urelas | 3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a

General

Target

3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe
Size

321KB
MD5

68507d55c249d61d7aac50987cd13b08
SHA1

075e886e5f43dcc2596964041b8ba669ddb73cee
SHA256

3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a
SHA512

872d4dbb24ec163e7d4f6143b18cfb3527e0b8203294907cd672810c227d789dcb0dc2bd6271161c4bc8191b72c6dffbe937864f2f3d000020d3e6f072b4e073
SSDEEP

6144:YRclEhSDYNRIu1dQREqjoEv8i/FuXox3+i+Lj2et3uopGYX:YRcISsNnWEmQox3+i+Ljrt+lYX

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2540 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

ygefc.exeseyshe.exeyjvoz.exe

pid process

2392 ygefc.exe
2712 seyshe.exe
1968 yjvoz.exe
Loads dropped DLL 3 IoCs

Processes:

3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exeygefc.exeseyshe.exe

pid process

1940 3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe
2392 ygefc.exe
2712 seyshe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2540	cmd.exe

pid	process
2392	ygefc.exe
2712	seyshe.exe
1968	yjvoz.exe

pid	process
1940	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe
2392	ygefc.exe
2712	seyshe.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

yjvoz.exe

pid	process
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe
1968	yjvoz.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exeygefc.exeseyshe.exe

description	pid	process	target process
PID 1940 wrote to memory of 2392	1940	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe	ygefc.exe
PID 1940 wrote to memory of 2392	1940	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe	ygefc.exe
PID 1940 wrote to memory of 2392	1940	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe	ygefc.exe
PID 1940 wrote to memory of 2392	1940	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe	ygefc.exe
PID 1940 wrote to memory of 2540	1940	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe	cmd.exe
PID 1940 wrote to memory of 2540	1940	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe	cmd.exe
PID 1940 wrote to memory of 2540	1940	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe	cmd.exe
PID 1940 wrote to memory of 2540	1940	3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe	cmd.exe
PID 2392 wrote to memory of 2712	2392	ygefc.exe	seyshe.exe
PID 2392 wrote to memory of 2712	2392	ygefc.exe	seyshe.exe
PID 2392 wrote to memory of 2712	2392	ygefc.exe	seyshe.exe
PID 2392 wrote to memory of 2712	2392	ygefc.exe	seyshe.exe
PID 2712 wrote to memory of 1968	2712	seyshe.exe	yjvoz.exe
PID 2712 wrote to memory of 1968	2712	seyshe.exe	yjvoz.exe
PID 2712 wrote to memory of 1968	2712	seyshe.exe	yjvoz.exe
PID 2712 wrote to memory of 1968	2712	seyshe.exe	yjvoz.exe
PID 2712 wrote to memory of 1436	2712	seyshe.exe	cmd.exe
PID 2712 wrote to memory of 1436	2712	seyshe.exe	cmd.exe
PID 2712 wrote to memory of 1436	2712	seyshe.exe	cmd.exe
PID 2712 wrote to memory of 1436	2712	seyshe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe
"C:\Users\Admin\AppData\Local\Temp\3a56d3836e57abda02f9364285cb813b77a780198b32dad0220e39aac3873e0a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\ygefc.exe
"C:\Users\Admin\AppData\Local\Temp\ygefc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Local\Temp\seyshe.exe
"C:\Users\Admin\AppData\Local\Temp\seyshe.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\yjvoz.exe
"C:\Users\Admin\AppData\Local\Temp\yjvoz.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
340B

MD5
c9675922a3430b7e556173cff7a897f7

SHA1
dc667d3b12b295d8f83d6b36744641ea4ea8469e

SHA256
4bc7ab11371a9b729a5dbaa3140727b017a1aa2861a291f70c26d310eb83c263

SHA512
feae6b14ac85e38b69fbb908c89d5c46c0d6289ff3f8c6d6b6c7da53a11c3d6a572130060db75ece8fc3325f15133a43551afb047c1034141b9f7e8959a91787

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
cb6f862baabf073eab7783dd54ac73ce

SHA1
e02d1d39cdf8f8b0e1978b137ede7d0ce77ff636

SHA256
8e20c83d3ea79852ed968dfb34ee009ab7e5d672eab092ab36c981a28ae080a1

SHA512
c799bb1229a6e046c9ee90a099f2022ac1fd244042a69936fe3eaa0e13ab308d59f54a5ebfe2b6731fafd5604a211ba3c2270129aac7cafebfe0a28903996302

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
fea07bc3cf30c666d68ccf4b9ee9e60f

SHA1
40ffd220034acb28a9ca4cab4a5724273a054ac5

SHA256
05d1b74e6b8415c39745a38bba033062197595e1665913e10ee3113dbab07ffe

SHA512
33662d3c50ca67d0f79a1f99d8cee80982a1aa7c8340029941191078855ef6d2ce2a94831832fac46b0b91dc3b8e8f87164bfe337f6f763d04efa38f9b0998f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjvoz.exe
Filesize
204KB

MD5
15248c12893594d851bb5672aeb17270

SHA1
ac5223bc87fde1b638611ee80bf84ae4f69f224a

SHA256
4317c3971700664a8506cbf21476b5c33c3a9ec31a71926353598092c0196aae

SHA512
cfc3d11778c41d4d4a6757174f07036c08953327920ef31acef16bc91b158048b270f0e356c211cca883507f8f127a6d5ae57c99afd303d872d148f23c392ace

Download Submit
\Users\Admin\AppData\Local\Temp\ygefc.exe
Filesize
322KB

MD5
2448f857c5a70f4676da2d44176263ed

SHA1
a6ab031bb046a66b275037d05712e5e12f974d01

SHA256
3db6f2a50d3fc71e5f8d01a6cd39abf89d35a9fd33a23f34cac3c1a9b3ea632c

SHA512
02d3f7dcfbd38c1b4f3bdb50dd992b57c9de2ac028ecc1af0d93cf30a1b406f30e2258907462663ecf659b41f10d1c803b02c6cdf6fc6bdaf5d5b7a5ae10df39

Download Submit
memory/1940-3-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1940-2-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1940-18-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1968-67-0x0000000000D00000-0x0000000000D9A000-memory.dmp

Filesize
616KB

Download
memory/1968-64-0x0000000000D00000-0x0000000000D9A000-memory.dmp

Filesize
616KB

Download
memory/1968-65-0x0000000000D00000-0x0000000000D9A000-memory.dmp

Filesize
616KB

Download
memory/1968-63-0x0000000000D00000-0x0000000000D9A000-memory.dmp

Filesize
616KB

Download
memory/1968-66-0x0000000000D00000-0x0000000000D9A000-memory.dmp

Filesize
616KB

Download
memory/1968-60-0x0000000000D00000-0x0000000000D9A000-memory.dmp

Filesize
616KB

Download
memory/2392-31-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2392-27-0x0000000003690000-0x00000000036FF000-memory.dmp

Filesize
444KB

Download
memory/2392-20-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2392-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2712-58-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2712-34-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2712-32-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing