urelas | 3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272

General

Target

3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe
Size

516KB
MD5

d200af10617c97ddd4fa9eb866c715ad
SHA1

c3080251af403cc47cb9afa243b838ac11c6214c
SHA256

3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272
SHA512

21fe0d992b7c83ed8d2e813cff68918c861ffa65b21ff8a5dc9984f789800db0aa4392ce8a153df3b471c67e5f830754cf81b11b27bb88d96be3cfb167059202
SSDEEP

12288:RyPHijVSuJqu4kw6eDPvjJ81VGqK6GvPN:RuCTq4w6or+GnV

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2980 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

pevey.exeytsae.exe

pid process

1244 pevey.exe
344 ytsae.exe
Loads dropped DLL 2 IoCs

Processes:

3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exepevey.exe

pid process

1492 3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe
1244 pevey.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2980	cmd.exe

pid	process
1244	pevey.exe
344	ytsae.exe

pid	process
1492	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe
1244	pevey.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

ytsae.exe

pid	process
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe
344	ytsae.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exepevey.exe

description	pid	process	target process
PID 1492 wrote to memory of 1244	1492	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe	pevey.exe
PID 1492 wrote to memory of 1244	1492	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe	pevey.exe
PID 1492 wrote to memory of 1244	1492	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe	pevey.exe
PID 1492 wrote to memory of 1244	1492	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe	pevey.exe
PID 1492 wrote to memory of 2980	1492	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe	cmd.exe
PID 1492 wrote to memory of 2980	1492	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe	cmd.exe
PID 1492 wrote to memory of 2980	1492	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe	cmd.exe
PID 1492 wrote to memory of 2980	1492	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe	cmd.exe
PID 1244 wrote to memory of 344	1244	pevey.exe	ytsae.exe
PID 1244 wrote to memory of 344	1244	pevey.exe	ytsae.exe
PID 1244 wrote to memory of 344	1244	pevey.exe	ytsae.exe
PID 1244 wrote to memory of 344	1244	pevey.exe	ytsae.exe

C:\Users\Admin\AppData\Local\Temp\3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe
"C:\Users\Admin\AppData\Local\Temp\3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\pevey.exe
  "C:\Users\Admin\AppData\Local\Temp\pevey.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\ytsae.exe
    "C:\Users\Admin\AppData\Local\Temp\ytsae.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c2b12902d988ed6ceafbefd0ffbb066b

SHA1
8de7cfb53670e2259c2855d2f3d8bb5cc6bd1d32

SHA256
d01a51ffb5cb09868bb37d5e78852015757de96ea56a2ef4bbb1d6a6d09a937d

SHA512
d0e9f35cde6e50bd64a981feabbdb67b2ff229faf25f2ac04f9cf6351afa9cf559788d0a750f3d5fee847c74333f49a6e0cda89e6214b373580bca64d486a12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5af6356b90b83ee6aa488afa53dd4673

SHA1
bcad63c672fba0e965e6201694f2058859b0adfe

SHA256
bf3681a82fc4945800d9963ff7a866ca2728eaadec750906bc4ff9ba6c5eb8a4

SHA512
411137065c1093386a6b2b786029bf7c0c9c7fcb7d8f5a40e370f7094021fc0ac2984ddd2f71c7f7d6102ade4dbd698c616f779f12c9ad3d38791ffa71f5a2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pevey.exe

Filesize
516KB

MD5
e2290e22203130932304688c3e94f15f

SHA1
a64017c57d9544e85561a87d1fe45a6c469d0bbd

SHA256
429b9b0991c929af116bf8cc883ee64ed1adc6230023c3ffd3e8f58ccb837387

SHA512
609e5d5109fbf3027e4fa6e70c23496f0cc302fdfda8e82399cc880cf174625e0b4475dd217d0bc6e6cd5b53c7402f3604743bab39269388a3976e78a32c8383

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytsae.exe

Filesize
179KB

MD5
58cd3dd8a15dc8cc796eb098b6d1d4d7

SHA1
0b02aeccd1cbc20c0247a7c6a868636d5d80f201

SHA256
85969942ae6e3e973f08a42ec8b9e3234d97b5ec7a29f93a8ca23788dfc3d7f8

SHA512
03ec872e94d753b4dedf79a245a62c25af14bb37f6c979a04a73f1a4de552863589d5c85a600132bedc13013c2964f0e89adc9ab461a9f48a73271238fd1e0a6

Download Submit
\Users\Admin\AppData\Local\Temp\pevey.exe

Filesize
516KB

MD5
0f5f49b63b53624378815030fd5fda67

SHA1
0d12a84da8e6d0d4b12a209f59d5c154552960f0

SHA256
a6c7d15b08b9f13cabba85d13ece08fb2b30c84007cd976b15d54ead5ab1d9bc

SHA512
dc6e5592455f217a449e6d7f2fc681df51568eeeed71b0575961e70cca79d62e615b4d3d4e0837000bcdf5284f4347da8f14e79dae01ee7377646ba0f3275990

Download Submit
memory/344-32-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/344-29-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/344-31-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/344-33-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/344-34-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/344-35-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1244-28-0x00000000011F0000-0x0000000001229000-memory.dmp

Filesize
228KB

Download
memory/1244-10-0x00000000011F0000-0x0000000001229000-memory.dmp

Filesize
228KB

Download
memory/1492-18-0x0000000000BB0000-0x0000000000BE9000-memory.dmp

Filesize
228KB

Download
memory/1492-6-0x0000000000500000-0x0000000000539000-memory.dmp

Filesize
228KB

Download
memory/1492-0-0x0000000000BB0000-0x0000000000BE9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing