urelas | 2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9

General

Target

2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe
Size

331KB
MD5

9f46a88a877c640281978c2126dcfca0
SHA1

8af546d624e3b68876b0144b4425180c4b9b6de0
SHA256

2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9
SHA512

cde030696653d34a6bf44dd92ea964094a14b1bd95b8b411e4b83c5bd60045b64dab0910e445764081c92c202b695176f1343243fb52b170c2b6cfee1d5d09c3
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisa:Nd7rpL43btmQ58Z27zw39gY2FeZh4pd

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\boniy.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axruy.exeqigepe.exe2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	axruy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	qigepe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe

Executes dropped EXE 3 IoCs

Processes:

axruy.exeqigepe.exeboniy.exe

pid process

2184 axruy.exe
3656 qigepe.exe
4808 boniy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2184	axruy.exe
3656	qigepe.exe
4808	boniy.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

axruy.execmd.exeqigepe.exeboniy.execmd.exe2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axruy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qigepe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boniy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

boniy.exe

pid	process
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe
4808	boniy.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exeaxruy.exeqigepe.exe

description	pid	process	target process
PID 4752 wrote to memory of 2184	4752	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe	axruy.exe
PID 4752 wrote to memory of 2184	4752	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe	axruy.exe
PID 4752 wrote to memory of 2184	4752	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe	axruy.exe
PID 4752 wrote to memory of 4944	4752	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe	cmd.exe
PID 4752 wrote to memory of 4944	4752	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe	cmd.exe
PID 4752 wrote to memory of 4944	4752	2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe	cmd.exe
PID 2184 wrote to memory of 3656	2184	axruy.exe	qigepe.exe
PID 2184 wrote to memory of 3656	2184	axruy.exe	qigepe.exe
PID 2184 wrote to memory of 3656	2184	axruy.exe	qigepe.exe
PID 3656 wrote to memory of 4808	3656	qigepe.exe	boniy.exe
PID 3656 wrote to memory of 4808	3656	qigepe.exe	boniy.exe
PID 3656 wrote to memory of 4808	3656	qigepe.exe	boniy.exe
PID 3656 wrote to memory of 1684	3656	qigepe.exe	cmd.exe
PID 3656 wrote to memory of 1684	3656	qigepe.exe	cmd.exe
PID 3656 wrote to memory of 1684	3656	qigepe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe
"C:\Users\Admin\AppData\Local\Temp\2db435a5b735d06dc39ab8af1ff88f4518e0eb7fe596b6e922df7965c8e125e9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\axruy.exe
  "C:\Users\Admin\AppData\Local\Temp\axruy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\qigepe.exe
    "C:\Users\Admin\AppData\Local\Temp\qigepe.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\boniy.exe
      "C:\Users\Admin\AppData\Local\Temp\boniy.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
f20a80649e363503484b52599b4bbae2

SHA1
baa779b5f6fb853c400b579522f2820fa27d8dc4

SHA256
1d1420fe8ae04feaf8639ddec9112e3ef62dfc39c0b28dfa5801570838b777f4

SHA512
c9ce1ec8e939f612a9ffe2ed49652b7ab684086fa3a733bc8cc9c2923bbaadba8207fc5eefa7bd6f9566fd37e6a0c179266b1c60e82f4956704775c9d5ac85ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
d77a30cc72ba151d144f6bb92066f587

SHA1
cbeadc5ce60eb98b851a71503c397333e0eed6b4

SHA256
556f59a530c8e33bdd312884026fdefd390e091b67a0dd843542f2fa0b682b69

SHA512
b2b30fd16f693df0e7e9319b2f9476b6d583f96920b58b2a045689934451bb1eb1a4ed00700d85ff757e1d366e9af0244bb2f2beb1da7d1ff2f9ddab2d5488c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\axruy.exe

Filesize
331KB

MD5
03186d606917acc68756e7a645a8d3b2

SHA1
0849d3f5979b1dcc84276b4c976a776006049c4e

SHA256
b572555eb3ecb7db37507bd84d7aa5b85459beef2f2f105191d0bc5633f372db

SHA512
1bebd10c7c1b289e48a3d35469b0fba733460dcdafdbbaec1a36735a8d1d44ee9769caea9e0a958313c2db9a94f7b057e0b48eac1311caf8def0087d4c4938d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\boniy.exe

Filesize
136KB

MD5
115d34f9e635d30ccd6e3b2cd5cfe759

SHA1
582fc6f3c22c378a48f7315da3df2b4d184b5fb9

SHA256
e47614e7566c07022f246d119d1ff1664625105743c93b7fbcb1f7dfb89b45c8

SHA512
f7904e9c024cbbff3ec37baef05274586f915fd397c2ee2cdeb4c0243a32732cc57e720d70d077f2b39909e3dacbc04f3b6911fc79002b14be0a9f99fc557914

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ba5751f74d00f444e01ce547dfe9a9d8

SHA1
b1da753fe9ccc60855fa592f4a720131594d082f

SHA256
f8c15d9880a1270838c406a2ca962e11f62382d8991b573b69a5c787425db878

SHA512
491778375ece7a3eaf9fc616190fb4e5b9444a71ba20de0b179509008348f448f20321b0b7afd9347fac1b2ae8169dc3a9e302430a69122f12886dc1b15b9a73

Download Submit
memory/2184-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3656-42-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3656-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4752-14-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4752-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4808-41-0x0000000000C40000-0x0000000000CCC000-memory.dmp

Filesize
560KB

Download
memory/4808-38-0x0000000000C40000-0x0000000000CCC000-memory.dmp

Filesize
560KB

Download
memory/4808-37-0x0000000000C40000-0x0000000000CCC000-memory.dmp

Filesize
560KB

Download
memory/4808-39-0x0000000000C40000-0x0000000000CCC000-memory.dmp

Filesize
560KB

Download
memory/4808-44-0x0000000000C40000-0x0000000000CCC000-memory.dmp

Filesize
560KB

Download
memory/4808-45-0x0000000000C40000-0x0000000000CCC000-memory.dmp

Filesize
560KB

Download
memory/4808-46-0x0000000000C40000-0x0000000000CCC000-memory.dmp

Filesize
560KB

Download
memory/4808-47-0x0000000000C40000-0x0000000000CCC000-memory.dmp

Filesize
560KB

Download
memory/4808-48-0x0000000000C40000-0x0000000000CCC000-memory.dmp

Filesize
560KB

Download
memory/4808-49-0x0000000000C40000-0x0000000000CCC000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads