urelas | e7c54961d58e2bc9c6da716cec5cb4d8336437c9cc15901ee8e3f7a23666f744

General

Target

069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe
Size

468KB
MD5

069aa0e3df9c8016e4f601aa09dad6c0
SHA1

e96a79c1d02a145afaf0be07561907ddc191ca0d
SHA256

e7c54961d58e2bc9c6da716cec5cb4d8336437c9cc15901ee8e3f7a23666f744
SHA512

0b262ed6b5138ff0abbab16b6af274b2ff8c0955fa45baf641f72ba43d4144b008720caf14e144e6345e70f88f112a421c5b16df47abdfe11c0dcbb86f70739b
SSDEEP

6144:LEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhVOpdFRdmY:LMpASIcWYx2U6hAJVG

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2728	vihie.exe
2600	fywaof.exe
1572	sihem.exe

Loads dropped DLL 4 IoCs

pid	Process
1688	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe
2728	vihie.exe
2600	fywaof.exe
2600	fywaof.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2728	1688	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2728	1688	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2728	1688	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2728	1688	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2796	1688	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe	29
PID 1688 wrote to memory of 2796	1688	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe	29
PID 1688 wrote to memory of 2796	1688	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe	29
PID 1688 wrote to memory of 2796	1688	069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe	29
PID 2728 wrote to memory of 2600	2728	vihie.exe	31
PID 2728 wrote to memory of 2600	2728	vihie.exe	31
PID 2728 wrote to memory of 2600	2728	vihie.exe	31
PID 2728 wrote to memory of 2600	2728	vihie.exe	31
PID 2600 wrote to memory of 1572	2600	fywaof.exe	34
PID 2600 wrote to memory of 1572	2600	fywaof.exe	34
PID 2600 wrote to memory of 1572	2600	fywaof.exe	34
PID 2600 wrote to memory of 1572	2600	fywaof.exe	34
PID 2600 wrote to memory of 1620	2600	fywaof.exe	35
PID 2600 wrote to memory of 1620	2600	fywaof.exe	35
PID 2600 wrote to memory of 1620	2600	fywaof.exe	35
PID 2600 wrote to memory of 1620	2600	fywaof.exe	35

C:\Users\Admin\AppData\Local\Temp\069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\069aa0e3df9c8016e4f601aa09dad6c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\vihie.exe
  "C:\Users\Admin\AppData\Local\Temp\vihie.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\fywaof.exe
    "C:\Users\Admin\AppData\Local\Temp\fywaof.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\sihem.exe
      "C:\Users\Admin\AppData\Local\Temp\sihem.exe"
      4⤵
      Executes dropped EXE
      PID:1572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
8ba3166fb8b69f6644c37169f55958bb

SHA1
7afe8de6d7702104d0c9d3743e894fba9a4f8f52

SHA256
bbe0b08203e11525117366559418099f6d9b289f5c9413c7f1b0b59fb5b39472

SHA512
c3c43d1f88bcedd793bc3fdf8400441180aa6296c82396898dd130317327379e6ec84a3bf7e17e53ee7db56715e2d4162604c42725063bb25440267899dd4262

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
f798fe51725b7c438bb41cae438a901a

SHA1
140c173223247df0f9c99168a05c1613935c5797

SHA256
05263b98a2dd5d669e50bcc83ba34f909f8ca52864133f4d5e34ac88fc01edfa

SHA512
8ccc4ee793de07ad7e2399283ed02f245efb4d37b5cfe65da542a92fb5073e1ad1f3351e5ec748df042cfb52265fd240aa04d2b19e8ff49571ede7c3b98dd94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fywaof.exe

Filesize
468KB

MD5
4990a68b51510981400a9a0967f75fc3

SHA1
1e0dbfdac506640fc6d64410f0f34fa6704e2bd9

SHA256
74ed37c21291cc14e5d8ca1dde12c063abe319d7ad1e9dc617f5c327bce1cf2b

SHA512
8db426cd1befe83e2d4f4a185061e7349328bdaeeea3f448749e19bc10d8fc606d38a30be634209ac1ef558c9dbd801e615882619f68bed395b06243b777652c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bb6b67ad2162ea8822c5359bf6a0d70d

SHA1
b9161c449b662b8e968321eb80b3fdc8aabfbb6d

SHA256
5598d17318b5c6ad60c9b7b02399565ffbc90b6f394d64e9a9a8ae96743e2a0f

SHA512
6cafb2c2595ece0da44fbb74851ae34326d5cea66dcaa1106ede481c0724c4e101ff4ec8206b431625f3fe45d97b308fb0b61c34f026cf38486c98d042f79359

Download Submit
\Users\Admin\AppData\Local\Temp\sihem.exe

Filesize
223KB

MD5
1a338e1d45dd0a529ba839cbd3d7d453

SHA1
3e6a8f2b8b46580f8a5775b599bbc37c59931d07

SHA256
21c782eb185d17371b0bcfbd0a540f0828987f7e54731be83210fe2a2c900732

SHA512
cb0605e4e095026087c76535b90cf0654d9391eb0f1a6fc0b0a5bd3fd4d3e10c5c71935a116a907ab489b96e7e46e4d85ee1725e6b539ae25ed53ef582085720

Download Submit
\Users\Admin\AppData\Local\Temp\vihie.exe

Filesize
468KB

MD5
13890422cf9dadc1c4aeaa1548752fb9

SHA1
6153878965bce26ffb7453cb55b627c732c7f550

SHA256
2006d71af0cc20bb8e9b591b6d7aed0877d18e21f147c44db981503230ad3ef9

SHA512
2dd2c7dd5bb4a3360281742a0ae41a62a4fa8b15ecb1444f94b83cfed4989220d6249f3a276af291e18a9cc8d0eff06f21d512220fc52229498ec9ff1e38de7f

Download Submit
memory/1688-8-0x0000000002BE0000-0x0000000002C4E000-memory.dmp

Filesize
440KB

Download
memory/1688-20-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1688-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2600-33-0x0000000003BD0000-0x0000000003C70000-memory.dmp

Filesize
640KB

Download
memory/2600-39-0x0000000003BD0000-0x0000000003C70000-memory.dmp

Filesize
640KB

Download
memory/2600-48-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2728-27-0x0000000002110000-0x000000000217E000-memory.dmp

Filesize
440KB

Download
memory/2728-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing