urelas | 2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd

General

Target

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
Size

453KB
MD5

92dbb63475ed85b64c332c1b5a4388b4
SHA1

27aff6f89f1b33c93104cc735e4fc33c5ef5f780
SHA256

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd
SHA512

69f01ad4f2754f05be3375e93e0c97eebdb24778ec225e2473456095e9fb41f6b778a454866e7573f28160b4237aeda27eda56f367a3d678634792e70aa71ada
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFB:CMpASIcWYx2U6hAJQni

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2840 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

wisea.exeypdome.exezohyp.exe

pid process

2832 wisea.exe
2676 ypdome.exe
2780 zohyp.exe
Loads dropped DLL 3 IoCs

Processes:

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exewisea.exeypdome.exe

pid process

2664 2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
2832 wisea.exe
2676 ypdome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2840	cmd.exe

pid	process
2832	wisea.exe
2676	ypdome.exe
2780	zohyp.exe

pid	process
2664	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
2832	wisea.exe
2676	ypdome.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exewisea.execmd.exeypdome.exezohyp.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wisea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypdome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zohyp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

zohyp.exe

pid	process
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe
2780	zohyp.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exewisea.exeypdome.exe

description	pid	process	target process
PID 2664 wrote to memory of 2832	2664	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	wisea.exe
PID 2664 wrote to memory of 2832	2664	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	wisea.exe
PID 2664 wrote to memory of 2832	2664	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	wisea.exe
PID 2664 wrote to memory of 2832	2664	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	wisea.exe
PID 2664 wrote to memory of 2840	2664	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	cmd.exe
PID 2664 wrote to memory of 2840	2664	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	cmd.exe
PID 2664 wrote to memory of 2840	2664	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	cmd.exe
PID 2664 wrote to memory of 2840	2664	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	cmd.exe
PID 2832 wrote to memory of 2676	2832	wisea.exe	ypdome.exe
PID 2832 wrote to memory of 2676	2832	wisea.exe	ypdome.exe
PID 2832 wrote to memory of 2676	2832	wisea.exe	ypdome.exe
PID 2832 wrote to memory of 2676	2832	wisea.exe	ypdome.exe
PID 2676 wrote to memory of 2780	2676	ypdome.exe	zohyp.exe
PID 2676 wrote to memory of 2780	2676	ypdome.exe	zohyp.exe
PID 2676 wrote to memory of 2780	2676	ypdome.exe	zohyp.exe
PID 2676 wrote to memory of 2780	2676	ypdome.exe	zohyp.exe
PID 2676 wrote to memory of 328	2676	ypdome.exe	cmd.exe
PID 2676 wrote to memory of 328	2676	ypdome.exe	cmd.exe
PID 2676 wrote to memory of 328	2676	ypdome.exe	cmd.exe
PID 2676 wrote to memory of 328	2676	ypdome.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
"C:\Users\Admin\AppData\Local\Temp\2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\wisea.exe
  "C:\Users\Admin\AppData\Local\Temp\wisea.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\ypdome.exe
    "C:\Users\Admin\AppData\Local\Temp\ypdome.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\zohyp.exe
      "C:\Users\Admin\AppData\Local\Temp\zohyp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
a52b5a348d9d3bbd9b35603d466ff6ba

SHA1
ebf33971d24a6bc26ae8b06fa9cd7dde8e6b6697

SHA256
7109f01251179a27c5285e202f6712b548446c166abe2f122d7e60a15a4d9944

SHA512
d9b99c103437527efefa8c6636bb6e100d01314b5dfd99e85503632343f3f234f643571410bb312ddfb1f3e2dfe063237e13bb220b640ba94c616e3ee4818513

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
670d649e11b8dcbbb31964b74496fef2

SHA1
62eda9706fdb015fc4405319aad9de4223fae76c

SHA256
271f8193b1e6591fae213aeaa54f1417eb4ee5bd7577c440aaf6c91d764efd97

SHA512
02fcaa892541c178ec2576cca9519086931e9384a40ad9670989600e1ce350be282f792520ccda530f795c90f54689425de37852bb9b38e22268b3de788aead9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
30f527a75433eaf477b347724edd8a36

SHA1
f42f9f477d316d80bb36565093a870e67a945d63

SHA256
e202e3233d63fb89947adbe13907d607250533eeeef353b77fcce44195da541a

SHA512
bd90491f378b31b4ce27056298ab57763734bba8d52907483e84e96b5d28559f3bef25fe2b62f5a4a046418d1345196892025f34425f78023e0474d426f22656

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypdome.exe

Filesize
453KB

MD5
7d0660bffbe325bd99b2c03e296db174

SHA1
431bd17e87de45f101f02d7dcb60a65b73845e1f

SHA256
d0bcdca694c46fd3bcc861defbd68ac70274d35594ed687a25032eac89fe62ab

SHA512
6ab4c5fc0d90ae402b8f3b852330506339893153bc361f8514aeba0a54857f0b27afc0d50ec3b53e96d09eb82cccbb3fd3311486e2e898ed60e5231e48cf272b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zohyp.exe

Filesize
223KB

MD5
b1de4e26f1be06268ad9c285571eeeed

SHA1
41bd445c98897ac71fdcbc938ecc6cc9ea115485

SHA256
33737191f1b28cc23e47d3488c505e233fcf3eaf637222deb27509acb2a92d49

SHA512
52c127f5153df23ec0675c39b604834a9f4475ef1fd4313b827df2be6eadf8d0c7072404bd190d053b34d5d9dd93b01004ddae81566e964134e9543cac60e554

Download Submit
\Users\Admin\AppData\Local\Temp\wisea.exe

Filesize
453KB

MD5
f0d99a5203e2a7b553321bb76dfd7613

SHA1
f7dabb3bbe16a61567ab4ee4897bd1aa69a110d0

SHA256
cdc02bdb4fbe128231b9a6ae4f3e96bce2708a3d0ad489183c444c009bdc6f27

SHA512
8009a25b6ab972cd0cdf9099a6f665198dd93d89591eca6709929f9b9d3c2247b7ac3e50d795862a7eeaa88cde0e19e618c23df4c14d04077a6fb5e207dfec9f

Download Submit
memory/2664-1-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2664-18-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2664-14-0x0000000001D90000-0x0000000001DFE000-memory.dmp

Filesize
440KB

Download
memory/2676-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2676-44-0x00000000031E0000-0x0000000003280000-memory.dmp

Filesize
640KB

Download
memory/2676-45-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2780-47-0x00000000009F0000-0x0000000000A90000-memory.dmp

Filesize
640KB

Download
memory/2780-51-0x00000000009F0000-0x0000000000A90000-memory.dmp

Filesize
640KB

Download
memory/2780-52-0x00000000009F0000-0x0000000000A90000-memory.dmp

Filesize
640KB

Download
memory/2780-53-0x00000000009F0000-0x0000000000A90000-memory.dmp

Filesize
640KB

Download
memory/2780-54-0x00000000009F0000-0x0000000000A90000-memory.dmp

Filesize
640KB

Download
memory/2780-55-0x00000000009F0000-0x0000000000A90000-memory.dmp

Filesize
640KB

Download
memory/2832-27-0x0000000003800000-0x000000000386E000-memory.dmp

Filesize
440KB

Download
memory/2832-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2832-20-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads