urelas | cbf4e053ab5c115ee21d830c19c92f8444eb4e675f80be1a7cba3271bc77712d

General

Target

1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exe
Size

6.5MB
MD5

1ea2b63f430e4462a61b7b10815d5e00
SHA1

0d74f8131c0bca4a686016751af4b2f344eddace
SHA256

cbf4e053ab5c115ee21d830c19c92f8444eb4e675f80be1a7cba3271bc77712d
SHA512

ea36bc7a1fd638095577b5845e7952470696187236ad0efc4a5531b7efc59bc728413992250cf163f0ebd3b7ff469381c8633648fc95c815b0c9cee0f940ef40
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSC:i0LrA2kHKQHNk3og9unipQyOaOC

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2340 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

ryjib.exehuqomi.exexucee.exe

pid process

2704 ryjib.exe
1988 huqomi.exe
892 xucee.exe

pid	process
2340	cmd.exe

pid	process
2704	ryjib.exe
1988	huqomi.exe
892	xucee.exe

Loads dropped DLL 5 IoCs

Processes:

1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exeryjib.exehuqomi.exe

pid	process
1192	1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exe
1192	1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exe
2704	ryjib.exe
2704	ryjib.exe
1988	huqomi.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\xucee.exe	upx
behavioral1/memory/892-168-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/892-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exeryjib.exehuqomi.exexucee.exe

pid	process
1192	1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exe
2704	ryjib.exe
1988	huqomi.exe
892	xucee.exe
892	xucee.exe
892	xucee.exe
892	xucee.exe
892	xucee.exe
892	xucee.exe
892	xucee.exe
892	xucee.exe
892	xucee.exe
892	xucee.exe
892	xucee.exe
892	xucee.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exeryjib.exehuqomi.exe

description	pid	process	target process
PID 1192 wrote to memory of 2704	1192	1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exe	ryjib.exe
PID 1192 wrote to memory of 2704	1192	1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exe	ryjib.exe
PID 1192 wrote to memory of 2704	1192	1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exe	ryjib.exe
PID 1192 wrote to memory of 2704	1192	1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exe	ryjib.exe
PID 1192 wrote to memory of 2340	1192	1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exe	cmd.exe
PID 1192 wrote to memory of 2340	1192	1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exe	cmd.exe
PID 1192 wrote to memory of 2340	1192	1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exe	cmd.exe
PID 1192 wrote to memory of 2340	1192	1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exe	cmd.exe
PID 2704 wrote to memory of 1988	2704	ryjib.exe	huqomi.exe
PID 2704 wrote to memory of 1988	2704	ryjib.exe	huqomi.exe
PID 2704 wrote to memory of 1988	2704	ryjib.exe	huqomi.exe
PID 2704 wrote to memory of 1988	2704	ryjib.exe	huqomi.exe
PID 1988 wrote to memory of 892	1988	huqomi.exe	xucee.exe
PID 1988 wrote to memory of 892	1988	huqomi.exe	xucee.exe
PID 1988 wrote to memory of 892	1988	huqomi.exe	xucee.exe
PID 1988 wrote to memory of 892	1988	huqomi.exe	xucee.exe
PID 1988 wrote to memory of 2948	1988	huqomi.exe	cmd.exe
PID 1988 wrote to memory of 2948	1988	huqomi.exe	cmd.exe
PID 1988 wrote to memory of 2948	1988	huqomi.exe	cmd.exe
PID 1988 wrote to memory of 2948	1988	huqomi.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1ea2b63f430e4462a61b7b10815d5e00_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\ryjib.exe
"C:\Users\Admin\AppData\Local\Temp\ryjib.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\huqomi.exe
"C:\Users\Admin\AppData\Local\Temp\huqomi.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\xucee.exe
"C:\Users\Admin\AppData\Local\Temp\xucee.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
0ead29f3fcfd28ce158205afa21b84f8

SHA1
b1c266500a4376309c1bd48c40c8cebc05578acc

SHA256
ebe0bc7557ba1b33ea071c7477c6ab92e04714a1c310104337d2fc0ac943c4fd

SHA512
1f97d7887d4f8ec442da33c1bd13bc55633ecfb3d75cea2c03a4115cfafdd6421074629f18f9245e7b883f3449366db0279ea288577f15fc8a10f55b821616ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
306B

MD5
afa4f6a941fc02ed56e190d1794a19b0

SHA1
58155ac07ffb740104209a745c40b9aa01b3774c

SHA256
11bd68654ee376f14ae28e2dc2c280b4d88789b48b2902c1bdd6463b621af465

SHA512
3cba2172eb63249bcd0604a2c3c7b54c773fa21f26f84e411544b44249d1812f09d5c2bf1682885ed9297c673c5b5817c07ea98ee6a65ca28d5c2830adeccd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
f4921e49e547684bd839867703439d8b

SHA1
c22d6d0e72320b3c8fbffd1c9be96ea824daec3d

SHA256
5082f8232e6b6814cd86e373af1ff949b1e54d4be9eb862ae7894ce4d5e14a14

SHA512
93a9e440b9becde4e53440e118d77e8fb9b6280d6b78d23817cda9d2c1df9c177de47b237e345e8246a5926f2e09cc9f614b0e1ced9589a3ae934b0795521b49

Download Submit
\Users\Admin\AppData\Local\Temp\ryjib.exe
Filesize
6.5MB

MD5
2871e7e129c530babf2dd083c50f1b4a

SHA1
2f185b4d6e049c4cccc1ddc1d9c7ee0e38c2d78e

SHA256
4134fa1ecda553babd1f8048e4e94d4b88efcb2aef37e17bddcc714d3ba9a3e6

SHA512
accb329dbb4155cb180ccf34395ea52ef096aec593567ec93c5c677b1dd54dd0d7c66f4411c35641e72d4fcc06548702ac04078f19cc515543bc8984f9cd1744

Download Submit
\Users\Admin\AppData\Local\Temp\xucee.exe
Filesize
459KB

MD5
91281b520f0cd97f988cbfb274ed550f

SHA1
21a7081c261bb1637209ad186f74466cc90fc8ae

SHA256
a4783c5f431431aba60b132633e8da5745b725c4944e67f9d3f1bb949139b37d

SHA512
c11bdb950dd354b8d6bcdf30372ae6066399a106c91d18ee60580791d8474e3486df725580695ce1d296d11d4bc9545ff28f391a4e5c6df34f2d51b8b0e90493

Download Submit
memory/892-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/892-168-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1192-57-0x0000000004000000-0x0000000004AEC000-memory.dmp

Filesize
10.9MB

Download
memory/1192-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1192-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1192-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1192-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1192-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1192-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1192-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1192-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1192-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1192-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1192-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1192-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1192-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1192-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1192-62-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1192-60-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1192-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1192-38-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1192-58-0x0000000004000000-0x0000000004AEC000-memory.dmp

Filesize
10.9MB

Download
memory/1192-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1192-28-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1192-35-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1192-33-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1192-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1988-159-0x0000000004860000-0x00000000049F9000-memory.dmp

Filesize
1.6MB

Download
memory/1988-169-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2704-79-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2704-77-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2704-111-0x00000000042D0000-0x0000000004DBC000-memory.dmp

Filesize
10.9MB

Download
memory/2704-113-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2704-82-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2704-84-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2704-87-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2704-89-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2704-63-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads