urelas | 384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5

General

Target

384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
Size

427KB
MD5

2c5283c0e5519979932fb112a11d86e3
SHA1

c512c7ca7666c6c7a20a82fa7b5b3c140587814e
SHA256

384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5
SHA512

0af2f0f0ccaa9029d99c6dbac951d928b68bb0c48d643d6d09d90a9e286aa4ea468c789b57d3f2bb0a9e450f0a1ef9f0bb69597a65c1f6156233b0962c2becf0
SSDEEP

6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsp:YU7M5ijWh0XOW4sEfeOA

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-28.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2900	lusit.exe
548	jufoa.exe

Loads dropped DLL 3 IoCs

pid	Process
2072	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
2072	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
2900	lusit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lusit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jufoa.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe
548	jufoa.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2900	2072	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	31
PID 2072 wrote to memory of 2900	2072	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	31
PID 2072 wrote to memory of 2900	2072	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	31
PID 2072 wrote to memory of 2900	2072	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	31
PID 2072 wrote to memory of 2700	2072	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	32
PID 2072 wrote to memory of 2700	2072	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	32
PID 2072 wrote to memory of 2700	2072	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	32
PID 2072 wrote to memory of 2700	2072	384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe	32
PID 2900 wrote to memory of 548	2900	lusit.exe	35
PID 2900 wrote to memory of 548	2900	lusit.exe	35
PID 2900 wrote to memory of 548	2900	lusit.exe	35
PID 2900 wrote to memory of 548	2900	lusit.exe	35

C:\Users\Admin\AppData\Local\Temp\384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe
"C:\Users\Admin\AppData\Local\Temp\384742a3c544e744778a18ca61173c8ba88fc8215523f535861bf0194188caa5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\lusit.exe
  "C:\Users\Admin\AppData\Local\Temp\lusit.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\jufoa.exe
    "C:\Users\Admin\AppData\Local\Temp\jufoa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
eb31203f5f96923d92feaff32488c418

SHA1
9705f8f7486538cf9e3189cf2f247613ca1ac64a

SHA256
97a329565d2ba8c8f6bf8fcdcb8f8022d8f2d9677c3c2592b46df9ca6743e4cc

SHA512
7bdaa10c1b77004b1e4b3d3842b62c95ea362cd5434d5c522cba872ae7e90a97d8713bb4ecd78cdc3f3fa0e5d909c02a4aaa1225d47cbaa4eacf2fdd4f75c94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b8f399a87b208776124ffaa71df6016d

SHA1
466d69b964b51777d4635e0ac5e5fde5aed65709

SHA256
bac6fd33da98668164f5dc4983134fbbfc8da9db9cf7d4b9c5f6141dbf91f2f1

SHA512
5434f898cd9f252f25fc1a57aee7f766d2b63b97eda80088c339d1f0c81bfdd66ece3bec3abce9ee3fe1ac2efdc3fc5e337b35dad445018857e535c94832393b

Download Submit
\Users\Admin\AppData\Local\Temp\jufoa.exe

Filesize
212KB

MD5
1b13b4efe6453a3ecb2d5094da6a4c1d

SHA1
06eb750ee608d72b168d5ed8ec02321beffbe180

SHA256
9d2134c1519bc00fef1673bcb671ce3b7de549d7ee667f1e5eeac346ed4f8582

SHA512
0e899f00eb0d4a13319d843bfe412881818390dd51c4cb1443106057b204dd4abf77e4514518772ecdd20ca9250d9514c3de9b2011b2dd52bed87f544d0627b0

Download Submit
\Users\Admin\AppData\Local\Temp\lusit.exe

Filesize
427KB

MD5
3cb7d6f95ea0a59704dd9fcef1f71292

SHA1
4abc0695f8f0a748f41897889944e080e46de7e1

SHA256
d212a51b823a337a7df54abe0454f9a6ab13a94899c4a28bc7ab5b547c0d179e

SHA512
7db0144562ba60e0edcdacaa5d116003f0284fd79f880c6ba2c470bccb0487ce00b7282348977cde33da11414f8ddd9d79e8771ce48a7b1431dcbd46f3ede8cf

Download Submit
memory/548-40-0x0000000000100000-0x0000000000194000-memory.dmp

Filesize
592KB

Download
memory/548-37-0x0000000000100000-0x0000000000194000-memory.dmp

Filesize
592KB

Download
memory/548-41-0x0000000000100000-0x0000000000194000-memory.dmp

Filesize
592KB

Download
memory/548-34-0x0000000000100000-0x0000000000194000-memory.dmp

Filesize
592KB

Download
memory/548-36-0x0000000000100000-0x0000000000194000-memory.dmp

Filesize
592KB

Download
memory/548-35-0x0000000000100000-0x0000000000194000-memory.dmp

Filesize
592KB

Download
memory/2072-11-0x0000000002530000-0x0000000002597000-memory.dmp

Filesize
412KB

Download
memory/2072-22-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2072-12-0x0000000002530000-0x0000000002597000-memory.dmp

Filesize
412KB

Download
memory/2072-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2900-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2900-32-0x00000000035F0000-0x0000000003684000-memory.dmp

Filesize
592KB

Download
memory/2900-31-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2900-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing