urelas | eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299

General

Target

eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe
Size

427KB
MD5

6ba741900c355365d53ea7225b8fb590
SHA1

95681d7c716471d60b9a218794b6d0a8d500bcc5
SHA256

eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299
SHA512

a77756fa5e27373758146b15f4a7d62a8cdda0224b622f0a8036703f93151781782af773dd5c545e35a8e742482e64061a3fc0942a5a09432db288378fc3363b
SSDEEP

6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsx:YU7M5ijWh0XOW4sEfeOg

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-26.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2024	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2460	totyh.exe
1324	obxox.exe

Loads dropped DLL 3 IoCs

pid	Process
2336	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe
2336	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe
2460	totyh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	totyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obxox.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe
1324	obxox.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2460	2336	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe	30
PID 2336 wrote to memory of 2460	2336	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe	30
PID 2336 wrote to memory of 2460	2336	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe	30
PID 2336 wrote to memory of 2460	2336	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe	30
PID 2336 wrote to memory of 2024	2336	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe	31
PID 2336 wrote to memory of 2024	2336	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe	31
PID 2336 wrote to memory of 2024	2336	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe	31
PID 2336 wrote to memory of 2024	2336	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe	31
PID 2460 wrote to memory of 1324	2460	totyh.exe	34
PID 2460 wrote to memory of 1324	2460	totyh.exe	34
PID 2460 wrote to memory of 1324	2460	totyh.exe	34
PID 2460 wrote to memory of 1324	2460	totyh.exe	34

C:\Users\Admin\AppData\Local\Temp\eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe
"C:\Users\Admin\AppData\Local\Temp\eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\totyh.exe
  "C:\Users\Admin\AppData\Local\Temp\totyh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\obxox.exe
    "C:\Users\Admin\AppData\Local\Temp\obxox.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
47b1191d7d21f11c58c7d77512bb7b05

SHA1
cf26aa9dcebe7d9c3a89092205fb774aaef4ce32

SHA256
d94bc226df83f7889bc1ac3d72ec1d3508c5f682047a1850eb7f730eb127db92

SHA512
1d0c1f415ba14ab68f7cbb2fe09c2edd3a29753025e2f828b7b9d3a630c2ec503306a5755db033a3757cad198414f3fd88100745e51ea158ae10126083a1e5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2f4c5f528c8740f52a2f39f0a9ee8073

SHA1
366e13f1e9e88ea8731da14731053d11f6998c8f

SHA256
55d73ccd85f9e65b49a3e65d80b58311db116f37b8f656b40262f5d8c545d1ce

SHA512
4c387bd207b770745ab19ae71a5d23defb91e4e14af039273e4806372005351c24f22c67a2094b0b9b08d7de600e55daa6f1d6a7bfe20239d203a5f0a5171fcc

Download Submit
\Users\Admin\AppData\Local\Temp\obxox.exe

Filesize
212KB

MD5
d652b3a707740c77725e5ae6b90ca0db

SHA1
6236b095a5a9f3b7cd9c6e252613292e4526caf1

SHA256
fd12d317cb3f237a0f99197f1696bd6af803f17ec93b12e90d922f7cc7ea6024

SHA512
80e63622420bbb2ba0ecd1281882f0dac6e6936d9cb88cd1dfb5706c4f52bb1d26780088671899a181c0935dfe3faed1c469c5aa6525d576a7f417d69c8b4fa9

Download Submit
\Users\Admin\AppData\Local\Temp\totyh.exe

Filesize
427KB

MD5
93f09a016a410ebe859d61b1ba0d0c42

SHA1
2e0f740b10d386edb5d22b34814fd54dee9bd0bc

SHA256
29474ddb1ea83f57d9ab96fc0fc0a6a9c48c8f9220d2b9ad76f9eb65f9a76e96

SHA512
6d98a1920f61de148c014360e182129ff25f37a442982a97dc09c5715f368cc98b6c50002ebd13d1340f287da46f0455343ff5ae130ef70929ee9bbd29c27b95

Download Submit
memory/1324-32-0x00000000011E0000-0x0000000001274000-memory.dmp

Filesize
592KB

Download
memory/1324-33-0x00000000011E0000-0x0000000001274000-memory.dmp

Filesize
592KB

Download
memory/1324-35-0x00000000011E0000-0x0000000001274000-memory.dmp

Filesize
592KB

Download
memory/1324-34-0x00000000011E0000-0x0000000001274000-memory.dmp

Filesize
592KB

Download
memory/1324-37-0x00000000011E0000-0x0000000001274000-memory.dmp

Filesize
592KB

Download
memory/1324-38-0x00000000011E0000-0x0000000001274000-memory.dmp

Filesize
592KB

Download
memory/2336-20-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2336-11-0x00000000024E0000-0x0000000002547000-memory.dmp

Filesize
412KB

Download
memory/2336-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2460-23-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2460-31-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2460-28-0x0000000002F00000-0x0000000002F94000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing