urelas | 8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f

General

Target

8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe
Size

418KB
MD5

ea14eeede03624f6b152c1dc67ff963d
SHA1

e564148b241d488134c78f189950f5a512ea0902
SHA256

8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f
SHA512

dd759269f1510145716d37fe53f4827f6041ef402b0f61889724d7b81896b3c5554deb350685ca79b80d43ec5e85d9617f31ecf9ae8d5e8c5926bd0f7bdde13f
SSDEEP

6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOYqi:eU7M5ijWh0XOW4sEfeObi

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hauto.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2720 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

kadig.exehauto.exe

pid process

2544 kadig.exe
1564 hauto.exe

pid	process
2720	cmd.exe

pid	process
2544	kadig.exe
1564	hauto.exe

Loads dropped DLL 3 IoCs

Processes:

8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exekadig.exe

pid	process
1632	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe
1632	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe
2544	kadig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

hauto.exe

pid	process
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe
1564	hauto.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exekadig.exe

description	pid	process	target process
PID 1632 wrote to memory of 2544	1632	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe	kadig.exe
PID 1632 wrote to memory of 2544	1632	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe	kadig.exe
PID 1632 wrote to memory of 2544	1632	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe	kadig.exe
PID 1632 wrote to memory of 2544	1632	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe	kadig.exe
PID 1632 wrote to memory of 2720	1632	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe	cmd.exe
PID 1632 wrote to memory of 2720	1632	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe	cmd.exe
PID 1632 wrote to memory of 2720	1632	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe	cmd.exe
PID 1632 wrote to memory of 2720	1632	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe	cmd.exe
PID 2544 wrote to memory of 1564	2544	kadig.exe	hauto.exe
PID 2544 wrote to memory of 1564	2544	kadig.exe	hauto.exe
PID 2544 wrote to memory of 1564	2544	kadig.exe	hauto.exe
PID 2544 wrote to memory of 1564	2544	kadig.exe	hauto.exe

C:\Users\Admin\AppData\Local\Temp\8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe
"C:\Users\Admin\AppData\Local\Temp\8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\kadig.exe
"C:\Users\Admin\AppData\Local\Temp\kadig.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\AppData\Local\Temp\hauto.exe
"C:\Users\Admin\AppData\Local\Temp\hauto.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8c26531e32478068bc2e9c31f252c2ef

SHA1
3d1813d44b9066976ae6be976629a93b5623692c

SHA256
81b824b79c7607c0e39134cf7da4a027bcd2d0dcc17de68bb6f1833b15b3e4ff

SHA512
8d25c9fd51200b76fe2f9b4c2ed1f7172c29643801542996b0e885df4d5cc932759f7b6f083218023cfb6289012f6c78d73a38bceb71bcd3d290e03c6def6086

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8df2319eb37f57f4385677115e042155

SHA1
73c2624cbb246030520ff9bde9005fab05eff2d0

SHA256
4f56f299cc68e68ed91897edb046163de70b4c2c527ed7530355a44b1ac26a2f

SHA512
d30be0b2c55439a34929cc44beb37531b6232cca007bea801d7900f236889dc6f4401572c95b51d752530cce69fb73e3be90df9269f53603e5ce59cdfe719bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hauto.exe

Filesize
212KB

MD5
acc8502d8e54d5537bce797095f9a0b4

SHA1
63bc47d389646328af24410c4e909478e6a2437c

SHA256
36915817a4420da8108b95462db005713735ade540f04d2c850a1a63fd4a47d8

SHA512
b059f3012e547aca52567bc6185b0ea2be5d01a85fb2b08a4ff5db6f9dfda862a15ed63692edd97a5a1e020b3031340b5c28b3cfcfdd2a89f9ae146e7abac853

Download Submit
\Users\Admin\AppData\Local\Temp\kadig.exe

Filesize
418KB

MD5
48ffbb42db686c2121e9d563748e5772

SHA1
946d0fb813dcc27e954638f7493154da1d6b352d

SHA256
ef29b3081bd813e2459794e9650a1a0d0e7b3b9a7d19a793058ecb5e1c0098f6

SHA512
96e11792443a34aa7d329d8729784189589f895abc76e1808cd084653c6e4fb6c86472c43deea201156808304af555b26f2d6679ae7db536e330790ffb4e168f

Download Submit
memory/1564-32-0x0000000000D90000-0x0000000000E24000-memory.dmp

Filesize
592KB

Download
memory/1564-37-0x0000000000D90000-0x0000000000E24000-memory.dmp

Filesize
592KB

Download
memory/1564-40-0x0000000000D90000-0x0000000000E24000-memory.dmp

Filesize
592KB

Download
memory/1564-39-0x0000000000D90000-0x0000000000E24000-memory.dmp

Filesize
592KB

Download
memory/1564-38-0x0000000000D90000-0x0000000000E24000-memory.dmp

Filesize
592KB

Download
memory/1564-31-0x0000000000D90000-0x0000000000E24000-memory.dmp

Filesize
592KB

Download
memory/1564-34-0x0000000000D90000-0x0000000000E24000-memory.dmp

Filesize
592KB

Download
memory/1564-33-0x0000000000D90000-0x0000000000E24000-memory.dmp

Filesize
592KB

Download
memory/1564-36-0x0000000000D90000-0x0000000000E24000-memory.dmp

Filesize
592KB

Download
memory/1632-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1632-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1632-6-0x0000000002BC0000-0x0000000002C25000-memory.dmp

Filesize
404KB

Download
memory/2544-29-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2544-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads