urelas | 36ad6b7b48a4b31dfde27a17cd8e78953034d3616d6cd8dadd5b02d33c80287d

General

Target

36ad6b7b48a4b31dfde27a17cd8e78953034d3616d6cd8dadd5b02d33c80287dN.exe
Size

429KB
MD5

bfedaa7cf44ae6de64199a8da54d1c20
SHA1

6be2677184a1605313f0c3f9f3f266498392ec1f
SHA256

36ad6b7b48a4b31dfde27a17cd8e78953034d3616d6cd8dadd5b02d33c80287d
SHA512

e4304bc6dee379b674a91a3cd1866781228a2312038ee637986f7cd4260e493b0c2c601a82dcffc2efeee126df35392826b5a018440812fa5ccd12c3eb7088af
SSDEEP

6144:BKbwhNxUjDVMytD2NkWuRk/oBmodd+sAaTmQo2fkKrg:4ANxU3VH1t19MsAlpX9

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000900000001daf5-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	36ad6b7b48a4b31dfde27a17cd8e78953034d3616d6cd8dadd5b02d33c80287dN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	zaixs.exe

Executes dropped EXE 2 IoCs

pid	Process
4492	zaixs.exe
3964	jamoz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zaixs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jamoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36ad6b7b48a4b31dfde27a17cd8e78953034d3616d6cd8dadd5b02d33c80287dN.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe
3964	jamoz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 4492	1476	36ad6b7b48a4b31dfde27a17cd8e78953034d3616d6cd8dadd5b02d33c80287dN.exe	88
PID 1476 wrote to memory of 4492	1476	36ad6b7b48a4b31dfde27a17cd8e78953034d3616d6cd8dadd5b02d33c80287dN.exe	88
PID 1476 wrote to memory of 4492	1476	36ad6b7b48a4b31dfde27a17cd8e78953034d3616d6cd8dadd5b02d33c80287dN.exe	88
PID 1476 wrote to memory of 3832	1476	36ad6b7b48a4b31dfde27a17cd8e78953034d3616d6cd8dadd5b02d33c80287dN.exe	89
PID 1476 wrote to memory of 3832	1476	36ad6b7b48a4b31dfde27a17cd8e78953034d3616d6cd8dadd5b02d33c80287dN.exe	89
PID 1476 wrote to memory of 3832	1476	36ad6b7b48a4b31dfde27a17cd8e78953034d3616d6cd8dadd5b02d33c80287dN.exe	89
PID 4492 wrote to memory of 3964	4492	zaixs.exe	94
PID 4492 wrote to memory of 3964	4492	zaixs.exe	94
PID 4492 wrote to memory of 3964	4492	zaixs.exe	94

C:\Users\Admin\AppData\Local\Temp\36ad6b7b48a4b31dfde27a17cd8e78953034d3616d6cd8dadd5b02d33c80287dN.exe
"C:\Users\Admin\AppData\Local\Temp\36ad6b7b48a4b31dfde27a17cd8e78953034d3616d6cd8dadd5b02d33c80287dN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\zaixs.exe
  "C:\Users\Admin\AppData\Local\Temp\zaixs.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\jamoz.exe
    "C:\Users\Admin\AppData\Local\Temp\jamoz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
7c345ecb135f90a2a0e8be57910f9c8c

SHA1
fd44b692f71ebf35fd3ddfa42d6f803bca2d96a0

SHA256
4f83c1ec93cb5e5c22f3acc7b31b14c960aacaaf82a3bcdf59b536435b97bbf3

SHA512
316a868650fb321bdad995dcae635f4d0566f72dab0c660649f7f48cec4c24250a50254876ea9790be4cb7dcd636fddbf7579d8a506676ab67acfb0d052ff09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
201d6f6b436c750f83207302d247d21b

SHA1
b6c05646bc9be5f3b9089e46aec4bad873160dad

SHA256
a21774f1bb190ea2ced96c40ec6e0af62d26a8344cfb8fc69800a6460361c078

SHA512
b60e42489071c000c3132841cbf5ff5c47e728a2173f5424639bd6a4dc50f98abcfa6cc403444ff35f95b8980a59d5337040eec03f72600071aea16145577be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamoz.exe

Filesize
216KB

MD5
feca448f7a4070a087faa8bb1fe1c3bc

SHA1
d2e27d61904d799ab6deef3bcf2403e347309968

SHA256
b47455caab074c6cbf8c23d538f2599655b2858b6f81b5a010ffcee0a04bab3c

SHA512
3a17aa8cc44136a61a10e2b5324de8812e775b91d98b3f16c2d0884ca3185a9fbbf0ffe2c4dfc18ce4c8efef7e5c64c686eed060262f941cdf914c64977dc88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaixs.exe

Filesize
429KB

MD5
21f6dd6252448a0fc9e58fa89ff784b0

SHA1
8bb5e1162965757a08314c8d0058f51a79377b3d

SHA256
5a21a0a117986d02aad78f78775c9db216ec9106c6fb720b209aef3c1d0ebcbb

SHA512
b3912064bcb0be8e55d8f709f58d974cd49442ee1f6d396e5c108901485397203e70ed79c00166b5a0b5ee5e029c30ea23ef473b1ee108242e3dd6c1b662b2c7

Download Submit
memory/1476-13-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1476-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3964-28-0x0000000000760000-0x0000000000802000-memory.dmp

Filesize
648KB

Download
memory/3964-27-0x0000000000760000-0x0000000000802000-memory.dmp

Filesize
648KB

Download
memory/3964-26-0x0000000000760000-0x0000000000802000-memory.dmp

Filesize
648KB

Download
memory/3964-25-0x0000000000760000-0x0000000000802000-memory.dmp

Filesize
648KB

Download
memory/3964-31-0x0000000000760000-0x0000000000802000-memory.dmp

Filesize
648KB

Download
memory/3964-32-0x0000000000760000-0x0000000000802000-memory.dmp

Filesize
648KB

Download
memory/4492-16-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4492-29-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing