urelas | f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916

General

Target

f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe
Size

633KB
MD5

b6fcc67a9b78bb28d5bc74158357e28e
SHA1

ce94d1931bef3c8733228d6d72c9a360f215f2be
SHA256

f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916
SHA512

adf0977a1873edaf5a3850c97a11ee1e0e2b7faba10964670e86183229844fbdd41df0f2231794f11a0d423c36687aa0a162d73471c96b19df543ebebd334d37
SSDEEP

12288:5U7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsd3:5UowYcOW4a2YcOW4s

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000d000000015d79-27.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2408	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2764	opfuz.exe
2792	woter.exe

Loads dropped DLL 3 IoCs

pid	Process
2684	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe
2684	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe
2764	opfuz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opfuz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woter.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe
2792	woter.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2764	2684	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe	31
PID 2684 wrote to memory of 2764	2684	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe	31
PID 2684 wrote to memory of 2764	2684	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe	31
PID 2684 wrote to memory of 2764	2684	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe	31
PID 2684 wrote to memory of 2408	2684	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe	32
PID 2684 wrote to memory of 2408	2684	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe	32
PID 2684 wrote to memory of 2408	2684	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe	32
PID 2684 wrote to memory of 2408	2684	f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe	32
PID 2764 wrote to memory of 2792	2764	opfuz.exe	35
PID 2764 wrote to memory of 2792	2764	opfuz.exe	35
PID 2764 wrote to memory of 2792	2764	opfuz.exe	35
PID 2764 wrote to memory of 2792	2764	opfuz.exe	35

C:\Users\Admin\AppData\Local\Temp\f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe
"C:\Users\Admin\AppData\Local\Temp\f72169dfd962fc95e8c86d356d07c35cd96873260f5d31523c11dc93236af916.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\opfuz.exe
  "C:\Users\Admin\AppData\Local\Temp\opfuz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\woter.exe
    "C:\Users\Admin\AppData\Local\Temp\woter.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
da10abeb4dfac4621f590a9af1d3c77a

SHA1
991dfda107240588182ae1d67aba33e549094c8c

SHA256
163610e949e1abf0093d02a79f9d44d96d00adbf1d14165138b0fc196c55caba

SHA512
3db6a6502c7407d1e2bba2a29ebdd8c840d2f632e539bebe4d0d1e8d950ef8605fbd482ee7342313476052a3495eba06ab0ba5099a99dfc5af55645856e5d949

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b1d479e84ee8cadb2b1374045fe5e465

SHA1
acd262785a7e422e47677d67d30fcc47601f21dd

SHA256
8c74ebeeeb8c17c3b15a8b9409b70117e9aee46e5f82d46f85be9099063e013f

SHA512
8e5aeab4eb8e1e62b51ad03263ad9b19c640c73e3c9c8c02fd22776ae84189f0e738648617b2715a00204d5e007c2a5fc274e8e111e6ffd5533267dc63c363e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\opfuz.exe

Filesize
633KB

MD5
5c02da027c5145bfb775b23451096b46

SHA1
e44dd439fb28be797c0c400bf1f2013d3c731634

SHA256
cf873fe2a63389c3d690c4883f4b5d201e007db32e15fceb1e8cd17e6cebf74c

SHA512
698d20d4be9bc93c0ea5e04e9a611e488cad6cfceaeeddd4f3925e60f18a3574f9c91652eb8f71f3eabed8e5a8cbbfa2d5a1b31ef0088efaf495d77dc115d3f8

Download Submit
\Users\Admin\AppData\Local\Temp\woter.exe

Filesize
212KB

MD5
87818ec67a26aa6e301c8b14b347b1a7

SHA1
1d235fe1fed9afd837d2d2122b1514dcc68721e0

SHA256
b85eecad6d9e26dbeb56c664e10d36dd5cb7c4dbdb8f3f7f57057b6fc1d273bd

SHA512
28ebc3d39aa97f9cf6e1b25c173962fe19cf12a6342a6c3bc7cd9071c827acc7da2234e9be2ab67e0efb7dbfeac2c304eb3e96e2d8062008823dd2b62bee190b

Download Submit
memory/2684-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2684-18-0x00000000029A0000-0x0000000002A3B000-memory.dmp

Filesize
620KB

Download
memory/2684-23-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2764-30-0x00000000031D0000-0x0000000003264000-memory.dmp

Filesize
592KB

Download
memory/2764-24-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2764-20-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2764-32-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2792-35-0x0000000001360000-0x00000000013F4000-memory.dmp

Filesize
592KB

Download
memory/2792-36-0x0000000001360000-0x00000000013F4000-memory.dmp

Filesize
592KB

Download
memory/2792-34-0x0000000001360000-0x00000000013F4000-memory.dmp

Filesize
592KB

Download
memory/2792-33-0x0000000001360000-0x00000000013F4000-memory.dmp

Filesize
592KB

Download
memory/2792-38-0x0000000001360000-0x00000000013F4000-memory.dmp

Filesize
592KB

Download
memory/2792-39-0x0000000001360000-0x00000000013F4000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing