urelas | 144113097b9b329d148501a7be994c4e4b2eb0c5f8aa197e5e58b99f7154293b

General

Target

6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe
Size

6.5MB
MD5

6b500846eacd59046fa9c79fce718770
SHA1

357713319a8d77551edb23c85a29fd881cf29339
SHA256

144113097b9b329d148501a7be994c4e4b2eb0c5f8aa197e5e58b99f7154293b
SHA512

3b3f2b33181c64be3976815fdf84396e037773c0b470482866496d5a08e576cbf3551c337bceca9d74e73e7bae79ba68d6ac274b2e59c04f1c8dddbb4560a3c7
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSv:i0LrA2kHKQHNk3og9unipQyOaOv

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	urgia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	ezbyqo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe

Executes dropped EXE 3 IoCs

pid	Process
5232	urgia.exe
3748	ezbyqo.exe
3028	kootd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000233aa-63.dat	upx
behavioral2/memory/3028-69-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/3028-74-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4808	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe
4808	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe
5232	urgia.exe
5232	urgia.exe
3748	ezbyqo.exe
3748	ezbyqo.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe
3028	kootd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 5232	4808	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe	83
PID 4808 wrote to memory of 5232	4808	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe	83
PID 4808 wrote to memory of 5232	4808	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe	83
PID 4808 wrote to memory of 5912	4808	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe	85
PID 4808 wrote to memory of 5912	4808	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe	85
PID 4808 wrote to memory of 5912	4808	6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe	85
PID 5232 wrote to memory of 3748	5232	urgia.exe	87
PID 5232 wrote to memory of 3748	5232	urgia.exe	87
PID 5232 wrote to memory of 3748	5232	urgia.exe	87
PID 3748 wrote to memory of 3028	3748	ezbyqo.exe	101
PID 3748 wrote to memory of 3028	3748	ezbyqo.exe	101
PID 3748 wrote to memory of 3028	3748	ezbyqo.exe	101
PID 3748 wrote to memory of 5212	3748	ezbyqo.exe	102
PID 3748 wrote to memory of 5212	3748	ezbyqo.exe	102
PID 3748 wrote to memory of 5212	3748	ezbyqo.exe	102

C:\Users\Admin\AppData\Local\Temp\6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6b500846eacd59046fa9c79fce718770_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\urgia.exe
  "C:\Users\Admin\AppData\Local\Temp\urgia.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5232
- - C:\Users\Admin\AppData\Local\Temp\ezbyqo.exe
    "C:\Users\Admin\AppData\Local\Temp\ezbyqo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Users\Admin\AppData\Local\Temp\kootd.exe
      "C:\Users\Admin\AppData\Local\Temp\kootd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:5212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:5912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
f81537fb6438c5be54f6ec310c7884ff

SHA1
9c0e3f20a6d3ac93202d7e9b6c7fb5f430649863

SHA256
a5fc7f0e4d8f2894449a6f27be34561f67d90fa6bd5ec50b76264ae514496dc1

SHA512
5132814343ab14e429abb7d1a3aa60f8ca361877d7864830cad3346f94f8e441af80ffa298e83c2e164c02a4a2888ab83b5f7fd252ff9d6e86f123b1f0aac973

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
2193a22d168154bb12911bfa33c6bb83

SHA1
1ac62a4a250c99af18c692f423292f97c86e86f8

SHA256
026c08121b9fd2bc71f790cc9b49c2e50bb0522ccf3fc9d6c823fa50b5dff8d2

SHA512
f4953ec27a8ae2005d8bfd3f607e498a13b654672b369ddb46e87f4e2af423cf3a4f25e950c96ad5a1554fd130830c8ba40a8b105cb34d8570e675db1f626186

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7455e364527179c01e5f21e5b0b03c8e

SHA1
dbcbdd2132229ad27790d256a8669e6d362c9acf

SHA256
3b8446c8d3fa246da806d032c1f1670a8138258a03e47d7526e40cb3d4449b24

SHA512
9b67ce5623e57a2c452cf19d783eb507e1fb6da8d4ae7969fc259aab030f8f00cd70376035b06406af12a884afba6051b50282cba9151588ebcd28865cd357f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kootd.exe

Filesize
459KB

MD5
69418449b9e2789304000542f90d65ca

SHA1
a0a090f74782da4348c5ac74fac5cdd59dc9df0a

SHA256
e4c9e0c1f08ce6b7755bf30446bbc3fe7616a61b7ff7917528bc95b1cdc6af55

SHA512
4c07f147c18b65a953247a3cac2446b8666ea0315b3c98e46852f3a011a72a4eedf9feccd8e2c719b08155fbfececefdbab96c8a340d1c3535620b69bc5423a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\urgia.exe

Filesize
6.5MB

MD5
57b20abd231c9f9b01cec9af27a23f93

SHA1
2c7abe27c01fd21b651470f53133e6994910b930

SHA256
652812b291f7b420aaee40b6e616e9ed88211dde4989f09722ee076962bfdcd4

SHA512
68e51799dab6ea542b2eda52cc558698902fab232bd823e52b98c97fa4ea6a71c533247ccc586fdd66136e7dc5b1e32553408955ed30ab2d928c636d34440437

Download Submit
memory/3028-74-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3028-69-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3748-51-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/3748-52-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/3748-53-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/3748-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3748-54-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/3748-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3748-50-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/3748-71-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3748-55-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/3748-49-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/4808-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4808-5-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4808-1-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/4808-3-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/4808-2-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/4808-8-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/4808-7-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/4808-6-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4808-4-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/4808-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4808-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4808-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4808-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5232-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5232-34-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/5232-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5232-33-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/5232-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5232-28-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/5232-29-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/5232-30-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/5232-31-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/5232-32-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing