urelas | 0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93

General

Target

0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe
Size

636KB
MD5

11886b65ec7637fd092d18acbdb6661e
SHA1

65059e8ab7c5fd4bf00178d12515e782b11de4e0
SHA256

0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93
SHA512

1b1dd22af551fc35d760b0bfa1cb65057047e8d9ca73a7d8cc3d2c6ff343df5e5cce57a9e0e0e4d5c940102c68588ccc0a05a7ff96d96c12ba2f9508b55bb136
SSDEEP

12288:RU7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsJ:RUowYcOW4a2YcOW4C

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000707-22.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	ylcyu.exe

Executes dropped EXE 2 IoCs

pid	Process
2900	ylcyu.exe
1208	ubsya.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ylcyu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ubsya.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe
1208	ubsya.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 2900	4028	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	86
PID 4028 wrote to memory of 2900	4028	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	86
PID 4028 wrote to memory of 2900	4028	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	86
PID 4028 wrote to memory of 3964	4028	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	87
PID 4028 wrote to memory of 3964	4028	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	87
PID 4028 wrote to memory of 3964	4028	0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe	87
PID 2900 wrote to memory of 1208	2900	ylcyu.exe	105
PID 2900 wrote to memory of 1208	2900	ylcyu.exe	105
PID 2900 wrote to memory of 1208	2900	ylcyu.exe	105

C:\Users\Admin\AppData\Local\Temp\0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe
"C:\Users\Admin\AppData\Local\Temp\0e2534baa7b6e1159cf1bd36cc86c465dbaf527076cd8d673a0843463d7d1c93.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\ylcyu.exe
  "C:\Users\Admin\AppData\Local\Temp\ylcyu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\ubsya.exe
    "C:\Users\Admin\AppData\Local\Temp\ubsya.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2cf691e9fc741cf4bb9d4f9df3c5c0ec

SHA1
0f867a28088558ed0780a6ec6a0f81809687bc6d

SHA256
53698a9391ae197505b586dad042c2ecf0b91f75aa0a8fb78de8589e31df1d7e

SHA512
71d38fd1282364dad572e9d71d63832043735d12efd0fca2bc084f5476b77d5f39055607726ba0ec0bd5c36f35d88fb1f548b4e50723bb2ed9604bb00b0e77af

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c79b95ee2e056b1aa420f30e52afb750

SHA1
bacf17139a6b78c349f9435dd08e0d86acb7b6ea

SHA256
a144b71dba345a73d6a0723296c80ab42f1a822ae4af58eca438bbae4f6daeb0

SHA512
41e69ffad79393069d95e7117d6cc95d2c2cf7bc0388fcadd0263c72a1feb2d0353a1994c89837a7b88c0a28356c582f3daa34e017d6df803354400695ec9575

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubsya.exe

Filesize
212KB

MD5
5130b9adcbf2c9c832bce7ca2a68905e

SHA1
a540d0fc4f71ad2efce44c4c44b5e25a9bee4d6a

SHA256
b43d10af8b77f28e1ba8421432399f962961355923245d8afa678c28f797135e

SHA512
2330d09c1f5655bfa51cb7ef11d3c14ff90d024baa457ca6296c4cea9d734e2e6b48d2a397284f223107cec54ead176dcb1baf6aac639f2b9966cde6d534d5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ylcyu.exe

Filesize
636KB

MD5
34cd8734e7ec00110fd3c782aade1b37

SHA1
692c83a4dd815e0a16731fd784e240ddb4deed12

SHA256
7b3d8166fc10c958cee7f4c77098e3e77c0e37d7f368dded42bf822388169db6

SHA512
0292f05952f6d0b749b83f07f282a06bfd7f13be7044be3c0282e6347108fb5bb2c84576d51cd0f861f12ac170ef64d4f00f281984970a672e6557f3eb6c448b

Download Submit
memory/1208-29-0x0000000000BF0000-0x0000000000C84000-memory.dmp

Filesize
592KB

Download
memory/1208-33-0x0000000000BF0000-0x0000000000C84000-memory.dmp

Filesize
592KB

Download
memory/1208-32-0x0000000000BF0000-0x0000000000C84000-memory.dmp

Filesize
592KB

Download
memory/1208-28-0x0000000000BF0000-0x0000000000C84000-memory.dmp

Filesize
592KB

Download
memory/1208-26-0x0000000000BF0000-0x0000000000C84000-memory.dmp

Filesize
592KB

Download
memory/1208-30-0x0000000000BF0000-0x0000000000C84000-memory.dmp

Filesize
592KB

Download
memory/2900-17-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2900-27-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2900-12-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4028-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4028-14-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing