urelas | 158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59

General

Target

158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe
Size

633KB
MD5

ee07eb90a59c28a4fc93077c5c594070
SHA1

62dcfb3695ceb68f2da971da724c20abc87e51ab
SHA256

158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59
SHA512

7a9332da6b43709fa84955fe0dc37588dbf25d71b954b38425e0158243b0134c16b1b38712157f9933b10105ddb7efb77a8701ee990f37ed66c67a03abb304bb
SSDEEP

12288:5U7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsd/:5UowYcOW4a2YcOW4s

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000703-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	mixyp.exe

Executes dropped EXE 2 IoCs

pid	Process
4152	mixyp.exe
2148	xitod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixyp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xitod.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe
2148	xitod.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 4152	3680	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe	82
PID 3680 wrote to memory of 4152	3680	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe	82
PID 3680 wrote to memory of 4152	3680	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe	82
PID 3680 wrote to memory of 3760	3680	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe	83
PID 3680 wrote to memory of 3760	3680	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe	83
PID 3680 wrote to memory of 3760	3680	158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe	83
PID 4152 wrote to memory of 2148	4152	mixyp.exe	94
PID 4152 wrote to memory of 2148	4152	mixyp.exe	94
PID 4152 wrote to memory of 2148	4152	mixyp.exe	94

C:\Users\Admin\AppData\Local\Temp\158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe
"C:\Users\Admin\AppData\Local\Temp\158dd8b3fe1809b172949ee4fcce6f0c3a896efee4b3b5236525f31c021f5a59N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\mixyp.exe
  "C:\Users\Admin\AppData\Local\Temp\mixyp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\xitod.exe
    "C:\Users\Admin\AppData\Local\Temp\xitod.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
d7ea169707b71490a67796d977ee26d0

SHA1
15048f219c9d584665e7031c0c24ed97e7cffefa

SHA256
ad87c5660922c6c2de559c15b08323feb0986f6d553c72a0fa51e008e7fca9b5

SHA512
1374280e95b319c9ff1cdfc27565accd6f7f31f415bbb85f6f0b6ab5a5fda518696ba8a281cb559c8fc1c25466fbf1a40a2d899725db1bf600f88f2c03dcbc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d8fbb398f5d53a480a4ec5afefca40f0

SHA1
8852854ca1ddee401b836e06642a5745ebb46533

SHA256
246c52da8fa0911a1fd7915c318b9505e62ee9213b71752d5d943adbec55d2c1

SHA512
dbbc0c15a13bfdaf918dfc0766a849923354ca4750aecdb74cfb6acf2c3532702d743ce36b55b3f365ecf46e4f853b577c27e8c564965ecd589e1b50fa6781c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mixyp.exe

Filesize
633KB

MD5
bc1d2f402cdd2fb4a6591712abeafd87

SHA1
1e07f5cb2dd4a5bf1e6beec4b902567cdea14cb8

SHA256
2ba432406ade8d42fc650b38c7f6a32771769a54552bd5bc1833361bb2f3afcf

SHA512
0d8234a05a78477d2f869f1acf8b1d29c07a40f441c6cbe7b1a2a3bc38ae97b3506b26205709b1a48d635240c8d713f2b3f44956288f7feb1c0305baaf4b9b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xitod.exe

Filesize
212KB

MD5
694876d7f81a394a4cdd8a06747849d2

SHA1
75da5bb7ee28c78746894a5e01908bcce6fb36c1

SHA256
1990cc6275a50bf177d9edc1f011db6eebd3b0e9eb63097b3d9eec83e6efb0e4

SHA512
402cd54f0f520ed05836ee151ba18b8e2f7907f31b5b5adbcbe854a222b844b736fa57fe7e10222808254c30a89c42e6572fc11eeea410578272fe11239e090c

Download Submit
memory/2148-25-0x0000000000D60000-0x0000000000DF4000-memory.dmp

Filesize
592KB

Download
memory/2148-28-0x0000000000D60000-0x0000000000DF4000-memory.dmp

Filesize
592KB

Download
memory/2148-27-0x0000000000D60000-0x0000000000DF4000-memory.dmp

Filesize
592KB

Download
memory/2148-26-0x0000000000D60000-0x0000000000DF4000-memory.dmp

Filesize
592KB

Download
memory/2148-31-0x0000000000D60000-0x0000000000DF4000-memory.dmp

Filesize
592KB

Download
memory/2148-32-0x0000000000D60000-0x0000000000DF4000-memory.dmp

Filesize
592KB

Download
memory/3680-13-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3680-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4152-16-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4152-29-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing