urelas | 0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09

General

Target

0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe
Size

413KB
MD5

315da296cc2c81f10c9e137b6b316320
SHA1

5fe9a2de322dcf39ce2bd1562460d79535d15db0
SHA256

0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09
SHA512

aa26148c3e82a12294fd9449cc0194cd7d283341c5a4b1f284b8fdcf16355fd2eab64fbd655084b9461234d6193ec374f88599c9be84241e1f5ab0325c31a189
SSDEEP

6144:tzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODsz:hU7M5ijWh0XOW4sEfeOy

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-31.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
1660	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2292	koguf.exe
2976	quuco.exe

Loads dropped DLL 3 IoCs

pid	Process
2468	0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe
2468	0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe
2292	koguf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	koguf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quuco.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe
2976	quuco.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2292	2468	0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe	28
PID 2468 wrote to memory of 2292	2468	0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe	28
PID 2468 wrote to memory of 2292	2468	0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe	28
PID 2468 wrote to memory of 2292	2468	0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe	28
PID 2468 wrote to memory of 1660	2468	0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe	29
PID 2468 wrote to memory of 1660	2468	0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe	29
PID 2468 wrote to memory of 1660	2468	0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe	29
PID 2468 wrote to memory of 1660	2468	0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe	29
PID 2292 wrote to memory of 2976	2292	koguf.exe	33
PID 2292 wrote to memory of 2976	2292	koguf.exe	33
PID 2292 wrote to memory of 2976	2292	koguf.exe	33
PID 2292 wrote to memory of 2976	2292	koguf.exe	33

C:\Users\Admin\AppData\Local\Temp\0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe
"C:\Users\Admin\AppData\Local\Temp\0a2a211a254a6117a852d49f53b8b230aa9c3c0a8edcc7f36b489e1456f58d09N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\koguf.exe
  "C:\Users\Admin\AppData\Local\Temp\koguf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\quuco.exe
    "C:\Users\Admin\AppData\Local\Temp\quuco.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
8700b1a288ce7c6a0a12306d1c04ad7d

SHA1
88e89f0fd50791152eb1321891acc399be02b845

SHA256
ae8c43a0e815ac53073c97749129abad18c566ec01b4f4177ffc03b754b8a25b

SHA512
3c5efbdf8d176d4c15a80b5cfac8898721593c5e56ebe157e4edca4b77afea418d31dea5e30e6364881f64d23baad8e5a4a8e8da032c870cc8dff2625a5fc352

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e73cb53c3795799718f8b5342fd07d85

SHA1
de0a56331495ad106b8261f7d26dc296103f5a7a

SHA256
0456d36bc604ece6b66f9f75308fb23c35c37d05b6a363e22cfa1b7c0218afeb

SHA512
bfcf0e6b0585a8c2aeb15e52ce42912bbb1ff2d82c9ff3a281466e99e6b41a2de19091ec53c45c15bc0c341c335225c8bd8f012ed121cbf76d2ea7a354de6511

Download Submit
C:\Users\Admin\AppData\Local\Temp\quuco.exe

Filesize
212KB

MD5
3fa69c9586d77d1a8e5138d94a847969

SHA1
7c0d1fb657e39a0d84c6aadb8caa3f10fa846c49

SHA256
ed79f7782eaa6190d46863d551894fe30f6160da151ab4a4d4032043b35df23c

SHA512
84978290080bccacacab68022a0457d9a1cad141344f66cc02ddcb4078dc1e4b4712be371ea79c6d05b6ed63ea5831a686651b9484b78128093fcf261c7a462d

Download Submit
\Users\Admin\AppData\Local\Temp\koguf.exe

Filesize
413KB

MD5
66974a061892aa167468182dbd346e36

SHA1
ea4291c4a80efefd2a4ae1c757e23bb88f8052c6

SHA256
b87690c1232ab5ea584eb7dd5a51d6f692b1980785f84ce68e0120afc1229127

SHA512
890ed91604c57679554547cbe74d95883217f9526546cc80666c917809e45c34b92ace35965bf9690a9e866f781035831b7443528086df9e5006152d4ea98d21

Download Submit
memory/2292-29-0x00000000020E0000-0x0000000002174000-memory.dmp

Filesize
592KB

Download
memory/2292-12-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2292-23-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2292-30-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2468-20-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2468-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2976-32-0x0000000000B00000-0x0000000000B94000-memory.dmp

Filesize
592KB

Download
memory/2976-33-0x0000000000B00000-0x0000000000B94000-memory.dmp

Filesize
592KB

Download
memory/2976-35-0x0000000000B00000-0x0000000000B94000-memory.dmp

Filesize
592KB

Download
memory/2976-34-0x0000000000B00000-0x0000000000B94000-memory.dmp

Filesize
592KB

Download
memory/2976-37-0x0000000000B00000-0x0000000000B94000-memory.dmp

Filesize
592KB

Download
memory/2976-38-0x0000000000B00000-0x0000000000B94000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing