urelas | f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81a

General

Target

f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe
Size

330KB
MD5

f1e1cde1b78c3011c4d37b778f8f28e0
SHA1

1fe7cf690f5b87e656dc61d2e0855347bf511063
SHA256

f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81a
SHA512

31bca1575ae095daf1fcd97dc007c839224addbc90c72435dec7557edbfa98027c2785d7fda7874fe7635c670775a2b0f8eadaed30f4ba66d9044476aba71e9a
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYw:vHW138/iXWlK885rKlGSekcj66ci1

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1032	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

ymxow.exevylyd.exe

pid	Process
2392	ymxow.exe
1788	vylyd.exe

Loads dropped DLL 2 IoCs

Processes:

f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exeymxow.exe

pid	Process
2128	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe
2392	ymxow.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.execmd.exeymxow.exevylyd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ymxow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vylyd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

vylyd.exe

pid	Process
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe
1788	vylyd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exeymxow.exe

description	pid	Process	procid_target
PID 2128 wrote to memory of 2392	2128	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	30
PID 2128 wrote to memory of 2392	2128	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	30
PID 2128 wrote to memory of 2392	2128	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	30
PID 2128 wrote to memory of 2392	2128	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	30
PID 2128 wrote to memory of 1032	2128	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	31
PID 2128 wrote to memory of 1032	2128	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	31
PID 2128 wrote to memory of 1032	2128	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	31
PID 2128 wrote to memory of 1032	2128	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	31
PID 2392 wrote to memory of 1788	2392	ymxow.exe	34
PID 2392 wrote to memory of 1788	2392	ymxow.exe	34
PID 2392 wrote to memory of 1788	2392	ymxow.exe	34
PID 2392 wrote to memory of 1788	2392	ymxow.exe	34

C:\Users\Admin\AppData\Local\Temp\f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe
"C:\Users\Admin\AppData\Local\Temp\f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\ymxow.exe
  "C:\Users\Admin\AppData\Local\Temp\ymxow.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\vylyd.exe
    "C:\Users\Admin\AppData\Local\Temp\vylyd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
3a85ad7e26b9ba614e2c31d19781c991

SHA1
3145733944a8aa72b818f8878b734efa4f3b1a3b

SHA256
785cbb203160b3f082d3b9f1d74a4463dd759228247c63b98f466aab26c7ce16

SHA512
39e6f1b31d76356cd04938b7c27bbb487aecad37a51dc05b047d4245ee479bf0bcacb5cd74152e2d30bfc97019f8de7a5084e8b210d6e620c55f5afdf2046ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
80962832169179d99e3b7796e48b8dcf

SHA1
f33abedeec146baa4e435008d9415ee38aec01eb

SHA256
7174c44489f2a8f0e3c2f63bca5d0efb097fba2275037af10000fe7b49b2e86b

SHA512
a225349cd7c5802de94928b9e8d8de97c7e4f2c4b3c1bbc362ef4b4493d05211cd2f0d9ec075f43aeeba2c0b02635375328fd309c6acf97de6eb1c2bf35eaf3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymxow.exe

Filesize
330KB

MD5
89413df570dec211ed073c1c9d734473

SHA1
89486a4a4b5fb04c7985a55414dbf20dd5d3adca

SHA256
a00ce4d0ffc546182af0c8bac1cf9c87e9a6903d360ea71ad4b3fddf7971fefe

SHA512
cac942fac4af37541590d8a750de42a12b3828aeb43a19b6b28b843946af7b70f96836d270cbdd9f4ca7b3ecbbdbc3cce7c85c2a541a8521da2a9eed36b320b2

Download Submit
\Users\Admin\AppData\Local\Temp\vylyd.exe

Filesize
172KB

MD5
af086fefeec26238f2b09e84c67f0b15

SHA1
a702e07e81c7c4ac2d04a9264519b46e9ee7c0ae

SHA256
4f8e039c244ed444da4d644331beee89618d10093a21a17fa5b8cd830b8ab548

SHA512
24def258293cb532916098ddf0966f14adb8f16fb020155d3f6c508df935a74920b0f8ddd5cb9b4cff5652056f1667c9c35b22a326f3004c5f01e9697a334fb5

Download Submit
memory/1788-43-0x0000000000F90000-0x0000000001029000-memory.dmp

Filesize
612KB

Download
memory/1788-49-0x0000000000F90000-0x0000000001029000-memory.dmp

Filesize
612KB

Download
memory/1788-48-0x0000000000F90000-0x0000000001029000-memory.dmp

Filesize
612KB

Download
memory/1788-46-0x0000000000F90000-0x0000000001029000-memory.dmp

Filesize
612KB

Download
memory/2128-0-0x0000000000CE0000-0x0000000000D61000-memory.dmp

Filesize
516KB

Download
memory/2128-17-0x00000000024B0000-0x0000000002531000-memory.dmp

Filesize
516KB

Download
memory/2128-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2128-21-0x0000000000CE0000-0x0000000000D61000-memory.dmp

Filesize
516KB

Download
memory/2392-24-0x0000000001270000-0x00000000012F1000-memory.dmp

Filesize
516KB

Download
memory/2392-37-0x00000000011A0000-0x0000000001239000-memory.dmp

Filesize
612KB

Download
memory/2392-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2392-42-0x0000000001270000-0x00000000012F1000-memory.dmp

Filesize
516KB

Download
memory/2392-19-0x0000000001270000-0x00000000012F1000-memory.dmp

Filesize
516KB

Download
memory/2392-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads