urelas | 36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babb

General

Target

36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
Size

409KB
MD5

dd27974b04f29dd7b43ce92dae43cd90
SHA1

21ba560271aac3e1d2548a68594ad848918b92d9
SHA256

36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babb
SHA512

f29513f26c39141026d72cc15eb649d6b041aaa99d907ac7054836a8325bc0fa07b1152d687dff2d2d47031b9c7d404bc7fe7d12cad69822974daf6b0d9697eb
SSDEEP

6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOY+:eU7M5ijWh0XOW4sEfeOz

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000a00000001658d-28.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2900	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2152	vecak.exe
3020	avbeb.exe

Loads dropped DLL 3 IoCs

pid	Process
2736	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
2736	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
2152	vecak.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vecak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avbeb.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe
3020	avbeb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2152	2736	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	30
PID 2736 wrote to memory of 2152	2736	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	30
PID 2736 wrote to memory of 2152	2736	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	30
PID 2736 wrote to memory of 2152	2736	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	30
PID 2736 wrote to memory of 2900	2736	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	31
PID 2736 wrote to memory of 2900	2736	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	31
PID 2736 wrote to memory of 2900	2736	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	31
PID 2736 wrote to memory of 2900	2736	36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe	31
PID 2152 wrote to memory of 3020	2152	vecak.exe	33
PID 2152 wrote to memory of 3020	2152	vecak.exe	33
PID 2152 wrote to memory of 3020	2152	vecak.exe	33
PID 2152 wrote to memory of 3020	2152	vecak.exe	33

C:\Users\Admin\AppData\Local\Temp\36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe
"C:\Users\Admin\AppData\Local\Temp\36f5ad635241a703e62e5db25b86437afa5ac3e627ad8d453d61c6af9510babbN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\vecak.exe
  "C:\Users\Admin\AppData\Local\Temp\vecak.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\avbeb.exe
    "C:\Users\Admin\AppData\Local\Temp\avbeb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
0d4514c1d29cc90e6c386266520c81d5

SHA1
505a6c72c47b3044379da558211a2fff546da277

SHA256
4721a3f937f6452d73c2fc4e49a28d93a5b3275d8d6375f1ce7dd96fc4beadb4

SHA512
a0a6df796d9a10800e57f65b3c4a2248315e9b838e6d0f568c2ee7e13c15fcdd4e2b150acf9d46da1e919429fe442a419825e63ae9e3d5ac59297b83fe0db571

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9faff338415d52a0835d60532730fcc3

SHA1
96f4ccb55be4031fd82fd40423c3d08f6e93aa63

SHA256
36545b948468def32ac88232c9c5e4c6ce32c5954449eb4d48f1b98f8d1a7d53

SHA512
361337a9036d850028343cbb140cda353c39960a7ccab9c71d722543de013898311b6a6b83ed0f1bf90db6d8c783256a0c58ac82a9aec262d669f6a75b2442ec

Download Submit
\Users\Admin\AppData\Local\Temp\avbeb.exe

Filesize
212KB

MD5
0296fc66a977b57e3c5cfeec9da599e0

SHA1
fc5f192446a5db9fef59989500f8891595f28f10

SHA256
5088b70f27d5323c3311bf0a3646f78ec687e603fcba0854f0dca755c8523ac8

SHA512
554387461e3c2f35c0f8bd79a0c466bcac568bc35d8c1de15d626bc47e37390b754791512dafbb875a5e987ed34a42e73111d164996ac57db6a5f81051c7f318

Download Submit
\Users\Admin\AppData\Local\Temp\vecak.exe

Filesize
409KB

MD5
c65c8e6eb660a7677cd6bf48b9b00c42

SHA1
80a41ad690752a6506d4cdcf616ddf8e77b0f532

SHA256
ed2ad2657666c79bb3b1fd29758ec5a0a92c32350bca9951e79789a233e7584d

SHA512
5db438453842727042367b9da01fed24a2a9fa713be141f9d7c034a1eab6bc75f3ac551efde9a5fb4017aaea1ea426cde9cfffb0333e0b07c188996b4699e797

Download Submit
memory/2152-25-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2152-20-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2152-33-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2152-31-0x00000000035F0000-0x0000000003684000-memory.dmp

Filesize
592KB

Download
memory/2736-22-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2736-11-0x0000000002500000-0x0000000002565000-memory.dmp

Filesize
404KB

Download
memory/2736-12-0x0000000002500000-0x0000000002565000-memory.dmp

Filesize
404KB

Download
memory/2736-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3020-36-0x00000000000A0000-0x0000000000134000-memory.dmp

Filesize
592KB

Download
memory/3020-35-0x00000000000A0000-0x0000000000134000-memory.dmp

Filesize
592KB

Download
memory/3020-34-0x00000000000A0000-0x0000000000134000-memory.dmp

Filesize
592KB

Download
memory/3020-38-0x00000000000A0000-0x0000000000134000-memory.dmp

Filesize
592KB

Download
memory/3020-39-0x00000000000A0000-0x0000000000134000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing