827a427d28451958c6fc92cdfd5043bf96d4

SHA256
cfdd874d11a1179351acd3d28be1b54783c2caa22d74cc6db1a691c306be0a07

SHA512
e0a68b861f2f12a398ca8ea90ddf6814f184185074887b4b1f75a154418c4e83ab556b73323d597d716be0e7314110fdc7b66fbc54f901a87e7fbb9784059e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
78KB

MD5
8fd0a72aedb5b7eaf87ca72f1812ba71

SHA1
7fca7c3bb33c816fec6bcfec0de7309d5730302d

SHA256
6cd9e7aeed600db4ea6f8147b2c1a9d859903b7aa5b0f4696a167107b948eed7

SHA512
662246b2c531490578aa0c7434dcafdf37fd7b9c58432d3334da1ec6921f007b72d3fdba9726e4c943964a6f4b4ed63fcc289a830993d92316bd6f86e5d3375c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
b4072c554bec300641fc50d13bc38aad

SHA1
91508b035d7e1bb2f8e13be0de33272f286910fb

SHA256
74e892e762e63ca8599eea04cf471bfc45e1c9aafef57f736780a7e3d07f666e

SHA512
66c6f5700241902dd1bfd944707bcf79d89e237238fcfcfa5306348c5c0ea5d1560b74de4d97314390302151e0a644783dc247f69adc9652c8f0b35d45afa356

Download Submit
memory/2100-0-0x00000000011D0000-0x0000000001200000-memory.dmp

Filesize
192KB

Download
memory/2100-9-0x0000000000D90000-0x0000000000DC0000-memory.dmp

Filesize
192KB

Download
memory/2100-19-0x00000000011D0000-0x0000000001200000-memory.dmp

Filesize
192KB

Download
memory/2380-10-0x0000000001360000-0x0000000001390000-memory.dmp

Filesize
192KB

Download
memory/2380-22-0x0000000001360000-0x0000000001390000-memory.dmp

Filesize
192KB

Download
memory/2380-24-0x0000000001360000-0x0000000001390000-memory.dmp

Filesize
192KB

Download
memory/2380-31-0x0000000001360000-0x0000000001390000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing