urelas | adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69f

General

Target

adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69fN.exe
Size

426KB
MD5

d4436c7b2ad567125fcc31d3e5fec5a0
SHA1

2f3422e608160c0de0bae106fb38e0a8e6907072
SHA256

adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69f
SHA512

b9ad268e84992f5eb087f23f2dd8f19dfe0fc7f9dcf022bf31ddf91ee9dc16ff11f95c75670c58f4656cd7e052a4045380553f7d481c8869865f5b7a37548745
SSDEEP

6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsd:YU7M5ijWh0XOW4sEfeOm

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b0000000193c4-28.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2796	xuxak.exe
800	lycoi.exe

Loads dropped DLL 3 IoCs

pid	Process
1876	adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69fN.exe
1876	adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69fN.exe
2796	xuxak.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lycoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xuxak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe
800	lycoi.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2796	1876	adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69fN.exe	30
PID 1876 wrote to memory of 2796	1876	adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69fN.exe	30
PID 1876 wrote to memory of 2796	1876	adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69fN.exe	30
PID 1876 wrote to memory of 2796	1876	adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69fN.exe	30
PID 1876 wrote to memory of 2712	1876	adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69fN.exe	31
PID 1876 wrote to memory of 2712	1876	adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69fN.exe	31
PID 1876 wrote to memory of 2712	1876	adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69fN.exe	31
PID 1876 wrote to memory of 2712	1876	adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69fN.exe	31
PID 2796 wrote to memory of 800	2796	xuxak.exe	34
PID 2796 wrote to memory of 800	2796	xuxak.exe	34
PID 2796 wrote to memory of 800	2796	xuxak.exe	34
PID 2796 wrote to memory of 800	2796	xuxak.exe	34

C:\Users\Admin\AppData\Local\Temp\adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69fN.exe
"C:\Users\Admin\AppData\Local\Temp\adf45bdcb465df39e55615bb25b0b64c5a99f4991db8f26807afa8dc2b74b69fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\xuxak.exe
  "C:\Users\Admin\AppData\Local\Temp\xuxak.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\lycoi.exe
    "C:\Users\Admin\AppData\Local\Temp\lycoi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
4186fe7141494c873eb03211bbbbbf49

SHA1
910a31ece5e45980e616bcf8b1b37be40238f316

SHA256
e92459e694ac5b53d0bcee7e65841e12c9c3380c8775f95169d340018e39d6f1

SHA512
8325dda48145ed800d2bf4c00bf5b192425d93c7cb88ba51d5a8f3d5b60f8b2dc05288c1bee32905a6ffee954629f3d48b790570266dab5f6b77b8c88432c7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f8b07d6041169b0a26c6972626d1372f

SHA1
4dee7d2e17a8b3ae367efd5681d59e7cb2569f07

SHA256
0900a06792e961495e76bcfa8c0bfe60a85ac6e949290d3aa46fab2673408a98

SHA512
e0faf36b65b26bb2f439621781606fc36161aa734b63ea6f74a0dfa6b74844659fac2144b7cc8b650ab483147a8164c18e808fa0378481a0cefe1fdf0c1019ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuxak.exe

Filesize
426KB

MD5
3e3867d2ebf417807fc7e41c76de175a

SHA1
ca78914fd66c0d916fcc8777e24622fa4916044d

SHA256
689a68ee348fc1ac72e7c48d1e5fbb80e14886f8e5f0511dc56c850e436a22e2

SHA512
c819e95e1d84e0dbe94e744084c8c71be3ec1e18e70a757d351ccb97d78a6ec03f4ef132b9881562b8fb711c5d1fc6194d9352a572f4fab4494ff49297437029

Download Submit
\Users\Admin\AppData\Local\Temp\lycoi.exe

Filesize
212KB

MD5
c8ab0b2572987b6ae39b2be2841032c9

SHA1
32b3624033bae56bbaa7de14471a206d5144189b

SHA256
230049e75f522b0977ef4e62dd52cade614410208e08491c747f5452350ac593

SHA512
815047b8f84cd092379820ae472c39bc6a798f7018405bd813d3ff71eac1a28dedcf54ae937c43e99b24eb77676b3b2ba27a613b6530da66e2761f91bb5c78af

Download Submit
memory/800-36-0x0000000001220000-0x00000000012B4000-memory.dmp

Filesize
592KB

Download
memory/800-40-0x0000000001220000-0x00000000012B4000-memory.dmp

Filesize
592KB

Download
memory/800-39-0x0000000001220000-0x00000000012B4000-memory.dmp

Filesize
592KB

Download
memory/800-33-0x0000000001220000-0x00000000012B4000-memory.dmp

Filesize
592KB

Download
memory/800-34-0x0000000001220000-0x00000000012B4000-memory.dmp

Filesize
592KB

Download
memory/800-35-0x0000000001220000-0x00000000012B4000-memory.dmp

Filesize
592KB

Download
memory/1876-11-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/1876-22-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1876-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1876-12-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/2796-37-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2796-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2796-31-0x00000000033F0000-0x0000000003484000-memory.dmp

Filesize
592KB

Download
memory/2796-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing