urelas | f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839

General

Target

f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe
Size

274KB
MD5

f7c9a018f5d66e1d592cd9181491e320
SHA1

78e1282d9944d4571a5b10514b34439283fab774
SHA256

f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839
SHA512

9a0dc299c081d1a2ba20ca2f2ac50d17d969c1e30d81d5770f4206465ae2dd146e4a13d46752784d25a7d5d9849a328b4fc2f24d8495ca0361fb8dc0062dc4bc
SSDEEP

6144:96xwSR5NtUIJEWyXuew+q1l0d2Js6H5/TZkT:9A3NtUISdPw+Elq2Jsm2T

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-37.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2700	puvyo.exe
1332	vizyf.exe

Loads dropped DLL 3 IoCs

pid	Process
2220	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe
2220	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe
2700	puvyo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puvyo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vizyf.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe
1332	vizyf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2700	2220	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe	30
PID 2220 wrote to memory of 2700	2220	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe	30
PID 2220 wrote to memory of 2700	2220	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe	30
PID 2220 wrote to memory of 2700	2220	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe	30
PID 2220 wrote to memory of 2784	2220	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe	31
PID 2220 wrote to memory of 2784	2220	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe	31
PID 2220 wrote to memory of 2784	2220	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe	31
PID 2220 wrote to memory of 2784	2220	f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe	31
PID 2700 wrote to memory of 1332	2700	puvyo.exe	34
PID 2700 wrote to memory of 1332	2700	puvyo.exe	34
PID 2700 wrote to memory of 1332	2700	puvyo.exe	34
PID 2700 wrote to memory of 1332	2700	puvyo.exe	34

C:\Users\Admin\AppData\Local\Temp\f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe
"C:\Users\Admin\AppData\Local\Temp\f62afee580a799901cf0a2224ebb969c3898fb383072e9743a9e5cd8bfc2a839N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\puvyo.exe
  "C:\Users\Admin\AppData\Local\Temp\puvyo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\vizyf.exe
    "C:\Users\Admin\AppData\Local\Temp\vizyf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
19aad9e281519c7639e609614a7fc59c

SHA1
2051ad675e5404794c25eb65d989c4372709972e

SHA256
66fbc901984b456f25aaf9a511d143789843a7d50a8aaec458f4166f4dc4d00d

SHA512
0801f4745c7bfa2cd48189de96766cd945074b5b31dd0b66babbfb4e69bcd78524e3fb94372a5904dd47e703a3fae6f1102784a29ca66bf917a9390a75bfb47d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
682dda94e3cf746ab72494a4883e91af

SHA1
b74b9081b62fb6a24e53955a9556ef65cf19c91e

SHA256
dba28ec762fc91f799162f7a8768a092ab91fe35d920ca155369d0ecaafe2ac5

SHA512
c5e779052acaaa114c7e2bbdb9334c51fc270da4a2701c7abbe96cf6bd33297d2c95b4c0cca950aba6927e95d647cc34ef939a128bd42ef61803f9057f22361c

Download Submit
\Users\Admin\AppData\Local\Temp\puvyo.exe

Filesize
274KB

MD5
c6f7a28c5756c2a7fef6f51765757bc5

SHA1
b6d2df31dd2b01c6746f6012f2e6388b794123fb

SHA256
677e01ffaea9fab4de091b1ae00057444dd86338986c86391e6c44d44b4d5128

SHA512
069e340b9d03559726a1f847e985c9f4f31f7979059ae02d6f18f24978ec95673ae9c8f92370d10925da2733a4878889e7b7b138ef161aa2cf666e56f8669130

Download Submit
\Users\Admin\AppData\Local\Temp\vizyf.exe

Filesize
216KB

MD5
197b3a632fbc5070f92d52e2876e64ad

SHA1
e24093fbbcfadd7dc8607e1ab69c1f5ae6979ff2

SHA256
9b8e8bcc467fd4f243ea9b6f8aeb762bcbab96409d79970d83e30f7435b9d9ef

SHA512
1a953ae0f2acc04aaa91690977c8cf77c5f91d2868b5631fae525acdafb0f29b8e58992fb9bf9c9a4f93333b6b7f0eef584b91d4cafd7cfd121d5404dcbd0343

Download Submit
memory/1332-44-0x00000000013E0000-0x0000000001482000-memory.dmp

Filesize
648KB

Download
memory/1332-46-0x00000000013E0000-0x0000000001482000-memory.dmp

Filesize
648KB

Download
memory/1332-50-0x00000000013E0000-0x0000000001482000-memory.dmp

Filesize
648KB

Download
memory/1332-45-0x00000000013E0000-0x0000000001482000-memory.dmp

Filesize
648KB

Download
memory/1332-47-0x00000000013E0000-0x0000000001482000-memory.dmp

Filesize
648KB

Download
memory/1332-49-0x00000000013E0000-0x0000000001482000-memory.dmp

Filesize
648KB

Download
memory/2220-12-0x0000000002AC0000-0x0000000002B28000-memory.dmp

Filesize
416KB

Download
memory/2220-22-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2220-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2220-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2700-25-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2700-41-0x00000000030C0000-0x0000000003162000-memory.dmp

Filesize
648KB

Download
memory/2700-43-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2700-26-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing