urelas | 53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe

General

Target

53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe
Size

505KB
MD5

e82dc2f700675d613eb9d3539e110979
SHA1

58a1c5e1c2ab44aef6e7a20e87b929c997e4ef8b
SHA256

53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe
SHA512

f489519b78f3242951a83c08133db7dd752316ae520b8833cd47f9170ef6d92c9e8902a49bbad556311fa74d9114994ae3fcca5d6b2720f775ef8b346ac3b601
SSDEEP

12288:6uGtVfjUBSaoINAHT19UWvMucSlFgIOguNvP/6x5:6bt2/NA3UWUuBlFLUvax5

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2536 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

rybie.exeumnio.exe

pid process

2016 rybie.exe
1628 umnio.exe
Loads dropped DLL 2 IoCs

Processes:

53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exerybie.exe

pid process

2524 53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe
2016 rybie.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2536	cmd.exe

pid	process
2016	rybie.exe
1628	umnio.exe

pid	process
2524	53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe
2016	rybie.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

umnio.exe

pid	process
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe
1628	umnio.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exerybie.exe

description	pid	process	target process
PID 2524 wrote to memory of 2016	2524	53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe	rybie.exe
PID 2524 wrote to memory of 2016	2524	53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe	rybie.exe
PID 2524 wrote to memory of 2016	2524	53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe	rybie.exe
PID 2524 wrote to memory of 2016	2524	53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe	rybie.exe
PID 2524 wrote to memory of 2536	2524	53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe	cmd.exe
PID 2524 wrote to memory of 2536	2524	53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe	cmd.exe
PID 2524 wrote to memory of 2536	2524	53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe	cmd.exe
PID 2524 wrote to memory of 2536	2524	53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe	cmd.exe
PID 2016 wrote to memory of 1628	2016	rybie.exe	umnio.exe
PID 2016 wrote to memory of 1628	2016	rybie.exe	umnio.exe
PID 2016 wrote to memory of 1628	2016	rybie.exe	umnio.exe
PID 2016 wrote to memory of 1628	2016	rybie.exe	umnio.exe

C:\Users\Admin\AppData\Local\Temp\53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe
"C:\Users\Admin\AppData\Local\Temp\53f590f0c72e4724ebe8957bf761a64f83534c22faae816df6cd9da8ce40b8fe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Local\Temp\rybie.exe
"C:\Users\Admin\AppData\Local\Temp\rybie.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\umnio.exe
"C:\Users\Admin\AppData\Local\Temp\umnio.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
340B

MD5
d0025df6a661a237ab2a386a04300dd9

SHA1
c6cd0b9269551595fee1082d6fb70613c071f4df

SHA256
8acc6487d10a6c4d45ec607e4a0db85c00ed7314aaed7a0fd01db409420d1ecf

SHA512
f90e63f47dceaa85ffffb0e42fd44fe347dd4fe2e33ed3e3b7b3d4a485f0aaf7df06ac21f8921cdd4d5e249d68cc0f0fc4303a282b1505d2eb036e41b9d23ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
ec4ba8481bfedc6438c33ea682521f29

SHA1
9d60c1ea643b81104d8128e2110197691980c17c

SHA256
d94a80e3b1ab213e581f07bb690ec4caa03c6d15608a18bb12bb9969bcdca479

SHA512
2a8fdf1eb19ab4436b03f8e0b3fc707cee3d7e98301cfb0b32d29ed490e67fef3ba3578845a7986466544a568d0bd366734d1e9c0b7a8b1627abc5e147b39b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rybie.exe
Filesize
505KB

MD5
02b5c32964d7fd8c970bb02bc1939ad6

SHA1
cdd2e918eb7e0d75e0b932fac4db120ca24543d9

SHA256
821437a2f17214a1c34fd68b2266d6a346f04c894e91df457d91d1d5e3761c64

SHA512
e75b436d10046cf68de9cab57e8c4b3592815acecab98c62687c95610458ccef31c3594ab637ce48601ad1b2219419e97328a70cb20ff1c07c4523292b3aa2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\umnio.exe
Filesize
186KB

MD5
c8a11f14d879345a4a9a1e841cccd875

SHA1
6fa562c892b0e5015ea99fb69cde423cc82bb413

SHA256
ba0984a3c7fcd5327681a300e3ed1165556e9f445c8493fed89ad7bb2aa3b367

SHA512
1d1015c68b25c7fd943b60cbd6166f5d193de6e86676336cc73361c57b47e143b8f6c278ced01c5c18e7cf921a18c567fd352c2b5e1de2cddeb29e5b612ac671

Download Submit
\Users\Admin\AppData\Local\Temp\rybie.exe
Filesize
505KB

MD5
6c2627dc28779818b7397681c7b322c7

SHA1
46cfb2c34f5b54d2fee0d75dbbaff7cc81b9e899

SHA256
cf7192c22da69580556f66c1c0dc17ed14297181f3c99f03e32cc22a90dcc3ab

SHA512
c65ff7fbd557451c4ad188001a13f2b8db8f2cac774ff7eab2c715caa7b1e8a7fdf37f5ef96a93911ade5a442ffb2075432b66b8bfef4eced90763cdf832e175

Download Submit
memory/1628-31-0x00000000003E0000-0x0000000000476000-memory.dmp

Filesize
600KB

Download
memory/1628-32-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1628-27-0x00000000003E0000-0x0000000000476000-memory.dmp

Filesize
600KB

Download
memory/1628-35-0x00000000003E0000-0x0000000000476000-memory.dmp

Filesize
600KB

Download
memory/1628-36-0x00000000003E0000-0x0000000000476000-memory.dmp

Filesize
600KB

Download
memory/1628-37-0x00000000003E0000-0x0000000000476000-memory.dmp

Filesize
600KB

Download
memory/1628-38-0x00000000003E0000-0x0000000000476000-memory.dmp

Filesize
600KB

Download
memory/1628-39-0x00000000003E0000-0x0000000000476000-memory.dmp

Filesize
600KB

Download
memory/2016-30-0x00000000032B0000-0x0000000003346000-memory.dmp

Filesize
600KB

Download
memory/2016-26-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2016-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2524-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2524-0-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing