urelas | f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5

General

Target

f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe
Size

324KB
MD5

7c4be427fb9c0b704fc7836a0262b34c
SHA1

6d0aa5c39503a36d9f9e601c2614ace4aa6b169c
SHA256

f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5
SHA512

8b6b78e1c78ac404ce18564d8c7c4b76b16915bce699567e002153201e649772baf8a3cd5e4ba5bf39a920ca778b3cd528ec91dd1c24db049e762664f0bb43d1
SSDEEP

6144:bNEo/rmV71+I8ZD/h/vFfhxxQO4B4tqv+Hq/On1NHwBzQ4bed76a3FoSxP:bNEo/6YnZVB1rkAqcNAzQCed7J1oSx

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2868 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

gybav.exe

pid process

2288 gybav.exe
Loads dropped DLL 1 IoCs

Processes:

f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe

pid process

840 f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe

pid	process
2868	cmd.exe

pid	process
2288	gybav.exe

pid	process
840	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/840-0-0x0000000000400000-0x0000000000489000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\gybav.exe	upx
behavioral1/memory/2288-19-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/840-18-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/2288-22-0x0000000000400000-0x0000000000489000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exegybav.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gybav.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe

description	pid	process	target process
PID 840 wrote to memory of 2288	840	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	gybav.exe
PID 840 wrote to memory of 2288	840	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	gybav.exe
PID 840 wrote to memory of 2288	840	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	gybav.exe
PID 840 wrote to memory of 2288	840	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	gybav.exe
PID 840 wrote to memory of 2868	840	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	cmd.exe
PID 840 wrote to memory of 2868	840	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	cmd.exe
PID 840 wrote to memory of 2868	840	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	cmd.exe
PID 840 wrote to memory of 2868	840	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe
"C:\Users\Admin\AppData\Local\Temp\f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\gybav.exe
  "C:\Users\Admin\AppData\Local\Temp\gybav.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
5c7b95813b0009e4849f172569ed117e

SHA1
10980ae3b2453ee58a5191caf8fb6ff1dac86c68

SHA256
1fc3e49feaca9eb385ee025f60a87d712726ea29956fff47be3c30ce255e8fb6

SHA512
b5be4e6c57234b812c3903ebb551c8aea65c709c23e8e254c7bdb0144b1e54ef525e45d5a361b087cf0621b64654f5ead75d07d60ba4d0b0f2730318a588cb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
10d9ae49e0240205fa8b97113d847f42

SHA1
b7a1e5d7b8703644deb1ca4b2cfaaa2dd311e580

SHA256
163777b39c88cc10b3664e253041cc30292dcb54951739b0e78b21128bd546bf

SHA512
13f627d02ee56e2a503c77615d26e7658a5c047c494e3fb89e54a993c95f35b40819b14d362fbc9a38751f5b871e1357ceb85b3fd769c536e6810f12fe3ee2fc

Download Submit
\Users\Admin\AppData\Local\Temp\gybav.exe

Filesize
324KB

MD5
5b92ba201cef0314ce9b3a551c31a9f2

SHA1
af465b9b78a2ba1232cc4941865efd10646c003d

SHA256
c5bb0c38ba35f32999f2ccf5bd673a2b46e943996f2fbc409625cecce7928c33

SHA512
1407165e950f03043a7cfc8ae7ffaec8c8b5843eda98a8f4ff8c05dcd072d4a4cb9a97350f73d4f5535a2935974f386cd6648b177f81e9bfc3e18fc27dbaa8b5

Download Submit
memory/840-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/840-8-0x0000000002660000-0x00000000026E9000-memory.dmp

Filesize
548KB

Download
memory/840-18-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2288-19-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2288-22-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads