urelas | 4a962624adb34f6e3f897a5397f351abe1bb08da2cd7f96ff10c7cde8d4068e6

General

Target

0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe
Size

323KB
MD5

0ba7cdd478b3f411d9fdd36169a1a5a0
SHA1

381e4fa18d8e2c4741afc0d961463a690cca9606
SHA256

4a962624adb34f6e3f897a5397f351abe1bb08da2cd7f96ff10c7cde8d4068e6
SHA512

2650399e35ed009370047720ffacd2fbd3f1f8e4c86b89e22e8a757c879a2eb624445e296f44e341317bf2d88ff2314a8ab3f0b5db28c2188f00d42a5e3150f8
SSDEEP

6144:cEo/rmV71+I8ZD/h/vFfhxxQO4B4tqv+Hq/On1NHwBzQ4bed76a3FoSx0f:cEo/6YnZVB1rkAqcNAzQCed7J1oS8

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2412 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

zibux.exepofov.exe

pid process

3000 zibux.exe
2812 pofov.exe
Loads dropped DLL 2 IoCs

Processes:

0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exezibux.exe

pid process

2136 0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe
3000 zibux.exe

pid	process
2412	cmd.exe

pid	process
3000	zibux.exe
2812	pofov.exe

pid	process
2136	0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe
3000	zibux.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2136-0-0x0000000000400000-0x0000000000489000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\zibux.exe	upx
behavioral1/memory/2136-8-0x0000000002BC0000-0x0000000002C49000-memory.dmp	upx
behavioral1/memory/3000-17-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/2136-19-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/3000-22-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/3000-37-0x0000000003130000-0x00000000031E6000-memory.dmp	upx
behavioral1/memory/3000-39-0x0000000000400000-0x0000000000489000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

pofov.exe

pid	process
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe
2812	pofov.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exezibux.exe

description	pid	process	target process
PID 2136 wrote to memory of 3000	2136	0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe	zibux.exe
PID 2136 wrote to memory of 3000	2136	0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe	zibux.exe
PID 2136 wrote to memory of 3000	2136	0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe	zibux.exe
PID 2136 wrote to memory of 3000	2136	0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe	zibux.exe
PID 2136 wrote to memory of 2412	2136	0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 2412	2136	0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 2412	2136	0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 2412	2136	0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe	cmd.exe
PID 3000 wrote to memory of 2812	3000	zibux.exe	pofov.exe
PID 3000 wrote to memory of 2812	3000	zibux.exe	pofov.exe
PID 3000 wrote to memory of 2812	3000	zibux.exe	pofov.exe
PID 3000 wrote to memory of 2812	3000	zibux.exe	pofov.exe

C:\Users\Admin\AppData\Local\Temp\0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ba7cdd478b3f411d9fdd36169a1a5a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Local\Temp\zibux.exe
"C:\Users\Admin\AppData\Local\Temp\zibux.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\pofov.exe
"C:\Users\Admin\AppData\Local\Temp\pofov.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
306B

MD5
6778423902e30899d74d9bb16997eb87

SHA1
addea5cb9ba9bb8eef34eb12f0c80a297d7a01e9

SHA256
1708d0d9935346d8c17ae7978608b3eb5593a5e34876aca808b69c18cbe4ff2f

SHA512
1bcbdf6a88df029c2cc28ecafbb8a31c7144c115b0219eeb599679c0c499fecd441b06ec52bc5d3fe96194ae90ed2ac700a5243ec615415f281ef0f1a4e23974

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
86d72b0e523b35ede07e8c0b32658f44

SHA1
47ea41d6e07d8f996c4a42760675f38360616ffe

SHA256
a906fff9d263a9534291f59c20136107b5af93ff9ba627ec1dfab621f0f12d6d

SHA512
312eb07d9bc41985e1e7a03e79c07871b53aa7da23832959eb2c145fb62104f3d7d98df7392555b92c4eca4a4d67e7e78fb6ebf98b3946e6a3b463f951fc3030

Download Submit
\Users\Admin\AppData\Local\Temp\pofov.exe
Filesize
241KB

MD5
c1ab72057450338707b60e246a8a816d

SHA1
f4e057585110e0a431af9484787a2125aa03acd5

SHA256
0744998e4e2c94936f98ee71b12f157084bdf63c3b7814ffad6e5b9cf21f75f1

SHA512
7f3e81801386703abe44128c8f4a05006a53177b64ab05ee111dce5f65f9a2065d2871dec995e6801e71b496c66b14ce01a6478b60d663d9c99dec24524eafa9

Download Submit
\Users\Admin\AppData\Local\Temp\zibux.exe
Filesize
323KB

MD5
0ca28999156b471064027001204d4e5b

SHA1
6a928c80da3ada16b72d772bb21ea57c4e93aebc

SHA256
596bda1c2ee3dc5b6ffdc132dbd55633db1a2f4b611b97a39bf7b3e88a00b98a

SHA512
4b70ba45b7f21d12143b61ff5a48afbdfa61c5f2f8c4bcac9a9ed54388c6c1f0dd37aefd5967081f662bf44da553d2f8a1bc3d9df013ade24cfca2cc0001b9f2

Download Submit
memory/2136-8-0x0000000002BC0000-0x0000000002C49000-memory.dmp

Filesize
548KB

Download
memory/2136-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2136-19-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2812-42-0x0000000001200000-0x00000000012B6000-memory.dmp

Filesize
728KB

Download
memory/2812-40-0x0000000001200000-0x00000000012B6000-memory.dmp

Filesize
728KB

Download
memory/2812-43-0x0000000001200000-0x00000000012B6000-memory.dmp

Filesize
728KB

Download
memory/2812-44-0x0000000001200000-0x00000000012B6000-memory.dmp

Filesize
728KB

Download
memory/2812-45-0x0000000001200000-0x00000000012B6000-memory.dmp

Filesize
728KB

Download
memory/2812-46-0x0000000001200000-0x00000000012B6000-memory.dmp

Filesize
728KB

Download
memory/3000-22-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3000-37-0x0000000003130000-0x00000000031E6000-memory.dmp

Filesize
728KB

Download
memory/3000-39-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3000-17-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads