urelas | a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456

General

Target

a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe
Size

305KB
MD5

e5e61363612d412f21409f38dc16f265
SHA1

c92a039870d46e84f1c14073d2ed7ea166e057e5
SHA256

a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456
SHA512

6f74987f022bcb22e88dedf58ad84548c02b801f140854d9a4c8b6ac9047519124c0c8bace2580789ef37913bfa9607c240d2e5cbb6a620a1e67ce6238c27d98
SSDEEP

6144:yty5fbpxDuMcHYwt1gxloqtaE5iWbUMqfn8EijRUNafrHBw:ytCLD7+51gxeq3gOU9EEQrhw

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1656	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

ylmaz.exeynoxpi.exeymhum.exe

pid	Process
2024	ylmaz.exe
2192	ynoxpi.exe
2000	ymhum.exe

Loads dropped DLL 5 IoCs

Processes:

a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exeylmaz.exeynoxpi.exe

pid	Process
2532	a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe
2532	a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe
2024	ylmaz.exe
2024	ylmaz.exe
2192	ynoxpi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ymhum.exea1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exeylmaz.exeynoxpi.execmd.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ymhum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ylmaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ynoxpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

ymhum.exe

pid	Process
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe
2000	ymhum.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exeylmaz.exeynoxpi.exe

description	pid	Process	procid_target
PID 2532 wrote to memory of 2024	2532	a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe	30
PID 2532 wrote to memory of 2024	2532	a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe	30
PID 2532 wrote to memory of 2024	2532	a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe	30
PID 2532 wrote to memory of 2024	2532	a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe	30
PID 2532 wrote to memory of 1656	2532	a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe	31
PID 2532 wrote to memory of 1656	2532	a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe	31
PID 2532 wrote to memory of 1656	2532	a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe	31
PID 2532 wrote to memory of 1656	2532	a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe	31
PID 2024 wrote to memory of 2192	2024	ylmaz.exe	33
PID 2024 wrote to memory of 2192	2024	ylmaz.exe	33
PID 2024 wrote to memory of 2192	2024	ylmaz.exe	33
PID 2024 wrote to memory of 2192	2024	ylmaz.exe	33
PID 2192 wrote to memory of 2000	2192	ynoxpi.exe	35
PID 2192 wrote to memory of 2000	2192	ynoxpi.exe	35
PID 2192 wrote to memory of 2000	2192	ynoxpi.exe	35
PID 2192 wrote to memory of 2000	2192	ynoxpi.exe	35
PID 2192 wrote to memory of 2956	2192	ynoxpi.exe	36
PID 2192 wrote to memory of 2956	2192	ynoxpi.exe	36
PID 2192 wrote to memory of 2956	2192	ynoxpi.exe	36
PID 2192 wrote to memory of 2956	2192	ynoxpi.exe	36

C:\Users\Admin\AppData\Local\Temp\a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe
"C:\Users\Admin\AppData\Local\Temp\a1ebe971e27beb336552eaa75f6d8a89d311a13efecc9d0d63e5299941054456.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\ylmaz.exe
  "C:\Users\Admin\AppData\Local\Temp\ylmaz.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\ynoxpi.exe
    "C:\Users\Admin\AppData\Local\Temp\ynoxpi.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\ymhum.exe
      "C:\Users\Admin\AppData\Local\Temp\ymhum.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
b37f4fc044ae0c7895eef35ca18a209a

SHA1
ddff4f89ca3ee9b3d2bfc87b43df12e786e552ff

SHA256
e753f9f3cc95fcb7a21700c96092742239b292f3bf4b8834a5cc4b22c8d7e602

SHA512
f1449bb47e3f3ce82ca721a1c5d87e34178d535a98398264e48b49056e753944dcfa79c9d976dfcfc310a1bef326a5d841460757704e3ee76b218ada6816f1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9e83b8b52ac1cd5a1f2482d044da33d1

SHA1
51f91de88140f3c0e7a97290297df8783178f09b

SHA256
0d54ab29593668c6e80d376a94effb0881fb6aa7fa15981f0c8762873dbfd228

SHA512
c6acb40778f92ed97a23f18f532ea647b40fe1bf1e002c4ad163776f90681904ac6ae51d3a5d03fcf2b349f30d3d75bd025682cccb1e9e17eecd8da646236914

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
caff619c4c8e41dda68883eda534b743

SHA1
f496e868f5659fe4c6a90cd320715ac489ce1e16

SHA256
356eb82a784ebd5db6aaac08145b651fd56dbe7d750f7f6432faf4a2d8075dfa

SHA512
c832b1315fb1eaf5cbdba7a703ebd0c464f58a5bad3bcb76a6e7304bb8d55a6176aa6b10b4f8c3b95cee8d9e54daba8e9708e8ba05436d35390732b3d5cd6eb7

Download Submit
\Users\Admin\AppData\Local\Temp\ylmaz.exe

Filesize
306KB

MD5
bfda8fe26e3dbe92e7729adb2732075c

SHA1
765928177db29f2a674f075faeef093a0736d91c

SHA256
07ddeb8593aa72892668bc43deefe4ac437b313fbadb9186b747bde6d90c69fd

SHA512
d58c7025eda41b6ca2659141ca72dfe6b655bd383487a0a14b0eeec0225c28650f866233219d14f15eba54795f4c6db5f34dd824acc119e0d63fa69c4f963b45

Download Submit
\Users\Admin\AppData\Local\Temp\ymhum.exe

Filesize
223KB

MD5
6b89df469fda689973ac92c161785fab

SHA1
dd63661ee789a4640dc219fe299fe79334ed1761

SHA256
98447350dafdb479036f34b3414a865a06c87f711bad2f139bae7396add61a15

SHA512
0b0788e8e9d9679a2599ef96ce20e1906bff504f9003155a9a5dec89eff8569fa9be98fea65ef2eacb611add7f7c67a4cbac17dc7be3ed79c46cf54662ac84fa

Download Submit
\Users\Admin\AppData\Local\Temp\ynoxpi.exe

Filesize
306KB

MD5
343bbc902d894d1ab2cad874d5f0d1f1

SHA1
586f2318d222c5791dcc40d48d676e89278f403b

SHA256
4d511d0dcd7be83e3eb35628a0ee1af4cb83c368ced784d93b62aed5667b9a09

SHA512
07fac5b0d2e816560bd04f01c633a923a50ccb5381f3f4b605fe93582e3522a093149bb194ecf6f716c4e2dcb355965715125ae589ae594973df1bc02733f9fc

Download Submit
memory/2000-66-0x0000000000170000-0x0000000000210000-memory.dmp

Filesize
640KB

Download
memory/2000-65-0x0000000000170000-0x0000000000210000-memory.dmp

Filesize
640KB

Download
memory/2024-35-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2024-32-0x0000000002190000-0x00000000021F7000-memory.dmp

Filesize
412KB

Download
memory/2192-37-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2192-50-0x0000000003AF0000-0x0000000003B90000-memory.dmp

Filesize
640KB

Download
memory/2192-61-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2532-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2532-22-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2532-11-0x0000000002E70000-0x0000000002ED7000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads