urelas | 4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0

General

Target

4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe
Size

427KB
MD5

881101dfbab2828e70ee78e5c4bcb590
SHA1

74df88468a643d17fbf5d1fffabaab1d5e310dfb
SHA256

4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0
SHA512

979be186a0b3354fee5d06652fd15053f25974610aa4aee02f0cbe63293231bff8eda6c14b524cc7334b8cd5855f920c965c846d7888937d61126cd7fa65a78c
SSDEEP

6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsZ:YU7M5ijWh0XOW4sEfeO+

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-26.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2828	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2608	zevul.exe
3064	esenk.exe

Loads dropped DLL 3 IoCs

pid	Process
1488	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe
1488	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe
2608	zevul.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	esenk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zevul.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe
3064	esenk.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2608	1488	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe	31
PID 1488 wrote to memory of 2608	1488	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe	31
PID 1488 wrote to memory of 2608	1488	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe	31
PID 1488 wrote to memory of 2608	1488	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe	31
PID 1488 wrote to memory of 2828	1488	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe	32
PID 1488 wrote to memory of 2828	1488	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe	32
PID 1488 wrote to memory of 2828	1488	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe	32
PID 1488 wrote to memory of 2828	1488	4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe	32
PID 2608 wrote to memory of 3064	2608	zevul.exe	35
PID 2608 wrote to memory of 3064	2608	zevul.exe	35
PID 2608 wrote to memory of 3064	2608	zevul.exe	35
PID 2608 wrote to memory of 3064	2608	zevul.exe	35

C:\Users\Admin\AppData\Local\Temp\4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe
"C:\Users\Admin\AppData\Local\Temp\4cf87f7c0ea6fc6d1f6b9dd3b53fc7ac2f641c8329b6b0f56b1f4d2ec41cc3b0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\zevul.exe
  "C:\Users\Admin\AppData\Local\Temp\zevul.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\esenk.exe
    "C:\Users\Admin\AppData\Local\Temp\esenk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
3f83b98ebc543a7596da0f19701f9cd8

SHA1
3ce5dab1d85c23f3721cfa4aab6d9e9438914278

SHA256
ff0f86534782d2389216c0f6b2a27f165d53e6af070da71d45fc159bf4522580

SHA512
6c427e9ec53b6a958fa529e1e86f14b5a9353befee95f4f8853d923435eefabb721d4ab78d71f8006a17dec374af739e6f05dd4ce5ebc3051129131ca5c075c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d34020493891ad72d97663742b16d7db

SHA1
4e999085ac8840ce6f155c998e94a3c284079d76

SHA256
75c123db20a3ce9200183b776b4416da42d7b4021871365c46c67d781c509b5f

SHA512
f1d3215ee3e9d974092cbe025a70f80a6b4993c5ffc3832c8968aa5beb8bc186a8bb663922c5a8fea71b08cfc6ab7b357755c5ef09a313c4b32cc608399959e6

Download Submit
\Users\Admin\AppData\Local\Temp\esenk.exe

Filesize
212KB

MD5
5b79c23a852cdbec291807cd291e56ae

SHA1
dbd16cef4d06b9de2fbf517538e323d3c80dbc63

SHA256
7c0820d9acf4ebbf52aa3c3534857afbe621baccdd7578632c72b7fee361797c

SHA512
d09a3d5f170733eb369b47f110fa4de0cfb55e110ebebfa813c25db4980bda4d6c3b542828f0a087291a4f45145b4fd0162c50faa67c0dfbbff7a595297468f0

Download Submit
\Users\Admin\AppData\Local\Temp\zevul.exe

Filesize
427KB

MD5
c719ce294cb90b5759891036fe772516

SHA1
a20378c549ffba363c237089eb00ab8177fde9e2

SHA256
cc62f53ed61427ce1af0df3062953566abff72d8ed33e712059ce78892ad2898

SHA512
bb7735f34d92455ce6a3752c0bb516e212f4044661c57cef877e8e10122d4821906833c0bf8ef4ec723bc82152172a11078af462ba2358301bd034f6c620f9c4

Download Submit
memory/1488-17-0x00000000023E0000-0x0000000002447000-memory.dmp

Filesize
412KB

Download
memory/1488-20-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1488-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2608-23-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2608-29-0x0000000002080000-0x0000000002114000-memory.dmp

Filesize
592KB

Download
memory/2608-31-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3064-32-0x00000000013A0000-0x0000000001434000-memory.dmp

Filesize
592KB

Download
memory/3064-33-0x00000000013A0000-0x0000000001434000-memory.dmp

Filesize
592KB

Download
memory/3064-34-0x00000000013A0000-0x0000000001434000-memory.dmp

Filesize
592KB

Download
memory/3064-36-0x00000000013A0000-0x0000000001434000-memory.dmp

Filesize
592KB

Download
memory/3064-37-0x00000000013A0000-0x0000000001434000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing