urelas | a4d64a25831dd6e81d68c5440a8fc4f90dc36ee25f09edfbdaf48ca2f769f22d

General

Target

49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe
Size

6.4MB
MD5

49a9bdb4c48e07556808db66f8a48020
SHA1

294cb0633320606d818ac0297145ed5098fb1bb5
SHA256

a4d64a25831dd6e81d68c5440a8fc4f90dc36ee25f09edfbdaf48ca2f769f22d
SHA512

9d8d30ec8b0edeea82e529469cb10efee3587528b6b65e182711a75d35fde72328cc486edc6d57aa94732162ca2771bc0091c80aaedab999cf322365a5fc8d5d
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVST:i0LrA2kHKQHNk3og9unipQyOaOT

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2896 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

goxap.exepesoso.exenosuv.exe

pid process

2796 goxap.exe
2976 pesoso.exe
2280 nosuv.exe

pid	process
2896	cmd.exe

pid	process
2796	goxap.exe
2976	pesoso.exe
2280	nosuv.exe

Loads dropped DLL 5 IoCs

Processes:

49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exegoxap.exepesoso.exe

pid	process
3068	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe
3068	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe
2796	goxap.exe
2796	goxap.exe
2976	pesoso.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nosuv.exe	upx
behavioral1/memory/2976-161-0x00000000047C0000-0x0000000004959000-memory.dmp	upx
behavioral1/memory/2280-166-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2280-176-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exegoxap.exepesoso.exenosuv.exe

pid	process
3068	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe
2796	goxap.exe
2976	pesoso.exe
2280	nosuv.exe
2280	nosuv.exe
2280	nosuv.exe
2280	nosuv.exe
2280	nosuv.exe
2280	nosuv.exe
2280	nosuv.exe
2280	nosuv.exe
2280	nosuv.exe
2280	nosuv.exe
2280	nosuv.exe
2280	nosuv.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exegoxap.exepesoso.exe

description	pid	process	target process
PID 3068 wrote to memory of 2796	3068	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe	goxap.exe
PID 3068 wrote to memory of 2796	3068	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe	goxap.exe
PID 3068 wrote to memory of 2796	3068	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe	goxap.exe
PID 3068 wrote to memory of 2796	3068	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe	goxap.exe
PID 3068 wrote to memory of 2896	3068	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe	cmd.exe
PID 3068 wrote to memory of 2896	3068	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe	cmd.exe
PID 3068 wrote to memory of 2896	3068	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe	cmd.exe
PID 3068 wrote to memory of 2896	3068	49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe	cmd.exe
PID 2796 wrote to memory of 2976	2796	goxap.exe	pesoso.exe
PID 2796 wrote to memory of 2976	2796	goxap.exe	pesoso.exe
PID 2796 wrote to memory of 2976	2796	goxap.exe	pesoso.exe
PID 2796 wrote to memory of 2976	2796	goxap.exe	pesoso.exe
PID 2976 wrote to memory of 2280	2976	pesoso.exe	nosuv.exe
PID 2976 wrote to memory of 2280	2976	pesoso.exe	nosuv.exe
PID 2976 wrote to memory of 2280	2976	pesoso.exe	nosuv.exe
PID 2976 wrote to memory of 2280	2976	pesoso.exe	nosuv.exe
PID 2976 wrote to memory of 1604	2976	pesoso.exe	cmd.exe
PID 2976 wrote to memory of 1604	2976	pesoso.exe	cmd.exe
PID 2976 wrote to memory of 1604	2976	pesoso.exe	cmd.exe
PID 2976 wrote to memory of 1604	2976	pesoso.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\49a9bdb4c48e07556808db66f8a48020_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\goxap.exe
"C:\Users\Admin\AppData\Local\Temp\goxap.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Local\Temp\pesoso.exe
"C:\Users\Admin\AppData\Local\Temp\pesoso.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\nosuv.exe
"C:\Users\Admin\AppData\Local\Temp\nosuv.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2280

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
c8a8270e2415a8f1b082d40ecb0341ef

SHA1
5536e17828b871ca45b1f20a9fd013f83e78f53d

SHA256
d00e0d99d08e137a7cc49b91b4b978130ce5f995a92bbbec274fede578027cda

SHA512
e906014f77985afe0a21331c3c82ea6c8af35d279cf237cb76a5a80ac92da7a448e430ed97d7c1c32fbc6a1a95c1e7bc5e2064ba6d5b59b2e66d8d06f5217add

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
306B

MD5
026d0eab2c0ce12a4771f90694fe2d9b

SHA1
6609caa2c92d91f71b9218ac21c65e9bd221d3ba

SHA256
e8aa3a727423132bffe02c29cd7e1d6dac352a04660ca3c0ea098fe541386b33

SHA512
75ddb3b8bf0cf270a892cdb66309803523bb9fad028d0fdc64c333012831f884da67bf2abdf4282ffe6605810fdba5ba1871125d65f08c4792c61568c617baaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
eef0f0d603c2f966b650d6afd80859d5

SHA1
db25e767685445611a6010abff01390de9bc3e81

SHA256
a751e439541614fee40f581893c42305a33483a50f594e2dc349afceb824a0ab

SHA512
f0036d043c34a87da044341907499f38d75a32ef71e46eae794554847633ca0d444414938da8b0588480b4234173e80ae7cf1930466be287804e8cfec35603fd

Download Submit
\Users\Admin\AppData\Local\Temp\goxap.exe
Filesize
6.4MB

MD5
3072bc9b7055a6d20f57d6d9158461af

SHA1
f4d3963a3e9fa5f81bd2f50484720ad065fd284f

SHA256
7d7f036824fe3aadde2d45786dbc7208edd1aa5a5a146ee2f4489d6d32912ab4

SHA512
9c58567e8dd650816e495f94289dd30f8b3d6626918f3393a249dd012431c9bb47e7a27c567eb0a29494572356dd9cb2373f178924a566a278099284e324ff62

Download Submit
\Users\Admin\AppData\Local\Temp\nosuv.exe
Filesize
459KB

MD5
b03345845669f16bbe94ae7aad04f823

SHA1
2fa80d155472665580736025bf9dd14015a3686f

SHA256
ddebfdaa00539a9b068a802cda776d4873b4d7d72e0df482622b0c4772d5e5b4

SHA512
344d467c79d0c9f8bdb8bfe0b44936937edfb6bc4730fbf7ba1f99254bcd8dc5795369c4bf14c58df1faec190ec7a8071839dd7fdc7cee79d6c9092882112e0e

Download Submit
memory/2280-176-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2280-166-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2796-85-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-78-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2796-113-0x0000000004510000-0x0000000004FFC000-memory.dmp

Filesize
10.9MB

Download
memory/2796-68-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2796-70-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2796-73-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2796-75-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2796-112-0x0000000004510000-0x0000000004FFC000-memory.dmp

Filesize
10.9MB

Download
memory/2796-80-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2796-83-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-63-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2796-88-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2796-90-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2796-115-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2976-161-0x00000000047C0000-0x0000000004959000-memory.dmp

Filesize
1.6MB

Download
memory/2976-171-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3068-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3068-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3068-57-0x0000000004280000-0x0000000004D6C000-memory.dmp

Filesize
10.9MB

Download
memory/3068-61-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3068-59-0x0000000004280000-0x0000000004D6C000-memory.dmp

Filesize
10.9MB

Download
memory/3068-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3068-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3068-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3068-38-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/3068-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3068-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3068-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3068-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3068-64-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/3068-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3068-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3068-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3068-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3068-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3068-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3068-28-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/3068-30-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/3068-33-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/3068-35-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/3068-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3068-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads