urelas | eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5

General

Target

eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe
Size

329KB
MD5

6812c0ef40c70d2409b123e19350c1e1
SHA1

55480d53effecf77d8c71c9df16586d7542e2baf
SHA256

eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5
SHA512

cd08ab3121278108e17ee22df078f7c9b035932bfa55693f1db1675dba7754057d531499ffdd9cb11923de914185fd1ef85671d45bd75ac29cc74cd8da821d7c
SSDEEP

6144:zPVgqTQ9zAjPGhwLycSURGPp0RCeiYwpPaXRaBAz7jNsNRpxo3UBQE743vopF5:zPhTIzAjPHkUkPLeSPaXRL7xsNRXEFEH

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023c7d-10.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	rezuc.exe

Executes dropped EXE 2 IoCs

pid	Process
2768	rezuc.exe
2912	viwum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rezuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viwum.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe
2912	viwum.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 2768	4280	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	85
PID 4280 wrote to memory of 2768	4280	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	85
PID 4280 wrote to memory of 2768	4280	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	85
PID 4280 wrote to memory of 4996	4280	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	86
PID 4280 wrote to memory of 4996	4280	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	86
PID 4280 wrote to memory of 4996	4280	eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe	86
PID 2768 wrote to memory of 2912	2768	rezuc.exe	104
PID 2768 wrote to memory of 2912	2768	rezuc.exe	104
PID 2768 wrote to memory of 2912	2768	rezuc.exe	104

C:\Users\Admin\AppData\Local\Temp\eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe
"C:\Users\Admin\AppData\Local\Temp\eb82d0b21a43bbdfbc53b027d77fb4d4e5de25cd5c1648f9b409cbd1b34c2cc5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Local\Temp\rezuc.exe
  "C:\Users\Admin\AppData\Local\Temp\rezuc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\viwum.exe
    "C:\Users\Admin\AppData\Local\Temp\viwum.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
76b2064fc7afd7b80fd7e869b06932d4

SHA1
26edb10067b620f24f9f0481d52ccbf47181635d

SHA256
a94f410d97ad4d13464d48b1bf49a294827d41042da44ceb73521f6c6dd0ff6a

SHA512
504d1c7cd7ea651ab58e137a597089f8bdeafbff0ced966290f652921391c9b5a5c7c4182fa635918ab2c2999cb8a6c7b70e9eaee335f665c888c69e5f2329e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2ac957848d459d43c91d9740c3e48c14

SHA1
dccb5c3a0a106cedc47fbec14e5b44d695b6f1c1

SHA256
e75454f579346455d9a66aa399d4812548ae6f7bc971dd87458de41d7d921f02

SHA512
ac03f42dadeaa7fd3f719719d09c981eace99a0d31e6fc1a44d747691d5cd04d8e212eed6bc7fd4cbe9f398583d8562218f87ac22c164b470a3ff1bad41bd404

Download Submit
C:\Users\Admin\AppData\Local\Temp\rezuc.exe

Filesize
329KB

MD5
aca9cd1a68a0d83da9c2f137806a8417

SHA1
7719e8e9efd8739a74afd5d503b24ed8d84a46f4

SHA256
2fc697a77f921de50723096bdaa37ae47fd71745de2a79d5cad67e85c1d6b2eb

SHA512
6cc067a135b8cee0aa7a1dd35c1e015b28a9f535c98a235a34880cf5888672fcdccc6d9d4e897f8bd63a298ffea6c88f9ae9087f7e1fa1406a03438389eb2dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\viwum.exe

Filesize
197KB

MD5
78cdbe9453a1abe90cea9f7ecfecc33d

SHA1
e38efded4e31085d23b671044d32e99af16a12cf

SHA256
3ffbbd37b700814f7586214e40d92a094719e1c7f8e31784b41a293324284f63

SHA512
b20c123ec86317828d3f30033ed9d9318bc4831a9536afb214ae116227996d27a72c2425cbcff8f7267e0fb8ab91df5dba89afead114e596f962314e53495eaf

Download Submit
memory/2768-19-0x0000000000320000-0x000000000039D000-memory.dmp

Filesize
500KB

Download
memory/2768-45-0x0000000000320000-0x000000000039D000-memory.dmp

Filesize
500KB

Download
memory/2768-17-0x0000000000320000-0x000000000039D000-memory.dmp

Filesize
500KB

Download
memory/2768-16-0x0000000000320000-0x000000000039D000-memory.dmp

Filesize
500KB

Download
memory/2768-18-0x0000000000320000-0x000000000039D000-memory.dmp

Filesize
500KB

Download
memory/2768-20-0x0000000000320000-0x000000000039D000-memory.dmp

Filesize
500KB

Download
memory/2768-26-0x0000000000320000-0x000000000039D000-memory.dmp

Filesize
500KB

Download
memory/2912-43-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2912-47-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2912-48-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2912-49-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4280-2-0x0000000000440000-0x00000000004BD000-memory.dmp

Filesize
500KB

Download
memory/4280-23-0x0000000000440000-0x00000000004BD000-memory.dmp

Filesize
500KB

Download
memory/4280-3-0x0000000000440000-0x00000000004BD000-memory.dmp

Filesize
500KB

Download
memory/4280-1-0x0000000000440000-0x00000000004BD000-memory.dmp

Filesize
500KB

Download
memory/4280-4-0x0000000000440000-0x00000000004BD000-memory.dmp

Filesize
500KB

Download
memory/4280-0-0x0000000000440000-0x00000000004BD000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing