urelas | 03ab57357de3b46523fbb9d061e6d1fe79fbca1158c8de37664da659c90aa088

General

Target

a9924cfd3a9eb9696e6a774efab3ca10N.exe
Size

1.8MB
MD5

a9924cfd3a9eb9696e6a774efab3ca10
SHA1

e73359d508659e40d61439eb1512a771111f8bea
SHA256

03ab57357de3b46523fbb9d061e6d1fe79fbca1158c8de37664da659c90aa088
SHA512

c65f152d44846c75d8af3574a858870a078aeef23416fdabddf6a9c1b2f74442feed14c4f8abbd7ac0ca949fa2e7fc945ee9beb860a39c42323c1ed89ed692d9
SSDEEP

49152:ID3ZrSCi2SbXcJZKFRFW9mimvuhmQDh1n/noFPvSmZtimZU3uvrJT:qgCi2CXnFRFW9mimvuh1DcFSmZtxZU3y

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\zegeb.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2820 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

keowu.exezegeb.exe

pid process

2844 keowu.exe
2740 zegeb.exe
Loads dropped DLL 2 IoCs

Processes:

a9924cfd3a9eb9696e6a774efab3ca10N.exekeowu.exe

pid process

2316 a9924cfd3a9eb9696e6a774efab3ca10N.exe
2844 keowu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2820	cmd.exe

pid	process
2844	keowu.exe
2740	zegeb.exe

pid	process
2316	a9924cfd3a9eb9696e6a774efab3ca10N.exe
2844	keowu.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

zegeb.exea9924cfd3a9eb9696e6a774efab3ca10N.exekeowu.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zegeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9924cfd3a9eb9696e6a774efab3ca10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keowu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

zegeb.exe

pid	process
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe
2740	zegeb.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a9924cfd3a9eb9696e6a774efab3ca10N.exekeowu.exe

description	pid	process	target process
PID 2316 wrote to memory of 2844	2316	a9924cfd3a9eb9696e6a774efab3ca10N.exe	keowu.exe
PID 2316 wrote to memory of 2844	2316	a9924cfd3a9eb9696e6a774efab3ca10N.exe	keowu.exe
PID 2316 wrote to memory of 2844	2316	a9924cfd3a9eb9696e6a774efab3ca10N.exe	keowu.exe
PID 2316 wrote to memory of 2844	2316	a9924cfd3a9eb9696e6a774efab3ca10N.exe	keowu.exe
PID 2316 wrote to memory of 2820	2316	a9924cfd3a9eb9696e6a774efab3ca10N.exe	cmd.exe
PID 2316 wrote to memory of 2820	2316	a9924cfd3a9eb9696e6a774efab3ca10N.exe	cmd.exe
PID 2316 wrote to memory of 2820	2316	a9924cfd3a9eb9696e6a774efab3ca10N.exe	cmd.exe
PID 2316 wrote to memory of 2820	2316	a9924cfd3a9eb9696e6a774efab3ca10N.exe	cmd.exe
PID 2844 wrote to memory of 2740	2844	keowu.exe	zegeb.exe
PID 2844 wrote to memory of 2740	2844	keowu.exe	zegeb.exe
PID 2844 wrote to memory of 2740	2844	keowu.exe	zegeb.exe
PID 2844 wrote to memory of 2740	2844	keowu.exe	zegeb.exe

C:\Users\Admin\AppData\Local\Temp\a9924cfd3a9eb9696e6a774efab3ca10N.exe
"C:\Users\Admin\AppData\Local\Temp\a9924cfd3a9eb9696e6a774efab3ca10N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\keowu.exe
  "C:\Users\Admin\AppData\Local\Temp\keowu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\zegeb.exe
    "C:\Users\Admin\AppData\Local\Temp\zegeb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
278B

MD5
f4e8084f3a12fa955e6eab09955e87b3

SHA1
af17fbea88d60d6959e2e2714651c21f6c4726d9

SHA256
1e9e90365f77e3cea2c074d22270608ebe8807b741de3d0f3826e8abe2f095e3

SHA512
5e93d47e88daa7af3da27db90c8d674f388535f57a77135b14e0666027c0b39847146769d272be0bcf6660927919119edfb26a410d106da9c3baf3fc10bcc585

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
aafa8acfb7301b760365272a69beee9d

SHA1
68b6a066c7df82cd9a1f92d8759fb4e5d1147691

SHA256
83bb0813826d4edcafeecb6fc09eab8229c2c1fb4fd4253e0e91724db9101c35

SHA512
ffa384661427652e5e766796ae4966fa4359460e9b83f1dd3530e25c119593739d2aee7aba9fdde66c715f62f6e31caec1d6905ec7ccf8253a25ff34dd6c0973

Download Submit
\Users\Admin\AppData\Local\Temp\keowu.exe

Filesize
1.8MB

MD5
31835a38f2f57f9aba4df315e19b67e8

SHA1
d3c1e94e22c107b8690b93ee876a1b9a80dbe680

SHA256
d0900eb4eae0b6fff00effe0d85d5aa55f7944647c8f71ee2ac8451cff73dda9

SHA512
8d5d766983c4c152ab67123dca811515693b90b8213c5f6c52efc3bd9ffaaa2293c57533b13d8086aaf8af5f4760da2acc346203adb0e197e4246c3e6141177d

Download Submit
\Users\Admin\AppData\Local\Temp\zegeb.exe

Filesize
210KB

MD5
259e7564efda7167dd5d02f0ff53efb6

SHA1
07177dd8592a4f154ec753a16aeffd0d1ca24026

SHA256
899b17b10466aa54ef55bb614c1b0eb1e6e6deff94332aac076fb3c33f9c6a9c

SHA512
ae383eff91f651b11aab30bf613ab72c393a72f423734daa6dff413014f6b0f6323cd620b2c525cf169db5d873471a1770b5eb423b0f3e8f5ee4edf92cf90df1

Download Submit
memory/2316-0-0x0000000000AB0000-0x0000000000C7E000-memory.dmp

Filesize
1.8MB

Download
memory/2316-17-0x0000000000AB0000-0x0000000000C7E000-memory.dmp

Filesize
1.8MB

Download
memory/2316-15-0x0000000002BE0000-0x0000000002DAE000-memory.dmp

Filesize
1.8MB

Download
memory/2740-28-0x0000000001350000-0x00000000013E3000-memory.dmp

Filesize
588KB

Download
memory/2740-31-0x0000000001350000-0x00000000013E3000-memory.dmp

Filesize
588KB

Download
memory/2740-32-0x0000000001350000-0x00000000013E3000-memory.dmp

Filesize
588KB

Download
memory/2740-30-0x0000000001350000-0x00000000013E3000-memory.dmp

Filesize
588KB

Download
memory/2740-34-0x0000000001350000-0x00000000013E3000-memory.dmp

Filesize
588KB

Download
memory/2740-35-0x0000000001350000-0x00000000013E3000-memory.dmp

Filesize
588KB

Download
memory/2844-26-0x0000000003250000-0x00000000032E3000-memory.dmp

Filesize
588KB

Download
memory/2844-18-0x0000000000AB0000-0x0000000000C7E000-memory.dmp

Filesize
1.8MB

Download
memory/2844-29-0x0000000000AB0000-0x0000000000C7E000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads