urelas | 92c1e8cd4c189dd0f3670de1facbd3b10db0a1696fce4f7f328c2adc37961fc6

General

Target

5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe
Size

6.4MB
MD5

5beb5c1df539fdefc47491e06b7c6510
SHA1

fe79e82fa0bc860454fd6c0721fc7c117b7cf23c
SHA256

92c1e8cd4c189dd0f3670de1facbd3b10db0a1696fce4f7f328c2adc37961fc6
SHA512

04edbfdd82b7ffcbd7471b7ac5c2da29c947a74848c7d87b6003576a5da43a84072aad72c2ec9d9b08f8c6004f7a6b8bbfb111611209d4b495a8150903cf30f3
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSc:i0LrA2kHKQHNk3og9unipQyOaOc

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2520 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

fowod.exedabyqa.exerojuq.exe

pid process

2500 fowod.exe
1176 dabyqa.exe
1396 rojuq.exe

pid	process
2520	cmd.exe

pid	process
2500	fowod.exe
1176	dabyqa.exe
1396	rojuq.exe

Loads dropped DLL 5 IoCs

Processes:

5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exefowod.exedabyqa.exe

pid	process
2196	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe
2196	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe
2500	fowod.exe
2500	fowod.exe
1176	dabyqa.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\rojuq.exe	upx
behavioral1/memory/1396-163-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1396-176-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exefowod.exedabyqa.exerojuq.exe

pid	process
2196	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe
2500	fowod.exe
1176	dabyqa.exe
1396	rojuq.exe
1396	rojuq.exe
1396	rojuq.exe
1396	rojuq.exe
1396	rojuq.exe
1396	rojuq.exe
1396	rojuq.exe
1396	rojuq.exe
1396	rojuq.exe
1396	rojuq.exe
1396	rojuq.exe
1396	rojuq.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exefowod.exedabyqa.exe

description	pid	process	target process
PID 2196 wrote to memory of 2500	2196	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe	fowod.exe
PID 2196 wrote to memory of 2500	2196	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe	fowod.exe
PID 2196 wrote to memory of 2500	2196	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe	fowod.exe
PID 2196 wrote to memory of 2500	2196	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe	fowod.exe
PID 2196 wrote to memory of 2520	2196	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe	cmd.exe
PID 2196 wrote to memory of 2520	2196	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe	cmd.exe
PID 2196 wrote to memory of 2520	2196	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe	cmd.exe
PID 2196 wrote to memory of 2520	2196	5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe	cmd.exe
PID 2500 wrote to memory of 1176	2500	fowod.exe	dabyqa.exe
PID 2500 wrote to memory of 1176	2500	fowod.exe	dabyqa.exe
PID 2500 wrote to memory of 1176	2500	fowod.exe	dabyqa.exe
PID 2500 wrote to memory of 1176	2500	fowod.exe	dabyqa.exe
PID 1176 wrote to memory of 1396	1176	dabyqa.exe	rojuq.exe
PID 1176 wrote to memory of 1396	1176	dabyqa.exe	rojuq.exe
PID 1176 wrote to memory of 1396	1176	dabyqa.exe	rojuq.exe
PID 1176 wrote to memory of 1396	1176	dabyqa.exe	rojuq.exe
PID 1176 wrote to memory of 2200	1176	dabyqa.exe	cmd.exe
PID 1176 wrote to memory of 2200	1176	dabyqa.exe	cmd.exe
PID 1176 wrote to memory of 2200	1176	dabyqa.exe	cmd.exe
PID 1176 wrote to memory of 2200	1176	dabyqa.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5beb5c1df539fdefc47491e06b7c6510_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\fowod.exe
"C:\Users\Admin\AppData\Local\Temp\fowod.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2500

C:\Users\Admin\AppData\Local\Temp\dabyqa.exe
"C:\Users\Admin\AppData\Local\Temp\dabyqa.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Local\Temp\rojuq.exe
"C:\Users\Admin\AppData\Local\Temp\rojuq.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
bde4995892d5a8fe6759c53298e26850

SHA1
8755d72109f401a12e780f4437a7d14b9b40102a

SHA256
ea8a86f9348707809c1df31c40560519d0accc1c90e2244956ab335c4a109393

SHA512
9335975de4870d9a7cc6d1118c5d27f014a90a5cd6e2cd8850e4ff590a5c626f3bd5208efa99e8a3ce3a55c15ebf8d0e88518a11a87c5f6fadd0e291e576761d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
306B

MD5
a8165f163d9ab545285de169675344b2

SHA1
db50944f989467d57346d14239d7831bc9b1937e

SHA256
571ed356a8cbd6ee680de68bc353b8991889386be6bb80467cb2a7d44873cc46

SHA512
9cd0b4fbd131a7dc3d46bef2ea813dec1663d0ea2a3ed27410ec17e6adaf1f175a037d940067d8469acdfc26f6a73ba5952d28839afdee9339f14ad491767e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
e296cea35bd105ec7b0269c794c3afd8

SHA1
dd8d6db1e34732c5e9c1234539a3829f8a9a7d8f

SHA256
347dbd9c7d9a157dc2ff9eec1bc4bf2e940cba2081c6fcda648375beff6896b8

SHA512
507548a3cefda12bb56cc249c8cbac8373ab73d627a3dc7d1a3de42443d13787a06902e27ede2cb57664c73027525880a7b816eb0d2369491576e04ce4143e49

Download Submit
\Users\Admin\AppData\Local\Temp\fowod.exe
Filesize
6.4MB

MD5
52198bc1601fbcc2217e7473e618a842

SHA1
f3d0ea359a0685107db7e086046add9e1439c87a

SHA256
fdf8c236585b0c35874e3fd0886f9a8c084e6f3ecf584694c88e119d6148f910

SHA512
71160032709a65805cc8d8f59b96dffe19330a98c3e60ba0a021317ca11d25e9661349ea0d005f242f04ebe06525d844c5f29cf5aa1749685e0dabb9af185d82

Download Submit
\Users\Admin\AppData\Local\Temp\rojuq.exe
Filesize
459KB

MD5
9667106721ed718db9f51698eb5b8b5f

SHA1
59281e92c0c8faaa6bc6f4f57e475772e417e1cb

SHA256
f53b0c66294e21d6c39a7c68a6551be05ac96e281e3067e4fffdc7c9f39bea04

SHA512
cccdbb18e1d300570bce1afa4ce1cea6314c93320715e95e944e7fae9def6f1371efbe5ec7a1beb0139fc209a30765574166166f86c33528986e585f58c88a22

Download Submit
memory/1176-171-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1176-161-0x0000000004220000-0x00000000043B9000-memory.dmp

Filesize
1.6MB

Download
memory/1396-176-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1396-163-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2196-61-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2196-63-0x0000000003970000-0x000000000445C000-memory.dmp

Filesize
10.9MB

Download
memory/2196-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2196-1-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2196-26-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2196-36-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2196-34-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2196-31-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2196-29-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2196-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2196-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2196-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2196-7-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2196-56-0x0000000003970000-0x000000000445C000-memory.dmp

Filesize
10.9MB

Download
memory/2196-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2196-87-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2196-24-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2196-21-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2196-19-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2196-16-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2196-9-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2196-14-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2196-12-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2196-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2196-4-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2500-116-0x0000000003CA0000-0x000000000478C000-memory.dmp

Filesize
10.9MB

Download
memory/2500-71-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2500-66-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2500-73-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2500-105-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2500-115-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2500-68-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2500-76-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2500-103-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2500-81-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2500-78-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2500-83-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2500-86-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2500-89-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads