urelas | c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c

General

Target

c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe
Size

422KB
MD5

e41a7d87cf5e5af616c4d7f9413d26f0
SHA1

6bf09e6e60b144977d346439cf215c4bea40b510
SHA256

c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c
SHA512

21b5864632119ae429484b9e7fa3ba75fc0d4354fe99b404118d7a7f0ff5379664299b729d27de7edd35334604e3bfa1e2c97eec8303c0a05b2c6a43dff6d8fc
SSDEEP

6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOYqI:eU7M5ijWh0XOW4sEfeObI

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000900000000f6f2-26.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2508	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2980	kupof.exe
1632	loade.exe

Loads dropped DLL 3 IoCs

pid	Process
2208	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe
2208	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe
2980	kupof.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe
1632	loade.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2980	2208	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe	28
PID 2208 wrote to memory of 2980	2208	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe	28
PID 2208 wrote to memory of 2980	2208	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe	28
PID 2208 wrote to memory of 2980	2208	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe	28
PID 2208 wrote to memory of 2508	2208	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe	29
PID 2208 wrote to memory of 2508	2208	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe	29
PID 2208 wrote to memory of 2508	2208	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe	29
PID 2208 wrote to memory of 2508	2208	c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe	29
PID 2980 wrote to memory of 1632	2980	kupof.exe	33
PID 2980 wrote to memory of 1632	2980	kupof.exe	33
PID 2980 wrote to memory of 1632	2980	kupof.exe	33
PID 2980 wrote to memory of 1632	2980	kupof.exe	33

C:\Users\Admin\AppData\Local\Temp\c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe
"C:\Users\Admin\AppData\Local\Temp\c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\kupof.exe
  "C:\Users\Admin\AppData\Local\Temp\kupof.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\loade.exe
    "C:\Users\Admin\AppData\Local\Temp\loade.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
0b10cd83fd8a55a75fe654db12d752ce

SHA1
0e4f27159346b32adb6e64b18f4128cca9dd9a17

SHA256
71d35ffeb3d91026463f07dfad70192e2601d70d9028f45daf3e4e9113063dab

SHA512
623b5b07298e0393125fd5fd7bf54eae05c756a72a895a0b7d537075116bd92287ff0f5e6367679feba83b1677375c5aaa16817f85e37303f37fb348b914b4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
feacce948641da50752e1a5ddda532b6

SHA1
65d59203c2795f061c99aa4cf436c1f43c33bcb9

SHA256
2404a4d4e975d411748078b5a3690263b5b62cff897c60b6083f63e6c3f23cdc

SHA512
dbe17dee8238fa4baa36d3bb5dc257df6bddad2fdb8a94d3917df79892aefdd91d086abe041ad71d3022f831cd731e9ac305fcfe258ad6ab876b91fbb8330d62

Download Submit
\Users\Admin\AppData\Local\Temp\kupof.exe

Filesize
422KB

MD5
89a14c3c1b8f7dfe11b21009b752daf5

SHA1
0769c6bc031877ed85f0f0782ff55887aee361de

SHA256
ed1a74179a74b4e74e7a237143baed6da69560d9b87292dd9fa4d91cc613c1c6

SHA512
1d279cb9c31e6be703678161396e562f3836d093810824efe2835b3d4dd9476c18460581a4d57816c04d989fc00245e006d8f1fea85e805a86bb0199c57cfd74

Download Submit
\Users\Admin\AppData\Local\Temp\loade.exe

Filesize
212KB

MD5
52cdd44c07acbd9283416d948f64ea33

SHA1
f4094c1f27c5fdfad782ef223a81e4dd3afcdd0a

SHA256
c6eb196b4ff63104bc4d4410fd83bf51e38dec0b70a40dba267e5eece49b1b4d

SHA512
fdcf85ec810594065446dc3bfdc8dec1a5b81ed9faa21e4441e001d87e168e2c5b4a4c84cc45396f00e091d70d4165c2e286269545838f1063a610ba957daec9

Download Submit
memory/1632-34-0x0000000000DE0000-0x0000000000E74000-memory.dmp

Filesize
592KB

Download
memory/1632-40-0x0000000000DE0000-0x0000000000E74000-memory.dmp

Filesize
592KB

Download
memory/1632-39-0x0000000000DE0000-0x0000000000E74000-memory.dmp

Filesize
592KB

Download
memory/1632-38-0x0000000000DE0000-0x0000000000E74000-memory.dmp

Filesize
592KB

Download
memory/1632-37-0x0000000000DE0000-0x0000000000E74000-memory.dmp

Filesize
592KB

Download
memory/1632-33-0x0000000000DE0000-0x0000000000E74000-memory.dmp

Filesize
592KB

Download
memory/1632-35-0x0000000000DE0000-0x0000000000E74000-memory.dmp

Filesize
592KB

Download
memory/2208-11-0x0000000002830000-0x0000000002895000-memory.dmp

Filesize
404KB

Download
memory/2208-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2208-19-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2980-30-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2980-28-0x0000000001F90000-0x0000000002024000-memory.dmp

Filesize
592KB

Download
memory/2980-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing