urelas | 943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702

General

Target

943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
Size

337KB
MD5

a180800232f58a1f6096d76c594bf860
SHA1

4f5ff11730ec328878bc3e6f23e4f060dc20b2a0
SHA256

943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702
SHA512

9592f1979aa1f1363203de4e125421c1697748aa033d5792f320b9ce02a1215f9e18539ad5ccac5df3f12d7301986370d45c38b1ec7504ddc0dbd1611724c852
SSDEEP

6144:4x4ITLKT/MUbCYqLbbCM2dWwh3gNUie2Jy+5vmSZGpd:4x4+LmMUbXq/byKLe2JPFS

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000015d0e-12.dat	aspack_v212_v242
behavioral1/files/0x0009000000015d41-40.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2360	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1620	ebzuy.exe
2600	wyfuv.exe

Loads dropped DLL 2 IoCs

pid	Process
1704	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
1620	ebzuy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyfuv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebzuy.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe
2600	wyfuv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1620	1704	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe	30
PID 1704 wrote to memory of 1620	1704	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe	30
PID 1704 wrote to memory of 1620	1704	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe	30
PID 1704 wrote to memory of 1620	1704	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe	30
PID 1704 wrote to memory of 2360	1704	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe	31
PID 1704 wrote to memory of 2360	1704	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe	31
PID 1704 wrote to memory of 2360	1704	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe	31
PID 1704 wrote to memory of 2360	1704	943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe	31
PID 1620 wrote to memory of 2600	1620	ebzuy.exe	34
PID 1620 wrote to memory of 2600	1620	ebzuy.exe	34
PID 1620 wrote to memory of 2600	1620	ebzuy.exe	34
PID 1620 wrote to memory of 2600	1620	ebzuy.exe	34

C:\Users\Admin\AppData\Local\Temp\943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe
"C:\Users\Admin\AppData\Local\Temp\943e68e3fcc7e625c52c1967e898594cffda216d2db95345a057a3f3e3c51702N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\ebzuy.exe
  "C:\Users\Admin\AppData\Local\Temp\ebzuy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\wyfuv.exe
    "C:\Users\Admin\AppData\Local\Temp\wyfuv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
e91efa32c84a1881b1d18e4f5ad1ad2f

SHA1
5dcb841f644605b0266eb3a46590826751165615

SHA256
c186755c7beb23e3f69536ec56b6158f429cffb00a917b8b7e7573a5f4d55ed3

SHA512
6e43bdee1cd15e66f1aeec474188de3402b5c75af2191fc45d16662ad75c697d1984af8b6aebf590fd2ccc0d9d0f36eb2745e2854b886472e3883ea03f876749

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebzuy.exe

Filesize
337KB

MD5
50c917ed0aeca78dd0d131165258b863

SHA1
aa6db4f0ca07d0792290309b003d42cf9094e12b

SHA256
9ec3e319b904ea615cfb927c6c9e2be6ea5fadbbfb95923f4f5b3ea3d2ee83df

SHA512
a946017b4b73647ab131d417ebbd91bc62d34fcbcd2987dec2d78219a4b91918ef1225ca525e26908978e18cde836a1251daa79c6ac3652b5bd0906d6bc60242

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cca0f9e42ab0d43594932d2abb4972a5

SHA1
03485008474adc2774822bc2265719e95e98de45

SHA256
e5e959c221bf509ffe2c8cba61c5a84b84d1f7ae19a7847aabab8eb92f146ed5

SHA512
4002ebb6ac2c6c7798b5dabe2331e75e31c2dd11aa86db2fb0b1fc6b597f35a5730e8b8dfc5bee004da56a6e9dfe65deef0ce0c814bba0ecf58e96f9af9fc86b

Download Submit
\Users\Admin\AppData\Local\Temp\wyfuv.exe

Filesize
225KB

MD5
7430d38590273ca061b582058ed8bc20

SHA1
3d406937b620f6b40453370b62f51b9e4afc2c5d

SHA256
09792f4c43466d5a16c51eabb1a0ead03a2fba14464630b321dd3939113e60e2

SHA512
2b23253293d9ae66c5249e75378a8404ee0b8b873e89b1ed059c13c6768022e667112851a4bf8f5dd47e405b4ff11815b1a4a93d6ef7aa8eaefce647357ce81d

Download Submit
memory/1620-43-0x00000000036F0000-0x000000000378E000-memory.dmp

Filesize
632KB

Download
memory/1620-46-0x00000000011D0000-0x0000000001250000-memory.dmp

Filesize
512KB

Download
memory/1620-21-0x00000000011D0000-0x0000000001250000-memory.dmp

Filesize
512KB

Download
memory/1620-29-0x00000000011D0000-0x0000000001250000-memory.dmp

Filesize
512KB

Download
memory/1620-23-0x00000000011D0000-0x0000000001250000-memory.dmp

Filesize
512KB

Download
memory/1620-26-0x00000000011D0000-0x0000000001250000-memory.dmp

Filesize
512KB

Download
memory/1620-25-0x00000000011D0000-0x0000000001250000-memory.dmp

Filesize
512KB

Download
memory/1620-24-0x00000000011D0000-0x0000000001250000-memory.dmp

Filesize
512KB

Download
memory/1704-4-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/1704-20-0x0000000002BC0000-0x0000000002C40000-memory.dmp

Filesize
512KB

Download
memory/1704-3-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/1704-0-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/1704-22-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/1704-1-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/1704-2-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/2600-50-0x0000000001120000-0x00000000011BE000-memory.dmp

Filesize
632KB

Download
memory/2600-49-0x0000000001120000-0x00000000011BE000-memory.dmp

Filesize
632KB

Download
memory/2600-48-0x0000000001120000-0x00000000011BE000-memory.dmp

Filesize
632KB

Download
memory/2600-47-0x0000000001120000-0x00000000011BE000-memory.dmp

Filesize
632KB

Download
memory/2600-52-0x0000000001120000-0x00000000011BE000-memory.dmp

Filesize
632KB

Download
memory/2600-53-0x0000000001120000-0x00000000011BE000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing