urelas | f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273

General

Target

f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe
Size

332KB
MD5

5c4df1da18e57a71efdf938e40d62efd
SHA1

cf6f8ada5a361b75ab2a82ec0856363f26e4fbda
SHA256

f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273
SHA512

866633d215a632f5b91511077c9efb3085fe818168d7d0fdb472b9bcb229392e9dcbca302b0dbdd16e20d27619514dea28e63e551d680a0d6fec142ed6632d41
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisq:Nd7rpL43btmQ58Z27zw39gY2FeZhmz3

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ekbuf.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

leceze.exef2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exeuzfyg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	leceze.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	uzfyg.exe

Executes dropped EXE 3 IoCs

Processes:

uzfyg.exeleceze.exeekbuf.exe

pid process

4088 uzfyg.exe
2372 leceze.exe
2464 ekbuf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4088	uzfyg.exe
2372	leceze.exe
2464	ekbuf.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

uzfyg.execmd.exeleceze.exeekbuf.execmd.exef2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzfyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leceze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ekbuf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

ekbuf.exe

pid	process
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe
2464	ekbuf.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exeuzfyg.exeleceze.exe

description	pid	process	target process
PID 4156 wrote to memory of 4088	4156	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe	uzfyg.exe
PID 4156 wrote to memory of 4088	4156	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe	uzfyg.exe
PID 4156 wrote to memory of 4088	4156	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe	uzfyg.exe
PID 4156 wrote to memory of 2044	4156	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe	cmd.exe
PID 4156 wrote to memory of 2044	4156	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe	cmd.exe
PID 4156 wrote to memory of 2044	4156	f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe	cmd.exe
PID 4088 wrote to memory of 2372	4088	uzfyg.exe	leceze.exe
PID 4088 wrote to memory of 2372	4088	uzfyg.exe	leceze.exe
PID 4088 wrote to memory of 2372	4088	uzfyg.exe	leceze.exe
PID 2372 wrote to memory of 2464	2372	leceze.exe	ekbuf.exe
PID 2372 wrote to memory of 2464	2372	leceze.exe	ekbuf.exe
PID 2372 wrote to memory of 2464	2372	leceze.exe	ekbuf.exe
PID 2372 wrote to memory of 1460	2372	leceze.exe	cmd.exe
PID 2372 wrote to memory of 1460	2372	leceze.exe	cmd.exe
PID 2372 wrote to memory of 1460	2372	leceze.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe
"C:\Users\Admin\AppData\Local\Temp\f2b985ac56833c571839097b3c82afe2e11b43eb2dadda04844e6d63d1377273.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Users\Admin\AppData\Local\Temp\uzfyg.exe
  "C:\Users\Admin\AppData\Local\Temp\uzfyg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\leceze.exe
    "C:\Users\Admin\AppData\Local\Temp\leceze.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\ekbuf.exe
      "C:\Users\Admin\AppData\Local\Temp\ekbuf.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
b722de107bc5578e06db77458d4c3ce7

SHA1
02a959e32ff9df2770fddbe451774a4d25fd2dde

SHA256
abadec20cc4cc8efd5c9b609d9f23dd7640fede47d75d0f84d411e5cdde372dd

SHA512
d2bc21838cca678a40fb189a7a1e084510a0b88cdcc2f73a077c5c6d86e6c68e955bd74f413c1fbb3b95f58a4095b53308286e3e6bcac123debd2a1093efbb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
47dc7a732156b403ca0a12d9d5bee20f

SHA1
3e0ae0b28a40825edf05e7fab0b82e30186efeb1

SHA256
32de4e314c03eea206a03270e0880fa0d093978b808ef2118c75f891f9803890

SHA512
5585243b21f28f8373435f0d438585f8145fc9e8e83ba361f51e488a2b7999c8208125b9a984072d363b94467db29d0594ce50b5e035e5e388244b2b80b68693

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekbuf.exe

Filesize
136KB

MD5
24b1873e311d0b4179fa585e0c93f723

SHA1
6e31df458c1ffcc019f6e365e9dd8db7dd5ef69f

SHA256
59b4c7efb1d24753b1aa0868bd595cfb66eb4e48edef4270db33a6a761c14f36

SHA512
a19d73c47e088bc8d9dd2f22f1f4edba3ea97138b540b9268db7bab5c5908722ccdfab78c60387d290528d0c1d468c1a3d7efa32e5b24d8ad967b531cec7d624

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a39d198fb816c0fb8acd9f9edf303822

SHA1
2e2a434afd2481de49bf447e2a5dd033b7e12654

SHA256
58a110714441400ad03eb28ed40d375ee270e43203b9c6b04b03ba76a5c1726f

SHA512
5c99fe27b551d56e97af6a2bc3b43b5089f11cd7012b5468e4f494466921485f8e56f3d7458c083a1beefb97a3b49b3c04cd7ebc5e4b6fb7c1a66fd41612ecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzfyg.exe

Filesize
332KB

MD5
de45791e732526316ef285d2c2541a83

SHA1
7b322dfdd277dcfab06434de801774afe2191a89

SHA256
777c9913bd4f8ba73d704cb5f07475f5aa09d0399f5a0f0d92d6ac82bfa8ba9d

SHA512
1f36794e6485f8b5793f185792f8135abf76a7f4de51c4e7621b1c191c100a670d63b7c5c38ca65dddc0c77a5778ac5d408bf027ce12dbc39f5ca1c171339151

Download Submit
memory/2372-43-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2372-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2372-26-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2464-39-0x0000000000120000-0x00000000001AC000-memory.dmp

Filesize
560KB

Download
memory/2464-37-0x0000000000120000-0x00000000001AC000-memory.dmp

Filesize
560KB

Download
memory/2464-40-0x0000000000120000-0x00000000001AC000-memory.dmp

Filesize
560KB

Download
memory/2464-38-0x0000000000120000-0x00000000001AC000-memory.dmp

Filesize
560KB

Download
memory/2464-45-0x0000000000120000-0x00000000001AC000-memory.dmp

Filesize
560KB

Download
memory/2464-46-0x0000000000120000-0x00000000001AC000-memory.dmp

Filesize
560KB

Download
memory/2464-47-0x0000000000120000-0x00000000001AC000-memory.dmp

Filesize
560KB

Download
memory/4088-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4156-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4156-15-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads