urelas | 158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59

General

Target

158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe
Size

633KB
MD5

ee07eb90a59c28a4fc93077c5c594070
SHA1

62dcfb3695ceb68f2da971da724c20abc87e51ab
SHA256

158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59
SHA512

7a9332da6b43709fa84955fe0dc37588dbf25d71b954b38425e0158243b0134c16b1b38712157f9933b10105ddb7efb77a8701ee990f37ed66c67a03abb304bb
SSDEEP

12288:5U7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsd/:5UowYcOW4a2YcOW4s

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000015d9a-28.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2468	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3064	imhic.exe
2840	cuqox.exe

Loads dropped DLL 3 IoCs

pid	Process
2068	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe
2068	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe
3064	imhic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imhic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuqox.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe
2840	cuqox.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 3064	2068	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe	30
PID 2068 wrote to memory of 3064	2068	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe	30
PID 2068 wrote to memory of 3064	2068	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe	30
PID 2068 wrote to memory of 3064	2068	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe	30
PID 2068 wrote to memory of 2468	2068	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe	31
PID 2068 wrote to memory of 2468	2068	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe	31
PID 2068 wrote to memory of 2468	2068	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe	31
PID 2068 wrote to memory of 2468	2068	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe	31
PID 3064 wrote to memory of 2840	3064	imhic.exe	34
PID 3064 wrote to memory of 2840	3064	imhic.exe	34
PID 3064 wrote to memory of 2840	3064	imhic.exe	34
PID 3064 wrote to memory of 2840	3064	imhic.exe	34

C:\Users\Admin\AppData\Local\Temp\158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe
"C:\Users\Admin\AppData\Local\Temp\158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\imhic.exe
  "C:\Users\Admin\AppData\Local\Temp\imhic.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\cuqox.exe
    "C:\Users\Admin\AppData\Local\Temp\cuqox.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
d7ea169707b71490a67796d977ee26d0

SHA1
15048f219c9d584665e7031c0c24ed97e7cffefa

SHA256
ad87c5660922c6c2de559c15b08323feb0986f6d553c72a0fa51e008e7fca9b5

SHA512
1374280e95b319c9ff1cdfc27565accd6f7f31f415bbb85f6f0b6ab5a5fda518696ba8a281cb559c8fc1c25466fbf1a40a2d899725db1bf600f88f2c03dcbc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
300808f93e7c209a15261acc5d9c593c

SHA1
76d6750d3bc3ff5febc6ac566e05e0b0a342acae

SHA256
b80d6673b74864402e312b7f8f4b4b56e72de2ac128b945e61b78eee86f2b0cd

SHA512
478cc6b33b0788cb4dded5a2712b3484281a34bd132bf9cdabf0f4547cd54d78e77011b18eb739d989a1ac1ab9efcf89646896e8a22b1d3964ef6549f138f08a

Download Submit
C:\Users\Admin\AppData\Local\Temp\imhic.exe

Filesize
633KB

MD5
25be7c3bf036e1f706389fa9ae3767ae

SHA1
68b56e41dee593ea7341a4c12d570bd73fca4864

SHA256
47554dc5b6edb52ce608bb08fe749a88a8ae99d3509ae7399f5adfe66362b56d

SHA512
3adcb66d8aebc8901297f77567a25141024729cb85fe2934afd95a901e7f7ea67d7c8679a57af626a861677a01f396106325162daca30323679b9e5ed655cdbd

Download Submit
\Users\Admin\AppData\Local\Temp\cuqox.exe

Filesize
212KB

MD5
0a5f667c1a669b204c80d5cf3cece6fc

SHA1
b5c34b8f38f78798ae4e36f912eca6dc813d3282

SHA256
c72c60ba697e1903a094fc3b2f58ec747811b1110eb2c5faa2bad4dcdb909922

SHA512
60831034234af0c1dbcb6b976d7703af122385b951fc3a276f213c6b01d7bd7c1ef9af2923cc274c6b49fe18a2940a06490d668881903b982ca6c20818558495

Download Submit
memory/2068-19-0x00000000026D0000-0x000000000276B000-memory.dmp

Filesize
620KB

Download
memory/2068-20-0x00000000026D0000-0x000000000276B000-memory.dmp

Filesize
620KB

Download
memory/2068-21-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2068-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2840-37-0x00000000000D0000-0x0000000000164000-memory.dmp

Filesize
592KB

Download
memory/2840-40-0x00000000000D0000-0x0000000000164000-memory.dmp

Filesize
592KB

Download
memory/2840-39-0x00000000000D0000-0x0000000000164000-memory.dmp

Filesize
592KB

Download
memory/2840-33-0x00000000000D0000-0x0000000000164000-memory.dmp

Filesize
592KB

Download
memory/2840-35-0x00000000000D0000-0x0000000000164000-memory.dmp

Filesize
592KB

Download
memory/2840-36-0x00000000000D0000-0x0000000000164000-memory.dmp

Filesize
592KB

Download
memory/3064-25-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3064-32-0x0000000003C20000-0x0000000003CB4000-memory.dmp

Filesize
592KB

Download
memory/3064-34-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3064-22-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing