urelas | 3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48e

General

Target

3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe
Size

427KB
MD5

e648b0635d12efb3ec00cab6d95b8e40
SHA1

828a988cc7fe85f2d99a8e4d3eee765ecc50d5c4
SHA256

3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48e
SHA512

b61eb200dbc3b4fa2a133f31575d91a182fc37b5906306a1f1678bd2f8101581604a7c36e5c2a278180b6350e7d0ed3367a9efabf502a3c1b8a6fb18674844f5
SSDEEP

6144:EKbwhNxUjDVMytD2NkWuRk/oBmodd+sAaTmQo2fkKG:vANxU3VH1t19MsAlpXZ

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\kyabs.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2836 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

xojas.exekyabs.exe

pid process

1284 xojas.exe
2840 kyabs.exe

pid	process
2836	cmd.exe

pid	process
1284	xojas.exe
2840	kyabs.exe

Loads dropped DLL 3 IoCs

Processes:

3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exexojas.exe

pid	process
1832	3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe
1832	3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe
1284	xojas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exexojas.execmd.exekyabs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xojas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyabs.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

kyabs.exe

pid	process
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe
2840	kyabs.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exexojas.exe

description	pid	process	target process
PID 1832 wrote to memory of 1284	1832	3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe	xojas.exe
PID 1832 wrote to memory of 1284	1832	3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe	xojas.exe
PID 1832 wrote to memory of 1284	1832	3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe	xojas.exe
PID 1832 wrote to memory of 1284	1832	3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe	xojas.exe
PID 1832 wrote to memory of 2836	1832	3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe	cmd.exe
PID 1832 wrote to memory of 2836	1832	3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe	cmd.exe
PID 1832 wrote to memory of 2836	1832	3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe	cmd.exe
PID 1832 wrote to memory of 2836	1832	3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe	cmd.exe
PID 1284 wrote to memory of 2840	1284	xojas.exe	kyabs.exe
PID 1284 wrote to memory of 2840	1284	xojas.exe	kyabs.exe
PID 1284 wrote to memory of 2840	1284	xojas.exe	kyabs.exe
PID 1284 wrote to memory of 2840	1284	xojas.exe	kyabs.exe

C:\Users\Admin\AppData\Local\Temp\3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe
"C:\Users\Admin\AppData\Local\Temp\3c1148435fea0e979e87c9d93c29f9ee685a8cfca063bc25e78e929ee332e48eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\xojas.exe
  "C:\Users\Admin\AppData\Local\Temp\xojas.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\kyabs.exe
    "C:\Users\Admin\AppData\Local\Temp\kyabs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
880dbeb79cd26cd0cff5c79b950bc855

SHA1
9f3e1ea7bae694c9d1efb10c92996357ad094bc5

SHA256
4a3a8a623aca8fafb6d49d51e48da54155c0c58fea7967413f9134ed2db28000

SHA512
05cde8764a19e3e8d9ca4e657f5e7e30272a5d4e58d44d34a0e209a4023c83a64b2980156bc5d30510438b2d7b107b939a286e4f8fc0c73a8798bebda17f739d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
06bb4d3de96d362c1871f696756962c8

SHA1
7b2107f541f463d9f6d243000324369a7079c719

SHA256
257d63aaeb91f07294d7b64ce97719cbd1c922e803aee7cd8106ed3f32e276fe

SHA512
b0ac71a249605fa0ca99caabacc0f4b047e1256175e1caa3012aad983261d6c31ab218145b95d28016d8cd8a8ad86e27a2ae848a3bbab3dd322ed7415d56417c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xojas.exe

Filesize
427KB

MD5
2c5f60d8da4b48e3a8ffc55f25945565

SHA1
d30bff3ff8e56eb938142616877c0b4ab94151cf

SHA256
ee1c36d29df7260cb8d29c381bbda0e7d1b6c19a59eb39c558c229f67d751e33

SHA512
eea2f90f457b60232796988417a1c923f65f86934e7cfb291ddbcbca08b1748035a27042ef694e99222f0a79f24083d18464a65b260fa22791bbab66402a7762

Download Submit
\Users\Admin\AppData\Local\Temp\kyabs.exe

Filesize
216KB

MD5
a983f7b5dab085f17a00ed5da009dd13

SHA1
4201a8af501e005bee4a352e96ec8948c9733a1b

SHA256
0cce80b710a464a4ed736bffbc81d589508d4c9855be0023d701d832e18e7466

SHA512
5acda00e2e1e014fcbab02836767b61d8f94d374f3d63fb85e1294c73326e451449d9d7ee48234a01bd76e566c996d1eceefba6c39e6d5d4b2a00e4a4e134558

Download Submit
memory/1284-31-0x00000000036A0000-0x0000000003742000-memory.dmp

Filesize
648KB

Download
memory/1284-33-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1284-21-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1284-25-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1832-24-0x0000000002460000-0x00000000024C8000-memory.dmp

Filesize
416KB

Download
memory/1832-20-0x0000000002460000-0x00000000024C8000-memory.dmp

Filesize
416KB

Download
memory/1832-19-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1832-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2840-34-0x00000000012F0000-0x0000000001392000-memory.dmp

Filesize
648KB

Download
memory/2840-37-0x00000000012F0000-0x0000000001392000-memory.dmp

Filesize
648KB

Download
memory/2840-35-0x00000000012F0000-0x0000000001392000-memory.dmp

Filesize
648KB

Download
memory/2840-36-0x00000000012F0000-0x0000000001392000-memory.dmp

Filesize
648KB

Download
memory/2840-39-0x00000000012F0000-0x0000000001392000-memory.dmp

Filesize
648KB

Download
memory/2840-40-0x00000000012F0000-0x0000000001392000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads