urelas | c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365

General

Target

c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe
Size

419KB
MD5

ad3c035ef68a24ff4176375bcdbdfef0
SHA1

dfcf400b12143c8d1626517034261dd625c5cd53
SHA256

c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365
SHA512

d27ec8fc9abc4cc1f5a10e724ce1f74bbb09c5ca0c2d4b72aa0ff2e630a3f1b91db675d904bdb5e3d2118e513ee3657f588b3245da7f741020259862832d907b
SSDEEP

6144:tzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODsvFwy:hU7M5ijWh0XOW4sEfeOkr

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000016210-27.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2544	beven.exe
1380	suibb.exe

Loads dropped DLL 3 IoCs

pid	Process
2112	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe
2112	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe
2544	beven.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beven.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	suibb.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe
1380	suibb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2544	2112	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe	31
PID 2112 wrote to memory of 2544	2112	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe	31
PID 2112 wrote to memory of 2544	2112	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe	31
PID 2112 wrote to memory of 2544	2112	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe	31
PID 2112 wrote to memory of 2712	2112	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe	32
PID 2112 wrote to memory of 2712	2112	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe	32
PID 2112 wrote to memory of 2712	2112	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe	32
PID 2112 wrote to memory of 2712	2112	c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe	32
PID 2544 wrote to memory of 1380	2544	beven.exe	34
PID 2544 wrote to memory of 1380	2544	beven.exe	34
PID 2544 wrote to memory of 1380	2544	beven.exe	34
PID 2544 wrote to memory of 1380	2544	beven.exe	34

C:\Users\Admin\AppData\Local\Temp\c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe
"C:\Users\Admin\AppData\Local\Temp\c1eaa0ed3fdfb574288675a4ea0c53a4c8cdef8085efd15d02ac2ba483b2a365N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\beven.exe
  "C:\Users\Admin\AppData\Local\Temp\beven.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\suibb.exe
    "C:\Users\Admin\AppData\Local\Temp\suibb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
50ea792bba913a3073ea21487ce12fd4

SHA1
372b7c296584ddd49cff19f01b30899007bbb8a7

SHA256
c2e3684afedf466ee04c9013d86b89fb9d17a994ae1a1372866eeff0d54480b3

SHA512
21b21d857975c87f7e212a220f8ba3ee80edc985f7be6d7ac8893f1f0e6416a788cc44f55f3065a19958e1fe114148b1858e476b0f34978d24f50a47de6b967b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a6c1cb607b536f1724415a3688ef1591

SHA1
dd064d95c3dafaebf55cd279379ca92a95b34c45

SHA256
9e7c0d93b83e9d4360b38c29a79624b14b136d756237ef958406ec3818dab1c7

SHA512
009f42424b02c7e00f04cbffc6ba22e4ec1dc2fbd1d5c7e54716f103006e4a6fb5155e534740be04b96b0b3044c0f2a07e4901da6b210923e4b057b18b079105

Download Submit
\Users\Admin\AppData\Local\Temp\beven.exe

Filesize
419KB

MD5
231c62b3eabc270d381d4ce968064719

SHA1
42c30a196afa543de034873001b4ca23c011cdfe

SHA256
86e795db5dfa36fc7518231b39e9dd03bf44206f2cc17996e0d3cfc8ce046f10

SHA512
9cbccff0fa0b928e2affc5552b542e444d23ad7c227f64dbe55e962249144dde66d0ee32f11d25d2587544080e426fd0fdc108a147a21b09fd1daea34ab0562a

Download Submit
\Users\Admin\AppData\Local\Temp\suibb.exe

Filesize
212KB

MD5
01a6b66f9d9c071dfd3bab930025b69d

SHA1
d28a2a67b3583c3bef0e1cee26cefcdede4bffe5

SHA256
c91bb879d57512a9f38fea6bde1de05f1aa87d74c6b1bc422b5314dd6362ff14

SHA512
8fe2827584322d5612ccb09c42777d683b1e6a873adff4cd6a11066983e5df2468dc0b34919669fb9a5390218b70da6894dc3dd10a32762333f38f59adb17e36

Download Submit
memory/1380-34-0x0000000000C40000-0x0000000000CD4000-memory.dmp

Filesize
592KB

Download
memory/1380-32-0x0000000000C40000-0x0000000000CD4000-memory.dmp

Filesize
592KB

Download
memory/1380-35-0x0000000000C40000-0x0000000000CD4000-memory.dmp

Filesize
592KB

Download
memory/1380-33-0x0000000000C40000-0x0000000000CD4000-memory.dmp

Filesize
592KB

Download
memory/1380-37-0x0000000000C40000-0x0000000000CD4000-memory.dmp

Filesize
592KB

Download
memory/1380-38-0x0000000000C40000-0x0000000000CD4000-memory.dmp

Filesize
592KB

Download
memory/2112-11-0x00000000025E0000-0x0000000002645000-memory.dmp

Filesize
404KB

Download
memory/2112-12-0x00000000025E0000-0x0000000002645000-memory.dmp

Filesize
404KB

Download
memory/2112-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2112-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2544-24-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2544-31-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing