urelas | b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490

General

Target

b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe
Size

6.5MB
MD5

80ce7f98edfdd8fe48863438b86eddbc
SHA1

3ac14ddab6abb60e46cb537eba13c441032009ae
SHA256

b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490
SHA512

da5a971230c05a263a245c6c9ff941bbf6f3a112f3a221d97ce4be04bdb9c37b2801abef0fee7bc0d5de0c6e33ed3b57a7cd8b60cc8b29da12210bbf7e20d1b1
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSX:i0LrA2kHKQHNk3og9unipQyOaOX

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dibof.exe	UPX
behavioral1/memory/1912-171-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral1/memory/1912-177-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2508 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

nyelm.exenyujki.exedibof.exe

pid process

2752 nyelm.exe
2804 nyujki.exe
1912 dibof.exe

pid	process
2508	cmd.exe

pid	process
2752	nyelm.exe
2804	nyujki.exe
1912	dibof.exe

Loads dropped DLL 5 IoCs

Processes:

b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exenyelm.exenyujki.exe

pid	process
1732	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe
1732	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe
2752	nyelm.exe
2752	nyelm.exe
2804	nyujki.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dibof.exe	upx
behavioral1/memory/1912-171-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1912-177-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exenyelm.exenyujki.exedibof.exe

pid	process
1732	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe
2752	nyelm.exe
2804	nyujki.exe
1912	dibof.exe
1912	dibof.exe
1912	dibof.exe
1912	dibof.exe
1912	dibof.exe
1912	dibof.exe
1912	dibof.exe
1912	dibof.exe
1912	dibof.exe
1912	dibof.exe
1912	dibof.exe
1912	dibof.exe
1912	dibof.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exenyelm.exenyujki.exe

description	pid	process	target process
PID 1732 wrote to memory of 2752	1732	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe	nyelm.exe
PID 1732 wrote to memory of 2752	1732	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe	nyelm.exe
PID 1732 wrote to memory of 2752	1732	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe	nyelm.exe
PID 1732 wrote to memory of 2752	1732	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe	nyelm.exe
PID 1732 wrote to memory of 2508	1732	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe	cmd.exe
PID 1732 wrote to memory of 2508	1732	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe	cmd.exe
PID 1732 wrote to memory of 2508	1732	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe	cmd.exe
PID 1732 wrote to memory of 2508	1732	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe	cmd.exe
PID 2752 wrote to memory of 2804	2752	nyelm.exe	nyujki.exe
PID 2752 wrote to memory of 2804	2752	nyelm.exe	nyujki.exe
PID 2752 wrote to memory of 2804	2752	nyelm.exe	nyujki.exe
PID 2752 wrote to memory of 2804	2752	nyelm.exe	nyujki.exe
PID 2804 wrote to memory of 1912	2804	nyujki.exe	dibof.exe
PID 2804 wrote to memory of 1912	2804	nyujki.exe	dibof.exe
PID 2804 wrote to memory of 1912	2804	nyujki.exe	dibof.exe
PID 2804 wrote to memory of 1912	2804	nyujki.exe	dibof.exe
PID 2804 wrote to memory of 2124	2804	nyujki.exe	cmd.exe
PID 2804 wrote to memory of 2124	2804	nyujki.exe	cmd.exe
PID 2804 wrote to memory of 2124	2804	nyujki.exe	cmd.exe
PID 2804 wrote to memory of 2124	2804	nyujki.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe
"C:\Users\Admin\AppData\Local\Temp\b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\nyelm.exe
  "C:\Users\Admin\AppData\Local\Temp\nyelm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\nyujki.exe
    "C:\Users\Admin\AppData\Local\Temp\nyujki.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\dibof.exe
      "C:\Users\Admin\AppData\Local\Temp\dibof.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
360734db3705bb58d3123da35de078a4

SHA1
2ccbaa08f438f8229d8aed0e37b5a299087e9161

SHA256
5cf2a660347a9d754cf17dfe3c2f5460751a63ec020111daa50a6e4172177bec

SHA512
1404e9688ff6ba9176422d0cd5c68caaaed5f1e6f746cccbc80a13abaecf0d3dc421f7eeed7a1516a86b9af16f691140462dfbfcb67b59fb5cf5e3f2b3e76d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
047258f69b43a63ed080fab58ccc3870

SHA1
5f977c66a3c9c4ba4eb7fd64a328e3fb276021c3

SHA256
e4247ed07ae9d58a17b8a358208d99b84de0f42a9a6627a7d2a025eabdb5ed25

SHA512
eba77558ca6a4421d2adc948186831e4ffba740cf85b95bcf41f560891e8da610c7adcbd166dcb8714d4444ec407b0204884db63b52d0f647093876b41240980

Download Submit
C:\Users\Admin\AppData\Local\Temp\dibof.exe

Filesize
459KB

MD5
817c05e6e46829800b2978eac239a99b

SHA1
a784aca8cdbf120823894ad27965510aa447a9a6

SHA256
75125adbdd91dcc4f5c66948c630b9259d3fb973e94003d621492171f75f334d

SHA512
ea246d555e4958c499345c991d30ae8f55129241580c23c6923f58e7e6b978e35cdbb30a493b6e6e11413200dd9bd7282ee2859594d1a866b69a06b4621dcdae

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8188719eb5d5786f64e96d733ab53ffb

SHA1
0bad125cc2d188e3cb29fe39315437cf9ba8ebe2

SHA256
c87ef44d0bb5042afdae5dc2a35f2ef045a6f1d288d04cb1362e5d510f79f8a9

SHA512
796c066752bc2acd81d2d836a08a762f860aca4ba026071d4fb0aed20d93bae9a343b1cb96ac1c274a78b55806ac72c2407aaa1aabb2a87a4dc8f94e3a744b23

Download Submit
\Users\Admin\AppData\Local\Temp\nyelm.exe

Filesize
6.5MB

MD5
e06ff5c75f64153ab5ad22cbf4b0784e

SHA1
d68b0d38c3f688f5df986301af0d8e8d93fb9253

SHA256
015c42518747d989be3ee9b3a8625560a2702440ff84753800f66360476920bb

SHA512
6d47f7241d06c3e6dd6f553109df1d8843dfec22b698fc4d4f3c828962eeda7da0940e06c990f2c21206df27b8ba4e257b9b501370a9b5ee8fb2289959c2b1c4

Download Submit
memory/1732-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1732-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1732-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1732-39-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1732-35-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1732-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1732-33-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1732-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1732-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1732-28-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1732-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1732-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1732-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1732-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1732-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1732-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1732-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1732-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1732-53-0x0000000004210000-0x0000000004CFC000-memory.dmp

Filesize
10.9MB

Download
memory/1732-60-0x0000000004210000-0x0000000004CFC000-memory.dmp

Filesize
10.9MB

Download
memory/1732-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1732-64-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1732-63-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1732-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1732-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1732-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1912-171-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1912-177-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2752-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2752-116-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2752-106-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2752-104-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2804-117-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2804-172-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2804-170-0x0000000004890000-0x0000000004A29000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads