urelas | 4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3

General

Target

4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe
Size

412KB
MD5

5368154c00258fc3ff4cdcde198728d8
SHA1

739a2fce2fe90bb4dd07de1c1805057b4702c90f
SHA256

4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3
SHA512

d0404546c4606183ce442ad27a3d4971fea9e98443f90a8a34a2e6e2c2baedfdabcbbe74287e1e24c964166c81095e59b5fc90efd094fa7a11257bbad468ea1e
SSDEEP

6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODgb:oU7M5ijWh0XOW4sEfeO8b

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\voyfy.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exeleryi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	leryi.exe

Executes dropped EXE 2 IoCs

Processes:

leryi.exevoyfy.exe

pid process

1472 leryi.exe
4804 voyfy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1472	leryi.exe
4804	voyfy.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

voyfy.exe

pid	process
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe
4804	voyfy.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exeleryi.exe

description	pid	process	target process
PID 4404 wrote to memory of 1472	4404	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe	leryi.exe
PID 4404 wrote to memory of 1472	4404	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe	leryi.exe
PID 4404 wrote to memory of 1472	4404	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe	leryi.exe
PID 4404 wrote to memory of 1452	4404	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe	cmd.exe
PID 4404 wrote to memory of 1452	4404	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe	cmd.exe
PID 4404 wrote to memory of 1452	4404	4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe	cmd.exe
PID 1472 wrote to memory of 4804	1472	leryi.exe	voyfy.exe
PID 1472 wrote to memory of 4804	1472	leryi.exe	voyfy.exe
PID 1472 wrote to memory of 4804	1472	leryi.exe	voyfy.exe

C:\Users\Admin\AppData\Local\Temp\4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe
"C:\Users\Admin\AppData\Local\Temp\4e6426da25aa1bc008d7f8379b6dd0a17f0441ac3f64ec205e5740e31420edb3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\leryi.exe
"C:\Users\Admin\AppData\Local\Temp\leryi.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\voyfy.exe
"C:\Users\Admin\AppData\Local\Temp\voyfy.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
340B

MD5
f5bd7a59ba3abf60edc51a0422614a48

SHA1
b7c1ec084994d4688b98033444dd8da8ae24ab97

SHA256
edeb4a37e910f9dcc92fb47dece92553d45f8addf35b0618e8cb4fec56b9ac63

SHA512
2fd82bc0efff667fd12a66676c11b3bd4d254613dfe7805aad1eb5d6196c47b75d686e1de6f170fbbbfd2b96e2a811786b2ba30c8b1c7912a4918e56f635790f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
66f4bfa94bb6e45916a0a966bea93b38

SHA1
da58c645e06cae60f960d1e5321ece3d4f7daf28

SHA256
0d761bac3619a61ce8c45a8b237b7bb213bc3c5ddef31cbbfe8ea159800cbb4e

SHA512
ec91c5bcd9172c858c9e2b2c57afb243553864cbeda5d8314ef52a62f1fe3542e7878f768f928a3de05900f50772c45ee66d01519be94e95f00096a36127c113

Download Submit
C:\Users\Admin\AppData\Local\Temp\leryi.exe
Filesize
412KB

MD5
bb3f69809f46dea8aa0389ef2d49a8dd

SHA1
d0e0e2134138976e6b834df39fd1a3b9875e98ff

SHA256
455d19119f260fee4bb23699a77cbbc030c28b50d356dada83786e5b838504a2

SHA512
859ec4336ec513e53f78fa44621da0fe4c1c3f56d8c5e05a990dcf008db7504c6e8d6df2e7b45adf2cee2e71bbd2c3f0d6d83b7b71005c122ccaa25ec276c695

Download Submit
C:\Users\Admin\AppData\Local\Temp\voyfy.exe
Filesize
212KB

MD5
8ad558f5a42fa2c6c4906a2ae9cc8137

SHA1
d5ed3240fbe386438df303e120f927490d627a23

SHA256
0bc4515ea4685d45001ba22c5eea0b65ddc0863383085b76dfb155e100f0c3ed

SHA512
46a16a0e48dd9cf84eb91936f56581ac91db9c24e325047fcd41291d011adf7ebd1fcfe3b220b79377e14fcddf3356d5581b489eb098c3bbd8e17b4e38f73cca

Download Submit
memory/1472-11-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1472-29-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4404-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4404-14-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4804-27-0x00000000004A0000-0x0000000000534000-memory.dmp

Filesize
592KB

Download
memory/4804-25-0x00000000004A0000-0x0000000000534000-memory.dmp

Filesize
592KB

Download
memory/4804-28-0x00000000004A0000-0x0000000000534000-memory.dmp

Filesize
592KB

Download
memory/4804-26-0x00000000004A0000-0x0000000000534000-memory.dmp

Filesize
592KB

Download
memory/4804-31-0x00000000004A0000-0x0000000000534000-memory.dmp

Filesize
592KB

Download
memory/4804-32-0x00000000004A0000-0x0000000000534000-memory.dmp

Filesize
592KB

Download
memory/4804-33-0x00000000004A0000-0x0000000000534000-memory.dmp

Filesize
592KB

Download
memory/4804-34-0x00000000004A0000-0x0000000000534000-memory.dmp

Filesize
592KB

Download
memory/4804-35-0x00000000004A0000-0x0000000000534000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads