urelas | eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299

General

Target

eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe
Size

427KB
MD5

6ba741900c355365d53ea7225b8fb590
SHA1

95681d7c716471d60b9a218794b6d0a8d500bcc5
SHA256

eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299
SHA512

a77756fa5e27373758146b15f4a7d62a8cdda0224b622f0a8036703f93151781782af773dd5c545e35a8e742482e64061a3fc0942a5a09432db288378fc3363b
SSDEEP

6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsx:YU7M5ijWh0XOW4sEfeOg

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000707-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	yvvoe.exe

Executes dropped EXE 2 IoCs

pid	Process
1544	yvvoe.exe
3220	pugus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pugus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvvoe.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe
3220	pugus.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 1544	2892	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe	82
PID 2892 wrote to memory of 1544	2892	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe	82
PID 2892 wrote to memory of 1544	2892	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe	82
PID 2892 wrote to memory of 3344	2892	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe	83
PID 2892 wrote to memory of 3344	2892	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe	83
PID 2892 wrote to memory of 3344	2892	eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe	83
PID 1544 wrote to memory of 3220	1544	yvvoe.exe	94
PID 1544 wrote to memory of 3220	1544	yvvoe.exe	94
PID 1544 wrote to memory of 3220	1544	yvvoe.exe	94

C:\Users\Admin\AppData\Local\Temp\eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe
"C:\Users\Admin\AppData\Local\Temp\eff2c23ab5c459c186b9691469517842122adf02c92c52103679e125e0085299N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\yvvoe.exe
  "C:\Users\Admin\AppData\Local\Temp\yvvoe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\pugus.exe
    "C:\Users\Admin\AppData\Local\Temp\pugus.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
47b1191d7d21f11c58c7d77512bb7b05

SHA1
cf26aa9dcebe7d9c3a89092205fb774aaef4ce32

SHA256
d94bc226df83f7889bc1ac3d72ec1d3508c5f682047a1850eb7f730eb127db92

SHA512
1d0c1f415ba14ab68f7cbb2fe09c2edd3a29753025e2f828b7b9d3a630c2ec503306a5755db033a3757cad198414f3fd88100745e51ea158ae10126083a1e5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2fda21c9d940ccf01034366b10728f99

SHA1
659efebf0284cd09ecdac6e1f8f05064ff7f9369

SHA256
6715d99c446915aeeb61ebb73cc377a0ba4a1beabd086c0f31cb67d7d9d20f33

SHA512
1dad40a7c0e666eabe4b9096422f16062bf5ed138879d1d78e472fcd3ac62e0cb7758c74ad2f9a4a8c4fac7d229cbc7019364c33c17dd59a995da731bd1833e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pugus.exe

Filesize
212KB

MD5
ba9da52bfe0767eca79b1ac7d3c019ab

SHA1
17847efa68a99b6ebbaba6b29351d2e11f9ac7a6

SHA256
e2c32cd054c2c75b49e6f7d9d37ca7c49dda65ab0a0f55468516a4d658d3789b

SHA512
801bec4fb49974b9fecd029b848b3396818f82864cb4c76ee17da99d48a985e4c1e5aacf62a8755bd243012672f81b5e2135a7f50fbd2f96d851c7ebd5f9e164

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvvoe.exe

Filesize
427KB

MD5
5e2a30a6e1ab391c091beb6082b74b65

SHA1
bf9d078cffc2f04077ad9ef34f0e5c49602b4607

SHA256
b1dc0042763b97d69307c5b17cd887c62087042535d82399d946a14f18be3452

SHA512
c31676cd4905596325c7f9c51507b2960aa0c47e50fab235ae335d864647d7cfb9034f6ecd49c023d8929a1852e4ddcc3ead2d41bb2cd583062ad09c49cee493

Download Submit
memory/1544-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1544-29-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2892-13-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2892-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3220-25-0x0000000000B90000-0x0000000000C24000-memory.dmp

Filesize
592KB

Download
memory/3220-28-0x0000000000B90000-0x0000000000C24000-memory.dmp

Filesize
592KB

Download
memory/3220-27-0x0000000000B90000-0x0000000000C24000-memory.dmp

Filesize
592KB

Download
memory/3220-26-0x0000000000B90000-0x0000000000C24000-memory.dmp

Filesize
592KB

Download
memory/3220-31-0x0000000000B90000-0x0000000000C24000-memory.dmp

Filesize
592KB

Download
memory/3220-32-0x0000000000B90000-0x0000000000C24000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing