urelas | 89ed2ff188c84fc98fa5aec6914dc96d5e480bc6a1160050aa89cbbdd822e890

General

Target

3bfb0560881a2192e0e5822998cf9a90N.exe
Size

370KB
MD5

3bfb0560881a2192e0e5822998cf9a90
SHA1

3a06ebd6131a6b7e4005be6621cb3a0abe91e631
SHA256

89ed2ff188c84fc98fa5aec6914dc96d5e480bc6a1160050aa89cbbdd822e890
SHA512

73e9c6f30878277929d2271255b3a808316bd3cac353a402c24eea5be6b9ea023e8faff469dad75b2c44d2ab5116514d5239f97b0d03de916f471caf95e6663d
SSDEEP

6144:CuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62pi/:CzGL2C2aZ2/F1WHHUaveOHjTe/

Score

10^/10

urelas discovery trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1872 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

ryhog.exeqybec.exe

pid process

2024 ryhog.exe
1700 qybec.exe
Loads dropped DLL 3 IoCs

Processes:

3bfb0560881a2192e0e5822998cf9a90N.exeryhog.exe

pid process

2540 3bfb0560881a2192e0e5822998cf9a90N.exe
2024 ryhog.exe
2024 ryhog.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1872	cmd.exe

pid	process
2024	ryhog.exe
1700	qybec.exe

pid	process
2540	3bfb0560881a2192e0e5822998cf9a90N.exe
2024	ryhog.exe
2024	ryhog.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3bfb0560881a2192e0e5822998cf9a90N.exeryhog.execmd.exeqybec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bfb0560881a2192e0e5822998cf9a90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ryhog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qybec.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

qybec.exe

pid	process
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe
1700	qybec.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3bfb0560881a2192e0e5822998cf9a90N.exeryhog.exe

description	pid	process	target process
PID 2540 wrote to memory of 2024	2540	3bfb0560881a2192e0e5822998cf9a90N.exe	ryhog.exe
PID 2540 wrote to memory of 2024	2540	3bfb0560881a2192e0e5822998cf9a90N.exe	ryhog.exe
PID 2540 wrote to memory of 2024	2540	3bfb0560881a2192e0e5822998cf9a90N.exe	ryhog.exe
PID 2540 wrote to memory of 2024	2540	3bfb0560881a2192e0e5822998cf9a90N.exe	ryhog.exe
PID 2540 wrote to memory of 1872	2540	3bfb0560881a2192e0e5822998cf9a90N.exe	cmd.exe
PID 2540 wrote to memory of 1872	2540	3bfb0560881a2192e0e5822998cf9a90N.exe	cmd.exe
PID 2540 wrote to memory of 1872	2540	3bfb0560881a2192e0e5822998cf9a90N.exe	cmd.exe
PID 2540 wrote to memory of 1872	2540	3bfb0560881a2192e0e5822998cf9a90N.exe	cmd.exe
PID 2024 wrote to memory of 1700	2024	ryhog.exe	qybec.exe
PID 2024 wrote to memory of 1700	2024	ryhog.exe	qybec.exe
PID 2024 wrote to memory of 1700	2024	ryhog.exe	qybec.exe
PID 2024 wrote to memory of 1700	2024	ryhog.exe	qybec.exe

C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe
"C:\Users\Admin\AppData\Local\Temp\3bfb0560881a2192e0e5822998cf9a90N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\ryhog.exe
  "C:\Users\Admin\AppData\Local\Temp\ryhog.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\qybec.exe
    "C:\Users\Admin\AppData\Local\Temp\qybec.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
278B

MD5
63dac65e49c3d5c950d92037a21460a1

SHA1
8a344ccefb34634747379346a17af075add97c3f

SHA256
43951d7fb4735c2decbf40ca8656ff7f9917796c771943a0b4d7557157e4f355

SHA512
bc854428d78d962da9c0e11a0be84c4e607f5f5140c9acae30ec8d209e291ae3eedb3a79626d9ab7710223dc0bd1c256e962b09d14b015267467ecfdaa0f8a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
954e14b5370b87b5b94f72b10458537a

SHA1
45c9d3199e80465309475c204bdeab5b906d6ebf

SHA256
e3de093705c0a169cc543524a6a031ab8164033f44382946406b9135e26598ea

SHA512
3d01610c82b2f423004fd884e8c94b8403cbdffd05876bfe74bd292e989a1312de70b299f8861aa9dcf6e9f337e1df6b0a85dec54e5e710e429a018d4960ded8

Download Submit
\Users\Admin\AppData\Local\Temp\qybec.exe

Filesize
303KB

MD5
47d714f76f29cef8f758f76516e5bdf9

SHA1
f62d7d53f57038755990d95be0cb81825573e654

SHA256
a4f5f533fc533173cde4e9dd434d1f444d24abd490d89815a185522a4ff80895

SHA512
4a72317ce1ae4a8ab21ffeb1d71de11b9a6bcb0efa7b648d10ae1c71f346cf36c6c072bf7f1e689ef61660390ae482219e4ddcd3720ff4418f5cedc44260662a

Download Submit
\Users\Admin\AppData\Local\Temp\ryhog.exe

Filesize
370KB

MD5
8d6d60f5c43b6c3de20b729aa018826e

SHA1
53db40b03577e89586541d8e99f4c43997af47af

SHA256
b021ab45e478b4bb21fae0d6b9957c942b760b162717bdbdff0b58a783ccab6f

SHA512
261a345811b2e3759a32ee37f3d43db6e190bd24a34004a1fa542cbe56fb48badf71a3fa178ca8aa888d0cda25de6a8662a120d71cbd67d817c7aef433687796

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads