urelas | bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5a

General

Target

bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe
Size

411KB
MD5

aa97dcb39873e4a80aa2063724ee96b0
SHA1

bb5475dd2c5554a9afbdc14256fafbbec8fb0bda
SHA256

bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5a
SHA512

d9735c5123c29b148f3c47ef94b854c29649e16516d5593f5ebf1f29d1b9a0062ba5dbef6e008e1b7ba1db7e1d0c0dcb5ef60ec6ac7f3873efd9175c915288ad
SSDEEP

6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOC3l10:oU7M5ijWh0XOW4sEfeOWK

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\boapv.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2848 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

exjuc.exeboapv.exe

pid process

2296 exjuc.exe
1000 boapv.exe

pid	process
2848	cmd.exe

pid	process
2296	exjuc.exe
1000	boapv.exe

Loads dropped DLL 3 IoCs

Processes:

bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exeexjuc.exe

pid	process
1388	bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe
1388	bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe
2296	exjuc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

boapv.exebfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exeexjuc.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boapv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exjuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

boapv.exe

pid	process
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe
1000	boapv.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exeexjuc.exe

description	pid	process	target process
PID 1388 wrote to memory of 2296	1388	bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe	exjuc.exe
PID 1388 wrote to memory of 2296	1388	bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe	exjuc.exe
PID 1388 wrote to memory of 2296	1388	bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe	exjuc.exe
PID 1388 wrote to memory of 2296	1388	bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe	exjuc.exe
PID 1388 wrote to memory of 2848	1388	bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe	cmd.exe
PID 1388 wrote to memory of 2848	1388	bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe	cmd.exe
PID 1388 wrote to memory of 2848	1388	bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe	cmd.exe
PID 1388 wrote to memory of 2848	1388	bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe	cmd.exe
PID 2296 wrote to memory of 1000	2296	exjuc.exe	boapv.exe
PID 2296 wrote to memory of 1000	2296	exjuc.exe	boapv.exe
PID 2296 wrote to memory of 1000	2296	exjuc.exe	boapv.exe
PID 2296 wrote to memory of 1000	2296	exjuc.exe	boapv.exe

C:\Users\Admin\AppData\Local\Temp\bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe
"C:\Users\Admin\AppData\Local\Temp\bfc08bf1b6de34087a1c8e7e80ac574755734dbc2ebc540f94be23355c8f6c5aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\exjuc.exe
  "C:\Users\Admin\AppData\Local\Temp\exjuc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\boapv.exe
    "C:\Users\Admin\AppData\Local\Temp\boapv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
919ee717ce10c9512526d943d900af50

SHA1
1a8a93e78aaefb771106b590015451584cda802e

SHA256
ea905a861aba1abd52fa411ba61d3a319bd3be808132e94cb1c06f14c4ba7153

SHA512
7459119293859470f7f05fe200cacd584e54c7aed6d2a25dddad9369fd877e1432a11ad22254bf9d8b5a7bc2cb38973b1e6c96785c1498a547d927354f28cd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5275bfc2ff8024a2ae5eb0acfbb44418

SHA1
16dbb8d37f6a84411160a6236090049135b5fca5

SHA256
e6c49cd34fa3c42d2f8a79f12db9512f17e9b947d58135e72c030b9905d41e58

SHA512
dcbfac2afec548272dba6425c893c0cf8d2bd58d4823b5e1577b7ad07dc4627a8895096bcce73023bfea320e149044d3c0e4da7c585e8273aff7b7e2b6af1a4b

Download Submit
\Users\Admin\AppData\Local\Temp\boapv.exe

Filesize
212KB

MD5
925a4d1dd4197edd5d46e246281dcf9b

SHA1
801d352396911fa57abf0818f49f9a2d2f1f1e71

SHA256
72a6b41c4cdeb9a1751970711dfa9ebf14d53d59fc8320a79fa1f944f2f64fa3

SHA512
99130d5db11b17a14d0aa434fe0e5339645726f9abe0c82fb7609fc7cbafcf314268ae29fc141efc8ce681ab3b0c67b6c7b2d62d74043d6c15bc354d76c2885b

Download Submit
\Users\Admin\AppData\Local\Temp\exjuc.exe

Filesize
411KB

MD5
85b8da5f14dbedb02138abdeb79d8c0d

SHA1
d77df31fe9b492cb47cfe3f4a937fb234a7a93df

SHA256
c9caef10526f719dc8392f7d50dc988885c37dc22e4dc28299bb16e8d9d633eb

SHA512
0faf6a3d79740c9d560bd222cddfcc55c0d42c23140431c3265dd0f494100459f340fede22c93c58741d44b6b347639a1e3edc89e73c291522c2d7e951fecf92

Download Submit
memory/1000-35-0x0000000000CD0000-0x0000000000D64000-memory.dmp

Filesize
592KB

Download
memory/1000-36-0x0000000000CD0000-0x0000000000D64000-memory.dmp

Filesize
592KB

Download
memory/1000-34-0x0000000000CD0000-0x0000000000D64000-memory.dmp

Filesize
592KB

Download
memory/1000-33-0x0000000000CD0000-0x0000000000D64000-memory.dmp

Filesize
592KB

Download
memory/1000-38-0x0000000000CD0000-0x0000000000D64000-memory.dmp

Filesize
592KB

Download
memory/1000-39-0x0000000000CD0000-0x0000000000D64000-memory.dmp

Filesize
592KB

Download
memory/1388-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1388-12-0x0000000002A90000-0x0000000002AF5000-memory.dmp

Filesize
404KB

Download
memory/1388-6-0x0000000002A90000-0x0000000002AF5000-memory.dmp

Filesize
404KB

Download
memory/1388-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2296-24-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2296-30-0x0000000003AC0000-0x0000000003B54000-memory.dmp

Filesize
592KB

Download
memory/2296-32-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads