urelas | 4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe
Size

292KB
MD5

6e91f34c4b411dbfd5700e9c26ec9e50
SHA1

cda3d2eed281fa65a830c0a420b1494a6ad19ad3
SHA256

4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54
SHA512

1d3f7d8fd836994e130584599f41142f89f4258e82e3f6f5457875479ece1d1e30a7cfe20ec2fc0e9a36f15cbbe0062604e0d623cf791a90ff8e62e5092a03c5
SSDEEP

6144:tfkEtfjev+ueKJD68yXWsutct2XhhbbQ5iL/Zd:tvdP+yXpuWw3nQ5Yz

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000023c8c-9.dat	aspack_v212_v242
behavioral2/files/0x0002000000022188-50.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	entom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	gosydy.exe

Executes dropped EXE 3 IoCs

pid	Process
4896	entom.exe
2168	gosydy.exe
1440	qegod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gosydy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qegod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	entom.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe
1440	qegod.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 4896	2968	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe	83
PID 2968 wrote to memory of 4896	2968	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe	83
PID 2968 wrote to memory of 4896	2968	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe	83
PID 2968 wrote to memory of 1928	2968	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe	84
PID 2968 wrote to memory of 1928	2968	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe	84
PID 2968 wrote to memory of 1928	2968	4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe	84
PID 4896 wrote to memory of 2168	4896	entom.exe	86
PID 4896 wrote to memory of 2168	4896	entom.exe	86
PID 4896 wrote to memory of 2168	4896	entom.exe	86
PID 2168 wrote to memory of 1440	2168	gosydy.exe	104
PID 2168 wrote to memory of 1440	2168	gosydy.exe	104
PID 2168 wrote to memory of 1440	2168	gosydy.exe	104
PID 2168 wrote to memory of 3660	2168	gosydy.exe	105
PID 2168 wrote to memory of 3660	2168	gosydy.exe	105
PID 2168 wrote to memory of 3660	2168	gosydy.exe	105

C:\Users\Admin\AppData\Local\Temp\4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe
"C:\Users\Admin\AppData\Local\Temp\4a83aac8e229fd8007f39ad18a282e5f6d2ea35dbb45495f00b4d6cc8ff40d54N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\entom.exe
  "C:\Users\Admin\AppData\Local\Temp\entom.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\gosydy.exe
    "C:\Users\Admin\AppData\Local\Temp\gosydy.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\qegod.exe
      "C:\Users\Admin\AppData\Local\Temp\qegod.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
7c16303c60e66e2b958c80e478fd57d7

SHA1
8161d987cebef704438efd70d635f768ea575428

SHA256
54dcfce3a2d5b60cddb82f3a69a3903c420bdab25df2f839880d625a24a5d2dc

SHA512
0eed435fb33bcbf02b2e4a69af8e73a1cf7f9ab2afa5faa8ce8185081db23e1a2c9c758c30bf88039fcf852b4268d2feeb0608132dd9520cb1df2ed0d0fb7989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
fd421fd548d7d4baa4c0b879d002b3ac

SHA1
c576e390744166b07012631d71b3f154ae2d1c19

SHA256
a1a48c2dcba16088ccfb641a5e1053337efe1f95bdd3fe66211101d457391f86

SHA512
8b0e9a436abc3dccfe696831fc27e6c3c0012a2de84932a5cf7e9bb05a4311c01baa6dd2b4c05d158d10eac52903da3ed1bcd1db55ee9a015d4c99411c3ade1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\entom.exe

Filesize
292KB

MD5
6f4aecb911dab49a88c5848aa68eef15

SHA1
da2188b91660ac2f8e8b412288f78e78cffc6306

SHA256
da0ad76f4b2d1409c02c72f45ad46e9e29301358c1505ae2a55db8d6f822aa6e

SHA512
2d01d57b451b801769ad6ebe8d3984b789ab6c9a5b5b10f7c4c87ab2d1c234e10c3c7e5aba689518515b6b5053737396df20352d1a8bde6274b44def4a699508

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9b743bd387101cab0497e6a84d077783

SHA1
ff1c6bb77b480a2bf84fb5fdf42ddf191ae826b1

SHA256
c4a3a7b7c721ac18c5bf4b91ae9df878224af1e49465c5ab897f13f10a8eac7a

SHA512
9ab587820678e580d6e572611ad560b023f9bd9c02f9758322d18a56c60d9c8b6084154417762a82c2728bd460ac702a102b2b558383b320ee30d7c5ba919f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\qegod.exe

Filesize
216KB

MD5
7de317f023556ff708946484e850dca3

SHA1
94dc0f3c53b3ef9c53b69db1c1da2237e627b735

SHA256
c67f9db7a1b43380b0fe36812c415d747a9d51f79f02d7be44e06fd7cb230b7e

SHA512
79bc3c5db1ca7baaf348e55a87ef2fc16d601ca3048129ea753ecc22f85a092bc90cffcff1cebbb328a813f5757bea199087b54683084a18a53c5d7e8907bdb4

Download Submit
memory/1440-65-0x0000000000D30000-0x0000000000DD2000-memory.dmp

Filesize
648KB

Download
memory/1440-56-0x0000000000D30000-0x0000000000DD2000-memory.dmp

Filesize
648KB

Download
memory/1440-59-0x0000000000D30000-0x0000000000DD2000-memory.dmp

Filesize
648KB

Download
memory/1440-66-0x0000000000D30000-0x0000000000DD2000-memory.dmp

Filesize
648KB

Download
memory/1440-60-0x0000000000D30000-0x0000000000DD2000-memory.dmp

Filesize
648KB

Download
memory/1440-58-0x0000000000D30000-0x0000000000DD2000-memory.dmp

Filesize
648KB

Download
memory/1440-64-0x0000000000D30000-0x0000000000DD2000-memory.dmp

Filesize
648KB

Download
memory/2168-36-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2168-34-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2168-35-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2168-37-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2168-62-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2968-3-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2968-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2968-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2968-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2968-22-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4896-20-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4896-32-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4896-16-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4896-17-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4896-18-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download