urelas | b4023aa399dd4f730da4f450b76e18f828aaf8d3c278bed74324907fad536335

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
09/10/2023, 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe
Size

334KB
MD5

e03641b70bd4717d8b523aaefedf73bb
SHA1

ca8776736a7bd77b6d8fc84dcde0b9c8ff1debda
SHA256

b4023aa399dd4f730da4f450b76e18f828aaf8d3c278bed74324907fad536335
SHA512

3f97f92b9025458560c9f95f141a5218633df95bfd601102c14814a19f17c12156a5072f670f2a950f53cb52fd6b7e5828568eb4f56e70d04886156ea43258c2
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisT:Nd7rpL43btmQ58Z27zw39gY2FeZh7

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000300000000b23b-54.dat	aspack_v212_v242
behavioral1/files/0x000300000000b23b-41.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3036	ybkyf.exe
2608	korury.exe
2488	femis.exe

Loads dropped DLL 5 IoCs

pid	Process
2112	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe
2112	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe
3036	ybkyf.exe
3036	ybkyf.exe
2608	korury.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe
2488	femis.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3036	2112	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe	28
PID 2112 wrote to memory of 3036	2112	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe	28
PID 2112 wrote to memory of 3036	2112	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe	28
PID 2112 wrote to memory of 3036	2112	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe	28
PID 2112 wrote to memory of 2740	2112	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe	29
PID 2112 wrote to memory of 2740	2112	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe	29
PID 2112 wrote to memory of 2740	2112	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe	29
PID 2112 wrote to memory of 2740	2112	NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe	29
PID 3036 wrote to memory of 2608	3036	ybkyf.exe	31
PID 3036 wrote to memory of 2608	3036	ybkyf.exe	31
PID 3036 wrote to memory of 2608	3036	ybkyf.exe	31
PID 3036 wrote to memory of 2608	3036	ybkyf.exe	31
PID 2608 wrote to memory of 2488	2608	korury.exe	34
PID 2608 wrote to memory of 2488	2608	korury.exe	34
PID 2608 wrote to memory of 2488	2608	korury.exe	34
PID 2608 wrote to memory of 2488	2608	korury.exe	34
PID 2608 wrote to memory of 2840	2608	korury.exe	35
PID 2608 wrote to memory of 2840	2608	korury.exe	35
PID 2608 wrote to memory of 2840	2608	korury.exe	35
PID 2608 wrote to memory of 2840	2608	korury.exe	35

C:\Users\Admin\AppData\Local\Temp\NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e03641b70bd4717d8b523aaefedf73bb_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\ybkyf.exe
  "C:\Users\Admin\AppData\Local\Temp\ybkyf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\korury.exe
    "C:\Users\Admin\AppData\Local\Temp\korury.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\femis.exe
      "C:\Users\Admin\AppData\Local\Temp\femis.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
44aa4b758d48421e898232e04c6cdcfa

SHA1
26b31dafe725cd4b9e0183a8dc24cfa0baf35014

SHA256
46ebcf649ac77ec09a8a4a6e1d7dd3ebdfbc6e037e076cfeedcbc7a47502a039

SHA512
73850be20c227207048b3973c4c6f7e4442d18354d0e742b229862b6fbfc7681ecc6907bc7b6f009d19d1e864b5c3db74544b46372c4f7de736993e79d0f6dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
44aa4b758d48421e898232e04c6cdcfa

SHA1
26b31dafe725cd4b9e0183a8dc24cfa0baf35014

SHA256
46ebcf649ac77ec09a8a4a6e1d7dd3ebdfbc6e037e076cfeedcbc7a47502a039

SHA512
73850be20c227207048b3973c4c6f7e4442d18354d0e742b229862b6fbfc7681ecc6907bc7b6f009d19d1e864b5c3db74544b46372c4f7de736993e79d0f6dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
e42d7e55f55cb62bbc10b566b5d07e05

SHA1
ac3897a25e3dcc6ca96a9b707c3bbfb78dcf4570

SHA256
eb864b634b26ccb4ad04df845daaaf9c4d5c55f4d264943b6bab902bf9455f13

SHA512
6b461a2471daead51b1d487611343bb293c744856c84bbb9fd59e557b4e86f25d0ecf3fc1b65715415c0f3d1b346951a75de357474fbdf3fc0a24d2a83f10ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
e42d7e55f55cb62bbc10b566b5d07e05

SHA1
ac3897a25e3dcc6ca96a9b707c3bbfb78dcf4570

SHA256
eb864b634b26ccb4ad04df845daaaf9c4d5c55f4d264943b6bab902bf9455f13

SHA512
6b461a2471daead51b1d487611343bb293c744856c84bbb9fd59e557b4e86f25d0ecf3fc1b65715415c0f3d1b346951a75de357474fbdf3fc0a24d2a83f10ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\femis.exe

Filesize
136KB

MD5
e7d55aec7af38e953aa2237f71e3b396

SHA1
00655df03e894f1fc8e334260b1eab59b7e57254

SHA256
2903c65159e5d888b490ca3db8a66ac879c4fa327ff1150ddb96f5ffe58d8015

SHA512
86fa56ce02fb4795e8e6cd7f55bfdeae7956f283a9e62ce619da67261ca870a4a5b977c251065ce51a8146e08f3593e3784b373348c4c51bd63267628ec89fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cee787d56271c3967f39240ff467e2b4

SHA1
e1a09128ce715a5420f487cdfdade2efaf75ec91

SHA256
cd3162ecd10121412099244fcfa8f7578516fb6dbc025ec118b7607f7c485582

SHA512
99860f4ddf2d6b845db47b0102bc143ea42c3c51dcf6b55fdc246d724e0b499545c277fa7d6ae73c8e9d3fca761c33667a1c85cefe1fd6a3e7b1c6d7a370f64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\korury.exe

Filesize
334KB

MD5
8bfac32e0686befedc8957297b1e637c

SHA1
21aab924cfb028d25aef6603da31468bf1177ecd

SHA256
fe524ab6dad527eaa448ebe9dc396a6579b1a8da0eb498a197a8833662974c37

SHA512
83588e38fd6cb76dead60ffcebe2b06728ec24e726273992782b6ec4a0b7754e55d2310fa848e6fadea4bb38a8ce3ed5e171c91307883c572cdafbdbea55f94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\korury.exe

Filesize
334KB

MD5
8bfac32e0686befedc8957297b1e637c

SHA1
21aab924cfb028d25aef6603da31468bf1177ecd

SHA256
fe524ab6dad527eaa448ebe9dc396a6579b1a8da0eb498a197a8833662974c37

SHA512
83588e38fd6cb76dead60ffcebe2b06728ec24e726273992782b6ec4a0b7754e55d2310fa848e6fadea4bb38a8ce3ed5e171c91307883c572cdafbdbea55f94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybkyf.exe

Filesize
334KB

MD5
8bfac32e0686befedc8957297b1e637c

SHA1
21aab924cfb028d25aef6603da31468bf1177ecd

SHA256
fe524ab6dad527eaa448ebe9dc396a6579b1a8da0eb498a197a8833662974c37

SHA512
83588e38fd6cb76dead60ffcebe2b06728ec24e726273992782b6ec4a0b7754e55d2310fa848e6fadea4bb38a8ce3ed5e171c91307883c572cdafbdbea55f94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybkyf.exe

Filesize
334KB

MD5
8bfac32e0686befedc8957297b1e637c

SHA1
21aab924cfb028d25aef6603da31468bf1177ecd

SHA256
fe524ab6dad527eaa448ebe9dc396a6579b1a8da0eb498a197a8833662974c37

SHA512
83588e38fd6cb76dead60ffcebe2b06728ec24e726273992782b6ec4a0b7754e55d2310fa848e6fadea4bb38a8ce3ed5e171c91307883c572cdafbdbea55f94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybkyf.exe

Filesize
334KB

MD5
8bfac32e0686befedc8957297b1e637c

SHA1
21aab924cfb028d25aef6603da31468bf1177ecd

SHA256
fe524ab6dad527eaa448ebe9dc396a6579b1a8da0eb498a197a8833662974c37

SHA512
83588e38fd6cb76dead60ffcebe2b06728ec24e726273992782b6ec4a0b7754e55d2310fa848e6fadea4bb38a8ce3ed5e171c91307883c572cdafbdbea55f94b

Download Submit
\Users\Admin\AppData\Local\Temp\femis.exe

Filesize
136KB

MD5
e7d55aec7af38e953aa2237f71e3b396

SHA1
00655df03e894f1fc8e334260b1eab59b7e57254

SHA256
2903c65159e5d888b490ca3db8a66ac879c4fa327ff1150ddb96f5ffe58d8015

SHA512
86fa56ce02fb4795e8e6cd7f55bfdeae7956f283a9e62ce619da67261ca870a4a5b977c251065ce51a8146e08f3593e3784b373348c4c51bd63267628ec89fad

Download Submit
\Users\Admin\AppData\Local\Temp\korury.exe

Filesize
334KB

MD5
8bfac32e0686befedc8957297b1e637c

SHA1
21aab924cfb028d25aef6603da31468bf1177ecd

SHA256
fe524ab6dad527eaa448ebe9dc396a6579b1a8da0eb498a197a8833662974c37

SHA512
83588e38fd6cb76dead60ffcebe2b06728ec24e726273992782b6ec4a0b7754e55d2310fa848e6fadea4bb38a8ce3ed5e171c91307883c572cdafbdbea55f94b

Download Submit
\Users\Admin\AppData\Local\Temp\korury.exe

Filesize
334KB

MD5
8bfac32e0686befedc8957297b1e637c

SHA1
21aab924cfb028d25aef6603da31468bf1177ecd

SHA256
fe524ab6dad527eaa448ebe9dc396a6579b1a8da0eb498a197a8833662974c37

SHA512
83588e38fd6cb76dead60ffcebe2b06728ec24e726273992782b6ec4a0b7754e55d2310fa848e6fadea4bb38a8ce3ed5e171c91307883c572cdafbdbea55f94b

Download Submit
\Users\Admin\AppData\Local\Temp\ybkyf.exe

Filesize
334KB

MD5
8bfac32e0686befedc8957297b1e637c

SHA1
21aab924cfb028d25aef6603da31468bf1177ecd

SHA256
fe524ab6dad527eaa448ebe9dc396a6579b1a8da0eb498a197a8833662974c37

SHA512
83588e38fd6cb76dead60ffcebe2b06728ec24e726273992782b6ec4a0b7754e55d2310fa848e6fadea4bb38a8ce3ed5e171c91307883c572cdafbdbea55f94b

Download Submit
\Users\Admin\AppData\Local\Temp\ybkyf.exe

Filesize
334KB

MD5
8bfac32e0686befedc8957297b1e637c

SHA1
21aab924cfb028d25aef6603da31468bf1177ecd

SHA256
fe524ab6dad527eaa448ebe9dc396a6579b1a8da0eb498a197a8833662974c37

SHA512
83588e38fd6cb76dead60ffcebe2b06728ec24e726273992782b6ec4a0b7754e55d2310fa848e6fadea4bb38a8ce3ed5e171c91307883c572cdafbdbea55f94b

Download Submit
memory/2112-13-0x00000000027E0000-0x0000000002838000-memory.dmp

Filesize
352KB

Download
memory/2112-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2112-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2488-58-0x00000000008D0000-0x000000000095C000-memory.dmp

Filesize
560KB

Download
memory/2488-61-0x00000000008D0000-0x000000000095C000-memory.dmp

Filesize
560KB

Download
memory/2488-57-0x00000000008D0000-0x000000000095C000-memory.dmp

Filesize
560KB

Download
memory/2488-66-0x00000000008D0000-0x000000000095C000-memory.dmp

Filesize
560KB

Download
memory/2488-55-0x00000000008D0000-0x000000000095C000-memory.dmp

Filesize
560KB

Download
memory/2488-65-0x00000000008D0000-0x000000000095C000-memory.dmp

Filesize
560KB

Download
memory/2488-64-0x00000000008D0000-0x000000000095C000-memory.dmp

Filesize
560KB

Download
memory/2488-63-0x00000000008D0000-0x000000000095C000-memory.dmp

Filesize
560KB

Download
memory/2488-62-0x00000000008D0000-0x000000000095C000-memory.dmp

Filesize
560KB

Download
memory/2608-45-0x0000000002E60000-0x0000000002EEC000-memory.dmp

Filesize
560KB

Download
memory/2608-53-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2608-35-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2608-37-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3036-32-0x0000000001EE0000-0x0000000001F38000-memory.dmp

Filesize
352KB

Download
memory/3036-33-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3036-15-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download