urelas | 1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30

General

Target

1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe
Size

329KB
MD5

d62edbb903c07c03db6f4f4e223100e0
SHA1

0b8d2a884b1be06bac1f0acba5ba440b5170fbe9
SHA256

1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30
SHA512

54548e2632999b9fcefaa9468f28b02def72f1cd772308444abe31287d8ea935e1776f58f137dca730523cab3c929633038cec2854ce5ab77ae1ebcb2c26773e
SSDEEP

6144:zPVgqTQ9zAjPGhwLycSURGPp0RCeiYwpPaXRaBAz7jNsNRpxo3UBQE743vopFR:zPhTIzAjPHkUkPLeSPaXRL7xsNRXEFEv

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000015b6e-8.dat	aspack_v212_v242
behavioral1/files/0x000a000000015b6e-50.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3040	niqyt.exe
1844	cohob.exe

Loads dropped DLL 2 IoCs

pid	Process
2404	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe
3040	niqyt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niqyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cohob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe
1844	cohob.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 3040	2404	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe	30
PID 2404 wrote to memory of 3040	2404	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe	30
PID 2404 wrote to memory of 3040	2404	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe	30
PID 2404 wrote to memory of 3040	2404	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe	30
PID 2404 wrote to memory of 2544	2404	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe	31
PID 2404 wrote to memory of 2544	2404	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe	31
PID 2404 wrote to memory of 2544	2404	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe	31
PID 2404 wrote to memory of 2544	2404	1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe	31
PID 3040 wrote to memory of 1844	3040	niqyt.exe	34
PID 3040 wrote to memory of 1844	3040	niqyt.exe	34
PID 3040 wrote to memory of 1844	3040	niqyt.exe	34
PID 3040 wrote to memory of 1844	3040	niqyt.exe	34

C:\Users\Admin\AppData\Local\Temp\1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe
"C:\Users\Admin\AppData\Local\Temp\1e747d4f439659ade5ce74171024f4764e58c4ca9ab9b69c375056d9696e1f30N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\niqyt.exe
  "C:\Users\Admin\AppData\Local\Temp\niqyt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\cohob.exe
    "C:\Users\Admin\AppData\Local\Temp\cohob.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
d7e36f5666c9241f982155c4a357314d

SHA1
7044fa30e82aff74ffb283bf20a9ed9918a31cb8

SHA256
373b4bf09edde46908f86ba18b0ce43a0bae0e79ae0e41a01e9c060e779afda7

SHA512
26ac63e0a367e48bb2a7ed1b9803cd7cae4fcd470c7e37b2a3d737613b952410916d1b46ae86d8dcbdc845a9bbb08ee75c7ba356f8428f492b5421bc198e42e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
376c921590d7d2d2fd317ae3cec5fea0

SHA1
da2e8e204414ec558b6e3a7480b5461fc3cbfeb8

SHA256
72c0d03a527f10fe81afdf605d8b8defdae459fd7d152207fa0362524fe32c65

SHA512
6e8a52fa9e961bf6a4e2d132d426131b422ed6f868cde39a658ceeed6ec5ffd0b460b97590eccb5621f571326be094685df667b1f1d74686a7bf964a7e0ade63

Download Submit
C:\Users\Admin\AppData\Local\Temp\niqyt.exe

Filesize
329KB

MD5
a29a5e993bf1139a70179222a3ec3a90

SHA1
81509318ac1e2d2482cd8097c8e9a9a72c188b30

SHA256
ffb853616dd12a1eedbca3a0985de33eec0027e5810c76672ab43aed6a03f89c

SHA512
a957a9ef65313ed8c7c3260a40bd274f81ab9a2af109edff4006612e1cab644091ef8f26099983cac2087b4f9635b1f4d30ce60f744322c2a4dc71477090aab3

Download Submit
\Users\Admin\AppData\Local\Temp\cohob.exe

Filesize
197KB

MD5
b73aa35512598ffc081b40a2f4e1dfdf

SHA1
1ca6d22c161e19bb7a4a3aafb32b7d8681da5780

SHA256
c587b927bfd5a93320a9255dba6308ebf088a664810ea6c7819781e2982df2c5

SHA512
5ef0356aa76424c836efc65a1e50711a1a165aafa0db7e8534e5c4115b22c1a28a5e747d874fa85ad34d2020b783fffd22f0620677efec026747f4daba27b3d2

Download Submit
\Users\Admin\AppData\Local\Temp\niqyt.exe

Filesize
329KB

MD5
46ad2820b9c82cc7cad4bae493019f2b

SHA1
40090a70e7f9afb05b73b97f8182b63b74f52c09

SHA256
01ea2a543128b9d6ab53d024ff260ade8393dddcdcf26579432c412f9a8e71d9

SHA512
5ada3bce7b2a8349e186a6304129ba804804a3f455e8bfa14a41e465c57801d011b5357132348f17b4c66a90170ef61aac99d73a9f8c1a6b929cfd9e8a232efc

Download Submit
memory/1844-52-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1844-48-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1844-53-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1844-51-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2404-1-0x0000000000C20000-0x0000000000C9D000-memory.dmp

Filesize
500KB

Download
memory/2404-23-0x0000000000C20000-0x0000000000C9D000-memory.dmp

Filesize
500KB

Download
memory/2404-19-0x0000000002690000-0x000000000270D000-memory.dmp

Filesize
500KB

Download
memory/2404-0-0x0000000000C20000-0x0000000000C9D000-memory.dmp

Filesize
500KB

Download
memory/2404-2-0x0000000000C20000-0x0000000000C9D000-memory.dmp

Filesize
500KB

Download
memory/2404-3-0x0000000000C20000-0x0000000000C9D000-memory.dmp

Filesize
500KB

Download
memory/2404-4-0x0000000000C20000-0x0000000000C9D000-memory.dmp

Filesize
500KB

Download
memory/3040-25-0x0000000001240000-0x00000000012BD000-memory.dmp

Filesize
500KB

Download
memory/3040-30-0x0000000001240000-0x00000000012BD000-memory.dmp

Filesize
500KB

Download
memory/3040-47-0x0000000001240000-0x00000000012BD000-memory.dmp

Filesize
500KB

Download
memory/3040-45-0x0000000003E10000-0x0000000003ED3000-memory.dmp

Filesize
780KB

Download
memory/3040-24-0x0000000001240000-0x00000000012BD000-memory.dmp

Filesize
500KB

Download
memory/3040-26-0x0000000001240000-0x00000000012BD000-memory.dmp

Filesize
500KB

Download
memory/3040-27-0x0000000001240000-0x00000000012BD000-memory.dmp

Filesize
500KB

Download
memory/3040-20-0x0000000001240000-0x00000000012BD000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing