urelas | d447f64c4aa1dadc7784a9b09d73b5240c6f0acda63b626de1850a93362daeb2

General

Target

40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe
Size

421KB
MD5

40f25f8a225b34817bef30699aac5470
SHA1

89d601340a802e868839dbc2cfcd60f96566194c
SHA256

d447f64c4aa1dadc7784a9b09d73b5240c6f0acda63b626de1850a93362daeb2
SHA512

d708174bca5cdd52fc4dcad69ddcc4825849837f0d9c61f4e83aa00f4d9c8af0e3abe0ede14f20b519b8543fc821308dda093d9402fc51d7454526a377c7ae14
SSDEEP

6144:SclgVrkccVxjfYNftqZe9+Hc0RLG0aOBAf70GbjUwMD9n/lR7e+XpMSJ:BeVoDVxjQ1gXHcuLHBS/MD9tR71j

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2120 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

zymur.exeduhyg.exe

pid process

2204 zymur.exe
1664 duhyg.exe
Loads dropped DLL 2 IoCs

Processes:

40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exezymur.exe

pid process

2820 40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe
2204 zymur.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2120	cmd.exe

pid	process
2204	zymur.exe
1664	duhyg.exe

pid	process
2820	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe
2204	zymur.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

duhyg.exe

pid	process
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe
1664	duhyg.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exezymur.exe

description	pid	process	target process
PID 2820 wrote to memory of 2204	2820	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe	zymur.exe
PID 2820 wrote to memory of 2204	2820	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe	zymur.exe
PID 2820 wrote to memory of 2204	2820	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe	zymur.exe
PID 2820 wrote to memory of 2204	2820	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe	zymur.exe
PID 2820 wrote to memory of 2120	2820	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe	cmd.exe
PID 2820 wrote to memory of 2120	2820	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe	cmd.exe
PID 2820 wrote to memory of 2120	2820	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe	cmd.exe
PID 2820 wrote to memory of 2120	2820	40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe	cmd.exe
PID 2204 wrote to memory of 1664	2204	zymur.exe	duhyg.exe
PID 2204 wrote to memory of 1664	2204	zymur.exe	duhyg.exe
PID 2204 wrote to memory of 1664	2204	zymur.exe	duhyg.exe
PID 2204 wrote to memory of 1664	2204	zymur.exe	duhyg.exe

C:\Users\Admin\AppData\Local\Temp\40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\40f25f8a225b34817bef30699aac5470_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Local\Temp\zymur.exe
"C:\Users\Admin\AppData\Local\Temp\zymur.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\duhyg.exe
"C:\Users\Admin\AppData\Local\Temp\duhyg.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
306B

MD5
9f5a871960caf6302d2910541feac4bc

SHA1
94b604aff860e61405ec1a84a9153530a28e4c65

SHA256
7e7f1c73858059edd975dde4f7387265bca2b2bc6682036ddf66a15100a1431c

SHA512
963ef95e3ecc7a9a86c15cfb270594a8f1c466f84bf0938bb27862fefdac16cf94442dc3b8e009fe6b29a18d8fa51f9d838a1784feee638f3f7102c8c8adaff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
e5ae82927493d04ad3db80763113ead0

SHA1
80ec855c28b553bca6f2a52f35e9942f7b86bbd3

SHA256
7baa05f89f52667ce28aaa2dd9fc3b1a5880b968917c89c6ac55eb7c3e2a04c9

SHA512
0e0dc08b0141422988353d1b28ae34f0b997b00e4459a7e1b773ca5e8de939fe71f5a4636e071ae4a8285da3f496ddce9a83b8cee46ebf9a8f7d26a2c89d6988

Download Submit
C:\Users\Admin\AppData\Local\Temp\zymur.exe
Filesize
422KB

MD5
0ea90fbee32f68498b0c9a8bc91b3b13

SHA1
70dd02d0fd96e2f8929aed14d2029217fe7a639b

SHA256
746e0dd6d67a5c512af2e76951256c2ccf772844e980246dfbb4e8f1b182a3b4

SHA512
6af22231a771d09ec5a4976301fea1578cc5944d801f32a4cf88617eb71a4383a6a46833b02e98a60f9e05d59590251a67fb212624fb8936240c516843b2cc55

Download Submit
\Users\Admin\AppData\Local\Temp\duhyg.exe
Filesize
227KB

MD5
688abe4ca7844f03a8197ed98a8fee49

SHA1
a339e682a2fa835e141836c76bff12ef77aa821e

SHA256
8cdf0c4f09bbe58179a48f40f009b60c06e1d9a90a5bfcbfd1aacc011b01f14c

SHA512
3d0cf03d05f8131d56f5462e9cb51ce799f9884f6b11dc315b25b0fc08d94790ed17165e96b9f95bbd77cbf41280c0b45d06359060616e3cf8ddf0e122982f56

Download Submit
\Users\Admin\AppData\Local\Temp\zymur.exe
Filesize
422KB

MD5
e0eed257a9e0047f5cefc6eef5e4d719

SHA1
bba979a8df90f5ccbab94c04ee544e750dbf49d6

SHA256
9f499a5486cfd8a9e75bdf655822bda1171bde8795da8af1123427c821455cf1

SHA512
d4c506708343568b66786d050b6c0ac88478b29fd85664968914567a565d9fb3c26cb40434c140e98c514b1a379735650a34d153119f196aadfa28321f0b1cde

Download Submit
memory/1664-33-0x0000000000A60000-0x0000000000B04000-memory.dmp

Filesize
656KB

Download
memory/1664-29-0x0000000000A60000-0x0000000000B04000-memory.dmp

Filesize
656KB

Download
memory/1664-32-0x0000000000A60000-0x0000000000B04000-memory.dmp

Filesize
656KB

Download
memory/1664-34-0x0000000000A60000-0x0000000000B04000-memory.dmp

Filesize
656KB

Download
memory/1664-35-0x0000000000A60000-0x0000000000B04000-memory.dmp

Filesize
656KB

Download
memory/1664-36-0x0000000000A60000-0x0000000000B04000-memory.dmp

Filesize
656KB

Download
memory/2204-21-0x0000000000D00000-0x0000000000D6C000-memory.dmp

Filesize
432KB

Download
memory/2204-28-0x0000000000D00000-0x0000000000D6C000-memory.dmp

Filesize
432KB

Download
memory/2204-10-0x0000000000D00000-0x0000000000D6C000-memory.dmp

Filesize
432KB

Download
memory/2820-6-0x0000000002970000-0x00000000029DC000-memory.dmp

Filesize
432KB

Download
memory/2820-0-0x0000000000280000-0x00000000002EC000-memory.dmp

Filesize
432KB

Download
memory/2820-18-0x0000000000280000-0x00000000002EC000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing