urelas | eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5

General

Target

eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe
Size

329KB
MD5

6812c0ef40c70d2409b123e19350c1e1
SHA1

55480d53effecf77d8c71c9df16586d7542e2baf
SHA256

eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5
SHA512

cd08ab3121278108e17ee22df078f7c9b035932bfa55693f1db1675dba7754057d531499ffdd9cb11923de914185fd1ef85671d45bd75ac29cc74cd8da821d7c
SSDEEP

6144:zPVgqTQ9zAjPGhwLycSURGPp0RCeiYwpPaXRaBAz7jNsNRpxo3UBQE743vopF5:zPhTIzAjPHkUkPLeSPaXRL7xsNRXEFEH

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000016d36-8.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2452	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2092	amijv.exe
2016	yvfuj.exe

Loads dropped DLL 2 IoCs

pid	Process
3004	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe
2092	amijv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvfuj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amijv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe
2016	yvfuj.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2092	3004	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	30
PID 3004 wrote to memory of 2092	3004	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	30
PID 3004 wrote to memory of 2092	3004	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	30
PID 3004 wrote to memory of 2092	3004	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	30
PID 3004 wrote to memory of 2452	3004	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	31
PID 3004 wrote to memory of 2452	3004	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	31
PID 3004 wrote to memory of 2452	3004	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	31
PID 3004 wrote to memory of 2452	3004	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	31
PID 2092 wrote to memory of 2016	2092	amijv.exe	34
PID 2092 wrote to memory of 2016	2092	amijv.exe	34
PID 2092 wrote to memory of 2016	2092	amijv.exe	34
PID 2092 wrote to memory of 2016	2092	amijv.exe	34

C:\Users\Admin\AppData\Local\Temp\eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe
"C:\Users\Admin\AppData\Local\Temp\eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\amijv.exe
  "C:\Users\Admin\AppData\Local\Temp\amijv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\yvfuj.exe
    "C:\Users\Admin\AppData\Local\Temp\yvfuj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
76b2064fc7afd7b80fd7e869b06932d4

SHA1
26edb10067b620f24f9f0481d52ccbf47181635d

SHA256
a94f410d97ad4d13464d48b1bf49a294827d41042da44ceb73521f6c6dd0ff6a

SHA512
504d1c7cd7ea651ab58e137a597089f8bdeafbff0ced966290f652921391c9b5a5c7c4182fa635918ab2c2999cb8a6c7b70e9eaee335f665c888c69e5f2329e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6604c53ec61e1d2bc0f4a147fd04a692

SHA1
702d4712e6c960eeb47228486e88a11ae3b7130a

SHA256
3dfad7ada1e695884e940c00d4e2f1282096b8ef6188f073e2d5e779de920029

SHA512
74eb341ffa48443d3b50d376d31a263efdccecfe2679c8d69ddde78207dcec31946608bccf668ce2bb2b991f481d7a59a7d8134ae82c67e2a80302cfb06be833

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvfuj.exe

Filesize
197KB

MD5
ebd0d0aab3de2d2d56cb50c8bd5c22cf

SHA1
9fbac0f9a91547373ca661c6a9aaeafd9d135f39

SHA256
b793d1183aec4b1e9e0ab45721bf0c846991d99507ba91a1ae32c1d85d36afda

SHA512
6d9cebde299c00ca00f985465d0fda264370b558b9518bb86cac38c457e898c2c34d635a313ea3c60046ae584cf3c60da3763c422fbd0bda096c1dcfadc51a73

Download Submit
\Users\Admin\AppData\Local\Temp\amijv.exe

Filesize
329KB

MD5
a0f9e1fc183b1a2dd50ccf5790845e4b

SHA1
119f2d80521a1a09238cad881a673fbce3889f63

SHA256
b990d57b252155e6c1a3acd721548612a89db21c61632a209ec3ed816f599be8

SHA512
95adc45813f883afcc7f5b48ae264ac6fab2d2e7dd17573708ba5fd332912056d244906e0ded38d162a1bcc3b69c57a0953e445e37c3e328cf2f48f446224e2d

Download Submit
memory/2016-45-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2016-49-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2016-48-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2016-47-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2092-28-0x0000000000E80000-0x0000000000EFD000-memory.dmp

Filesize
500KB

Download
memory/2092-18-0x0000000000E80000-0x0000000000EFD000-memory.dmp

Filesize
500KB

Download
memory/2092-16-0x0000000000E80000-0x0000000000EFD000-memory.dmp

Filesize
500KB

Download
memory/2092-15-0x0000000000E80000-0x0000000000EFD000-memory.dmp

Filesize
500KB

Download
memory/2092-14-0x0000000000E80000-0x0000000000EFD000-memory.dmp

Filesize
500KB

Download
memory/2092-44-0x0000000000E80000-0x0000000000EFD000-memory.dmp

Filesize
500KB

Download
memory/3004-3-0x0000000000240000-0x00000000002BD000-memory.dmp

Filesize
500KB

Download
memory/3004-0-0x0000000000240000-0x00000000002BD000-memory.dmp

Filesize
500KB

Download
memory/3004-1-0x0000000000240000-0x00000000002BD000-memory.dmp

Filesize
500KB

Download
memory/3004-4-0x0000000000240000-0x00000000002BD000-memory.dmp

Filesize
500KB

Download
memory/3004-10-0x0000000001FE0000-0x000000000205D000-memory.dmp

Filesize
500KB

Download
memory/3004-25-0x0000000000240000-0x00000000002BD000-memory.dmp

Filesize
500KB

Download
memory/3004-2-0x0000000000240000-0x00000000002BD000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing