urelas | bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe
Size

633KB
MD5

5130a002bfbf98adc1b58e752ea819a8
SHA1

9145d33b663d58ba1e1f7f04470b167e7854a46f
SHA256

bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0
SHA512

e70be66fa061c1655a4251bc5cb5412081f29e98f00e561faed56b60455d54f2ffb21f52fccc93fb1a44490bfceb74e03585400073b9776e43da1e3a1f47d8ac
SSDEEP

12288:5U7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsdt:5UowYcOW4a2YcOW4y

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-26.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2792	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3016	ancuz.exe
1856	jican.exe

Loads dropped DLL 3 IoCs

pid	Process
2372	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe
2372	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe
3016	ancuz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jican.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ancuz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe
1856	jican.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 3016	2372	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe	31
PID 2372 wrote to memory of 3016	2372	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe	31
PID 2372 wrote to memory of 3016	2372	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe	31
PID 2372 wrote to memory of 3016	2372	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe	31
PID 2372 wrote to memory of 2792	2372	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe	32
PID 2372 wrote to memory of 2792	2372	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe	32
PID 2372 wrote to memory of 2792	2372	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe	32
PID 2372 wrote to memory of 2792	2372	bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe	32
PID 3016 wrote to memory of 1856	3016	ancuz.exe	35
PID 3016 wrote to memory of 1856	3016	ancuz.exe	35
PID 3016 wrote to memory of 1856	3016	ancuz.exe	35
PID 3016 wrote to memory of 1856	3016	ancuz.exe	35

C:\Users\Admin\AppData\Local\Temp\bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe
"C:\Users\Admin\AppData\Local\Temp\bfd20666885e06258c877d771b853c06bb449abaf099d3f7d786301f152c71a0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\ancuz.exe
  "C:\Users\Admin\AppData\Local\Temp\ancuz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\jican.exe
    "C:\Users\Admin\AppData\Local\Temp\jican.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
1e5dc63fbc6896f0ee8522c3d9f1b437

SHA1
7d410356452a8b68d924c25249d03246761f7c63

SHA256
74dccddc058a2786dd365296be2377f6249d0bf77dccb43d7f9a9ca1a851c145

SHA512
11ca009cefde0d2fb14435f1e0fa39736a5498733b16dbaa2d9f53dc337d922c610c5414b407a59891bf6435b7fc73ebce4477d977ec826e5a6c8890e5346475

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c236dfa916ad803c5f19cd7f9de456c1

SHA1
ee7899eb1dcef0ea646b6e41884c8d28c22f62df

SHA256
391d5903f4f28657a78de488af32b4b77e87d395726336da210d01f9ab649870

SHA512
6bb14738c202c6beec5759eaeda17711e065152bc7b72aadc5bfd7673c45271d43eae34bd3499e8ed9d44f74237575b82d9ea6e3135834bd781e9e2bf47ad30d

Download Submit
\Users\Admin\AppData\Local\Temp\ancuz.exe

Filesize
633KB

MD5
3e1a4ac55e21410247293b7ada2a7c8f

SHA1
e574459f544d9775162ba651188ca816d6ce9fa0

SHA256
eee8313cd37bff6aa14ec1b5ce35fe30dd9a4a77badf5a77ea984fd5050eab6d

SHA512
bfcae08290508e51968234e8eea969475f5dd392ba45c7b46f6e394c487d58eadf59173e8d1d1385f4742d83cd460eac24d462a5800d3aa862dcbf175c57d68e

Download Submit
\Users\Admin\AppData\Local\Temp\jican.exe

Filesize
212KB

MD5
fda6085aef2aba018bf642ee7907506f

SHA1
b62f3fd1ad23a9bc870e46ba7009783c5400c18d

SHA256
8357cbb03c6914b164adef991cad47abacb830ac55e1c0d1b398363ca522fa9d

SHA512
2b80bab5b44738540add0dcf7c05989a78d7ae4e696ff04b4282ca0644213014c2f0ec7e9af5305fc8affc5eaff72c87ba27c2cfd514ee59667ad9060d3137fd

Download Submit
memory/1856-38-0x00000000003E0000-0x0000000000474000-memory.dmp

Filesize
592KB

Download
memory/1856-39-0x00000000003E0000-0x0000000000474000-memory.dmp

Filesize
592KB

Download
memory/1856-36-0x00000000003E0000-0x0000000000474000-memory.dmp

Filesize
592KB

Download
memory/1856-40-0x00000000003E0000-0x0000000000474000-memory.dmp

Filesize
592KB

Download
memory/1856-34-0x00000000003E0000-0x0000000000474000-memory.dmp

Filesize
592KB

Download
memory/1856-33-0x00000000003E0000-0x0000000000474000-memory.dmp

Filesize
592KB

Download
memory/1856-32-0x00000000003E0000-0x0000000000474000-memory.dmp

Filesize
592KB

Download
memory/1856-31-0x00000000003E0000-0x0000000000474000-memory.dmp

Filesize
592KB

Download
memory/1856-37-0x00000000003E0000-0x0000000000474000-memory.dmp

Filesize
592KB

Download
memory/2372-20-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2372-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2372-11-0x0000000002590000-0x000000000262B000-memory.dmp

Filesize
620KB

Download
memory/3016-29-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3016-23-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download