urelas | 4dae6ee0afb7f71b404c713179b1ca685074f082fa15f575f78311e5312092ea

General

Target

4dae6ee0afb7f71b404c713179b1ca685074f082fa15f575f78311e5312092ea.exe
Size

429KB
MD5

dacc6d418d072c06eade262b258c043b
SHA1

f7e4c7eedd769c047acc5aab95393817fb88812e
SHA256

4dae6ee0afb7f71b404c713179b1ca685074f082fa15f575f78311e5312092ea
SHA512

091e1a82e3ee97224b4634f2c5ee8bc53ce292f3fb24c2119aa63c5e0536c764ed925f52240ba50e36b90175df9bef56c65053520c780cef914bd612bc5b29a5
SSDEEP

6144:BKbwhNxUjDVMytD2NkWuRk/oBmodd+sAaTmQo2fkKrQ:4ANxU3VH1t19MsAlpX/

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0012000000023ab5-22.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	4dae6ee0afb7f71b404c713179b1ca685074f082fa15f575f78311e5312092ea.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	mynoz.exe

Executes dropped EXE 2 IoCs

pid	Process
2980	mynoz.exe
1664	ahbuc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ahbuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dae6ee0afb7f71b404c713179b1ca685074f082fa15f575f78311e5312092ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mynoz.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe
1664	ahbuc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 2980	4188	4dae6ee0afb7f71b404c713179b1ca685074f082fa15f575f78311e5312092ea.exe	88
PID 4188 wrote to memory of 2980	4188	4dae6ee0afb7f71b404c713179b1ca685074f082fa15f575f78311e5312092ea.exe	88
PID 4188 wrote to memory of 2980	4188	4dae6ee0afb7f71b404c713179b1ca685074f082fa15f575f78311e5312092ea.exe	88
PID 4188 wrote to memory of 1368	4188	4dae6ee0afb7f71b404c713179b1ca685074f082fa15f575f78311e5312092ea.exe	89
PID 4188 wrote to memory of 1368	4188	4dae6ee0afb7f71b404c713179b1ca685074f082fa15f575f78311e5312092ea.exe	89
PID 4188 wrote to memory of 1368	4188	4dae6ee0afb7f71b404c713179b1ca685074f082fa15f575f78311e5312092ea.exe	89
PID 2980 wrote to memory of 1664	2980	mynoz.exe	96
PID 2980 wrote to memory of 1664	2980	mynoz.exe	96
PID 2980 wrote to memory of 1664	2980	mynoz.exe	96

C:\Users\Admin\AppData\Local\Temp\4dae6ee0afb7f71b404c713179b1ca685074f082fa15f575f78311e5312092ea.exe
"C:\Users\Admin\AppData\Local\Temp\4dae6ee0afb7f71b404c713179b1ca685074f082fa15f575f78311e5312092ea.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Users\Admin\AppData\Local\Temp\mynoz.exe
  "C:\Users\Admin\AppData\Local\Temp\mynoz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\ahbuc.exe
    "C:\Users\Admin\AppData\Local\Temp\ahbuc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
f6f1e0ac9b962fb35bc57a96e2559bb4

SHA1
70e1cd9d47475392f330b67043337e17face7192

SHA256
c32d753df793f73f363aaa6f3001d60a97a558860cd39d8366bbb0cc72ad8abf

SHA512
c769f4e7a51da737de1bf044946b37fd5f1f95042fe4d7ed174acf78916b8a9f2f112bed03d2d6dc67c5423942dffa4026b4e9c8bfd33f2103c6f9eaea360cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahbuc.exe

Filesize
216KB

MD5
cbc1c7cf8b4218708c76b79f8880a978

SHA1
b39079fda6ae859141a0753e20980afa67295e31

SHA256
bb398874d86443c34381a238d17352fa4eeb06c95f9655cb08dcb321456d61b8

SHA512
15da3df85ff2075d48532d238a36ac6a4f166f2b6655bec26686e0bde075120e6061f5d203af83bcedbcebebfe70eef311e1feb3cfd0e1fe7138ae436337dbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
41aab0796d50cc32cc9ae57d1417fc91

SHA1
48bb8d1bf1cd322e363fef144e184b89dca4bbee

SHA256
ef172682ddd8c48940a01c90a15af0a7c436e8eafa8539dee5ef612627ef7a20

SHA512
03185f1460e31ccaf1efbe579dfa21eb27181995777994f32b709113fae18fb3e0d8cfaad1e3b8df79616d452c6b4ead3f532441a6b05632d0e29ac3874644fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mynoz.exe

Filesize
429KB

MD5
7f29fefb8abb3f080e9564d246f9ffec

SHA1
5e64e659a1c370744d127ad9e98755945f6b9d60

SHA256
f9c7ee0a9cd58ed787074484fcf27ddf0545b42da84df4073a044f8a1821a49e

SHA512
4e6e1fa0d195d2763d3a0a31d5150f66e00e3c3e16484e33cb197f6f1d1397aaf562c25f63900819de4b1b8e6bf2e7b5af893badee2940c9c8b7c08daf003f53

Download Submit
memory/1664-28-0x0000000000BE0000-0x0000000000C82000-memory.dmp

Filesize
648KB

Download
memory/1664-33-0x0000000000BE0000-0x0000000000C82000-memory.dmp

Filesize
648KB

Download
memory/1664-32-0x0000000000BE0000-0x0000000000C82000-memory.dmp

Filesize
648KB

Download
memory/1664-27-0x0000000000BE0000-0x0000000000C82000-memory.dmp

Filesize
648KB

Download
memory/1664-26-0x0000000000BE0000-0x0000000000C82000-memory.dmp

Filesize
648KB

Download
memory/1664-30-0x0000000000BE0000-0x0000000000C82000-memory.dmp

Filesize
648KB

Download
memory/2980-17-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2980-29-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2980-12-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4188-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4188-14-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing