urelas | b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9

General

Target

b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe
Size

331KB
MD5

a19061efa0ec169b8185848b9cd64970
SHA1

a66e713f8e8a839ea26521c0bd919f3bcd3b9c34
SHA256

b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9
SHA512

dca58cabf92c1eb225c87a7f377aae5a52cc081779567a5d042c2c174a3bc15d520df8e45afd5f5d051437dbb3a59e4a2a4b4f82f5c8154b0470687804883b8d
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisn:Nd7rpL43btmQ58Z27zw39gY2FeZh4A

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\fifyd.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2008 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

rufot.exegenooz.exefifyd.exe

pid process

2236 rufot.exe
2648 genooz.exe
1456 fifyd.exe

pid	process
2008	cmd.exe

pid	process
2236	rufot.exe
2648	genooz.exe
1456	fifyd.exe

Loads dropped DLL 5 IoCs

Processes:

b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exerufot.exegenooz.exe

pid	process
2464	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe
2464	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe
2236	rufot.exe
2236	rufot.exe
2648	genooz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

genooz.execmd.exefifyd.exeb4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exerufot.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	genooz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fifyd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rufot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

fifyd.exe

pid	process
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe
1456	fifyd.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exerufot.exegenooz.exe

description	pid	process	target process
PID 2464 wrote to memory of 2236	2464	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe	rufot.exe
PID 2464 wrote to memory of 2236	2464	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe	rufot.exe
PID 2464 wrote to memory of 2236	2464	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe	rufot.exe
PID 2464 wrote to memory of 2236	2464	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe	rufot.exe
PID 2464 wrote to memory of 2008	2464	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe	cmd.exe
PID 2464 wrote to memory of 2008	2464	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe	cmd.exe
PID 2464 wrote to memory of 2008	2464	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe	cmd.exe
PID 2464 wrote to memory of 2008	2464	b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe	cmd.exe
PID 2236 wrote to memory of 2648	2236	rufot.exe	genooz.exe
PID 2236 wrote to memory of 2648	2236	rufot.exe	genooz.exe
PID 2236 wrote to memory of 2648	2236	rufot.exe	genooz.exe
PID 2236 wrote to memory of 2648	2236	rufot.exe	genooz.exe
PID 2648 wrote to memory of 1456	2648	genooz.exe	fifyd.exe
PID 2648 wrote to memory of 1456	2648	genooz.exe	fifyd.exe
PID 2648 wrote to memory of 1456	2648	genooz.exe	fifyd.exe
PID 2648 wrote to memory of 1456	2648	genooz.exe	fifyd.exe
PID 2648 wrote to memory of 2032	2648	genooz.exe	cmd.exe
PID 2648 wrote to memory of 2032	2648	genooz.exe	cmd.exe
PID 2648 wrote to memory of 2032	2648	genooz.exe	cmd.exe
PID 2648 wrote to memory of 2032	2648	genooz.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe
"C:\Users\Admin\AppData\Local\Temp\b4b89f29c68b5ee55bcd9e33db0abb2ab5a1c9ca787ccbfbf7790974c1f0f7b9N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\rufot.exe
  "C:\Users\Admin\AppData\Local\Temp\rufot.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\genooz.exe
    "C:\Users\Admin\AppData\Local\Temp\genooz.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\fifyd.exe
      "C:\Users\Admin\AppData\Local\Temp\fifyd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1456
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
5e89e6d675c60a47ed8e6a7e0a424109

SHA1
4bfa84c0181591fb336eaea476094a9e385abb17

SHA256
33396f80da0f4e3789ef789a5ea42c7d1db0554140c9a2881aca5f0abff707c1

SHA512
f406c55180a85b96498cd746ecfefa94fb50bc96cdc17492e5bd5356da6ce1cbac2b164890092929e36939cce37533b7e2072711acf913ada48d7311e650776e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
f6f6eb516e43f392a979a54540c30cbb

SHA1
e2eea21a43fe267c706873009b2aed429540ae3d

SHA256
3627f3a3ebd3053f7b0abe788008cec6025940e84ccc2e7ae8be93c902df1ed1

SHA512
e42756eab10fde20489c46c630e42e54f666a2914b90773eef6a45639a04ffe5c2eb1d39eb2b30dfed8fb0812077ef5f386e436129b519bd04d326c19f2220a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fifyd.exe

Filesize
136KB

MD5
3bee509a4077ec8b36ff8de6766afd5d

SHA1
a088576e4df26c2542302a85c90635515171b6b2

SHA256
86272924242d1dbb0d4a51762bbf08bf38f0929221886c703e9c2f5f5887525f

SHA512
bbe9ac49295a9f7033f744c9b2f7878b530bfcd05c0164a4d4c8202a2ece8e6d681795b8628559add8e3bbe6ebf043bab4280a988c8a559cf15e3fce7f9b2a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
aeaf2735823598158243be761aa7bef4

SHA1
bc75ce4897095b01689bd29eb1c528d22e4a23c2

SHA256
b9f52f33d1848eeef052469bab97acc2c59eec6f59faa7eec97ebdb837411597

SHA512
cd71768be33f3f1b60570f74da3634be5d3e793411716cf87b7b556a768209e0b4977c06d108164c942c1c792c7b2f8f937ab498759bb0007854ceb7a9e70490

Download Submit
\Users\Admin\AppData\Local\Temp\rufot.exe

Filesize
331KB

MD5
c62dec2e3fc335cc54bad917c2a73608

SHA1
c53c9ae6dc35edbea22147b82a0f823a4900216b

SHA256
2689e8753cfcec246058fe954f4262ac629865330c5d5dc00cfd16d27b354cf9

SHA512
50da02f15fec2a6f9f8fa92e84b579c153e4828c6dde6cd3f524e5afacf5d9d4ebb2fe712c788e63be15d803e620d9eaefca015134f6563d4fee37757f48393d

Download Submit
memory/1456-46-0x0000000000B60000-0x0000000000BEC000-memory.dmp

Filesize
560KB

Download
memory/1456-62-0x0000000000B60000-0x0000000000BEC000-memory.dmp

Filesize
560KB

Download
memory/1456-61-0x0000000000B60000-0x0000000000BEC000-memory.dmp

Filesize
560KB

Download
memory/1456-60-0x0000000000B60000-0x0000000000BEC000-memory.dmp

Filesize
560KB

Download
memory/1456-47-0x0000000000B60000-0x0000000000BEC000-memory.dmp

Filesize
560KB

Download
memory/1456-56-0x0000000000B60000-0x0000000000BEC000-memory.dmp

Filesize
560KB

Download
memory/1456-45-0x0000000000B60000-0x0000000000BEC000-memory.dmp

Filesize
560KB

Download
memory/2236-31-0x0000000002060000-0x00000000020B8000-memory.dmp

Filesize
352KB

Download
memory/2236-34-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2236-32-0x0000000002060000-0x00000000020B8000-memory.dmp

Filesize
352KB

Download
memory/2464-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2464-11-0x0000000002E10000-0x0000000002E68000-memory.dmp

Filesize
352KB

Download
memory/2464-23-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2648-55-0x0000000003A00000-0x0000000003A8C000-memory.dmp

Filesize
560KB

Download
memory/2648-57-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2648-36-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads