urelas | 8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f

General

Target

8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe
Size

418KB
MD5

ea14eeede03624f6b152c1dc67ff963d
SHA1

e564148b241d488134c78f189950f5a512ea0902
SHA256

8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f
SHA512

dd759269f1510145716d37fe53f4827f6041ef402b0f61889724d7b81896b3c5554deb350685ca79b80d43ec5e85d9617f31ecf9ae8d5e8c5926bd0f7bdde13f
SSDEEP

6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOYqi:eU7M5ijWh0XOW4sEfeObi

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vykuc.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exeytbyh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	ytbyh.exe

Executes dropped EXE 2 IoCs

Processes:

ytbyh.exevykuc.exe

pid process

3592 ytbyh.exe
4812 vykuc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3592	ytbyh.exe
4812	vykuc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vykuc.exe

pid	process
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe
4812	vykuc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exeytbyh.exe

description	pid	process	target process
PID 2116 wrote to memory of 3592	2116	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe	ytbyh.exe
PID 2116 wrote to memory of 3592	2116	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe	ytbyh.exe
PID 2116 wrote to memory of 3592	2116	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe	ytbyh.exe
PID 2116 wrote to memory of 4812	2116	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe	cmd.exe
PID 2116 wrote to memory of 4812	2116	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe	cmd.exe
PID 2116 wrote to memory of 4812	2116	8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe	cmd.exe
PID 3592 wrote to memory of 4812	3592	ytbyh.exe	vykuc.exe
PID 3592 wrote to memory of 4812	3592	ytbyh.exe	vykuc.exe
PID 3592 wrote to memory of 4812	3592	ytbyh.exe	vykuc.exe

C:\Users\Admin\AppData\Local\Temp\8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe
"C:\Users\Admin\AppData\Local\Temp\8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\ytbyh.exe
"C:\Users\Admin\AppData\Local\Temp\ytbyh.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592

C:\Users\Admin\AppData\Local\Temp\vykuc.exe
"C:\Users\Admin\AppData\Local\Temp\vykuc.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
340B

MD5
8c26531e32478068bc2e9c31f252c2ef

SHA1
3d1813d44b9066976ae6be976629a93b5623692c

SHA256
81b824b79c7607c0e39134cf7da4a027bcd2d0dcc17de68bb6f1833b15b3e4ff

SHA512
8d25c9fd51200b76fe2f9b4c2ed1f7172c29643801542996b0e885df4d5cc932759f7b6f083218023cfb6289012f6c78d73a38bceb71bcd3d290e03c6def6086

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
b488cb3effe224a95bbff92e46e161e4

SHA1
c4a9802262320010a33f50d91360fc1741e40b26

SHA256
07b46b14f6975c78c70ac5a15acf547cf78b8980d071d269a5f125a4a5fa5bf8

SHA512
306b5f450bf2f18fd88f49ddb92485157e4d975f79594437d0418f1ee3d215ba4042c227619577e090a1c3900b3f6472a9537346417885d5440bbad13203ce6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vykuc.exe
Filesize
212KB

MD5
afad66a31abdf2f911d64106ea1ca1eb

SHA1
5a273bb8396406153f7339a6e4dc88e9d53641a9

SHA256
68b0596b6627284340cf4889d3b463a1185625a4a981fd38524f2a69ae9801ea

SHA512
5bc34e657ba098ef06ca29e48b3810ab0639b2d2b044c0b150d0d9e6a7e79c9563ba2035e3854e02de5e6c6c793877cd279b9328a46563aae2c212ec5f18dcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytbyh.exe
Filesize
418KB

MD5
78e42ee96bcf638bb636c7d4f0ece3af

SHA1
646d2a2b68e537e34d5f2a181ce51bfb15c0ff46

SHA256
c1c40cb0e6ea850b3d023bdef9347c4b38c0172c2f75ab4919a1d6b76b2f6328

SHA512
bb45ea4f9a96168114db2071b7cd40ab6a27b8b0e0bf0fbedc96e251c9db22b28c0714fb7fffc9cf1b4700ab3e0dd4c6794cf88fb191fb93cb63e671945bdccc

Download Submit
memory/2116-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2116-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3592-28-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4812-27-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download
memory/4812-23-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download
memory/4812-26-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download
memory/4812-25-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download
memory/4812-30-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download
memory/4812-31-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download
memory/4812-32-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download
memory/4812-33-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download
memory/4812-34-0x0000000000A10000-0x0000000000AA4000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads