urelas | 0e5558661eb5f41024501a214e450206e8000f27d528053126db9055df520d27

General

Target

0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe
Size

331KB
MD5

0a5299aad2c051d927fbf424d98bb080
SHA1

d70a7563a998e324969a42b0a346eb5079513e08
SHA256

0e5558661eb5f41024501a214e450206e8000f27d528053126db9055df520d27
SHA512

1113535074cf4a4b06ed86bc9694ebfafdb882cce759ed09fbd65e0d0676e51192b2e31f2a3eddfb61afbeffc8209239c8a55ddbc05ed33cdac0ad0f017d0a5b
SSDEEP

6144:yty5fbpxDuMcHYwt1gxloqtaE5iWbUMqfn8EijRUNafrHBw/iA:ytCLD7+51gxeq3gOU9EEQrhMz

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3060 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

egamt.exeobdoul.exebaudo.exe

pid process

2496 egamt.exe
2684 obdoul.exe
1888 baudo.exe

pid	process
3060	cmd.exe

pid	process
2496	egamt.exe
2684	obdoul.exe
1888	baudo.exe

Loads dropped DLL 5 IoCs

Processes:

0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exeegamt.exeobdoul.exe

pid	process
2184	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe
2184	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe
2496	egamt.exe
2496	egamt.exe
2684	obdoul.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

baudo.exe

pid	process
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe
1888	baudo.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exeegamt.exeobdoul.exe

description	pid	process	target process
PID 2184 wrote to memory of 2496	2184	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe	egamt.exe
PID 2184 wrote to memory of 2496	2184	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe	egamt.exe
PID 2184 wrote to memory of 2496	2184	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe	egamt.exe
PID 2184 wrote to memory of 2496	2184	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe	egamt.exe
PID 2184 wrote to memory of 3060	2184	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe	cmd.exe
PID 2184 wrote to memory of 3060	2184	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe	cmd.exe
PID 2184 wrote to memory of 3060	2184	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe	cmd.exe
PID 2184 wrote to memory of 3060	2184	0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe	cmd.exe
PID 2496 wrote to memory of 2684	2496	egamt.exe	obdoul.exe
PID 2496 wrote to memory of 2684	2496	egamt.exe	obdoul.exe
PID 2496 wrote to memory of 2684	2496	egamt.exe	obdoul.exe
PID 2496 wrote to memory of 2684	2496	egamt.exe	obdoul.exe
PID 2684 wrote to memory of 1888	2684	obdoul.exe	baudo.exe
PID 2684 wrote to memory of 1888	2684	obdoul.exe	baudo.exe
PID 2684 wrote to memory of 1888	2684	obdoul.exe	baudo.exe
PID 2684 wrote to memory of 1888	2684	obdoul.exe	baudo.exe
PID 2684 wrote to memory of 1860	2684	obdoul.exe	cmd.exe
PID 2684 wrote to memory of 1860	2684	obdoul.exe	cmd.exe
PID 2684 wrote to memory of 1860	2684	obdoul.exe	cmd.exe
PID 2684 wrote to memory of 1860	2684	obdoul.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0a5299aad2c051d927fbf424d98bb080_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\egamt.exe
  "C:\Users\Admin\AppData\Local\Temp\egamt.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\obdoul.exe
    "C:\Users\Admin\AppData\Local\Temp\obdoul.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\baudo.exe
      "C:\Users\Admin\AppData\Local\Temp\baudo.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
a011fbf19e5e6d993f257224c8c022ba

SHA1
19d0e28f14ee707c0a2adbddf93b3d7204b4fbe4

SHA256
0f99d4760105424657c8d593e87b17ab5890381a8cea295396b6baae5657ca14

SHA512
385d72981735bffa898b761b1122246dffc6c3cd2cb6b5b91d9b27e3d1beb742538218d30e457ecf8bf517848618ea4e37a73c9c2275fb8fa8e8b7cfd9530229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
d0060ea3c331e2a48f613fef7ae7560e

SHA1
74d384e1e3ed66343807bbdbc63bd807670270d7

SHA256
6226a1e6cfb8ff015e1d88675d15603d8bff3400b05c62871481d1ca4f2af26b

SHA512
650c6aea9093d58e8d0e8c075e8f1b7883467ab4feebaa254115f6e4b9b5ce70ad2356880efe5e51d67f0f02685ce7fdc35fbed999ec52c15ae3625518893419

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
da23d5d7a77a12b531982f7f6a75301c

SHA1
4e51a92da80c4faa8777cf57e334020588a03ca5

SHA256
7bf8fe9b07fdb53110babc8a58bdaa50528faad5f2b9eecef98dba8b621b2f0b

SHA512
32cd374e2602ea024823340f68c29bfa4ad99736907972f26cf20bc27b8df96a916ec651add6fc5353c6060f14c3a40926aa90b1db7d8ffb463fe387bfd87e97

Download Submit
\Users\Admin\AppData\Local\Temp\baudo.exe

Filesize
223KB

MD5
8bf9af36c55615a40b2fdfda1a58f4fd

SHA1
50e7c58baa374c47bb4872fabaa28d331d5a4104

SHA256
f4f2171d1789f68a0322a0e10116043090a6a1a78d37205abc4d8960fa016068

SHA512
3de5c1740123310e9c3ba1fad877e53a1243a46a9afcea86d99df9f60c06ef517c67cc0fdd3db7b0e2238d0d75022105119c216cdce6553903e91e13d1560e75

Download Submit
\Users\Admin\AppData\Local\Temp\egamt.exe

Filesize
331KB

MD5
8ef8b07e13f39b5e196a037acf3ad8fb

SHA1
86b41ed2710c2eaad4e5582f189031e98dcd9ba4

SHA256
a4fcc3ed45f975e1accc986fdc081655415ef53b1801e6a8e2ce6c410f770849

SHA512
87c4db78b1991bf74f642fb3c50f078deaa43994f8174002df045cb8a9110cc0295a68db6e5683caf27667d070da14241dcaa3b19ecc8915351c94dd1fb645b1

Download Submit
\Users\Admin\AppData\Local\Temp\obdoul.exe

Filesize
331KB

MD5
91c26fe431173884f8e13266a1a5ca31

SHA1
83965bd878a7db65f72745c612ef4205d9ffc9db

SHA256
1d79e63c0e5b2328c45ea361665ed3baaa0b97d0682f9bb79d4ff2edc34670c5

SHA512
41fc0600beb547d54f126bab3d3117d9e84b9c694b02b5b43183409f9481b08568079cf5e8da947c02d5b3179006f960bfec79daeac4647fea86d171fd4c0e21

Download Submit
memory/1888-65-0x0000000000DC0000-0x0000000000E60000-memory.dmp

Filesize
640KB

Download
memory/1888-70-0x0000000000DC0000-0x0000000000E60000-memory.dmp

Filesize
640KB

Download
memory/1888-73-0x0000000000DC0000-0x0000000000E60000-memory.dmp

Filesize
640KB

Download
memory/1888-72-0x0000000000DC0000-0x0000000000E60000-memory.dmp

Filesize
640KB

Download
memory/1888-71-0x0000000000DC0000-0x0000000000E60000-memory.dmp

Filesize
640KB

Download
memory/1888-69-0x0000000000DC0000-0x0000000000E60000-memory.dmp

Filesize
640KB

Download
memory/2184-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2184-11-0x00000000028C0000-0x0000000002927000-memory.dmp

Filesize
412KB

Download
memory/2184-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2496-33-0x0000000003790000-0x00000000037F7000-memory.dmp

Filesize
412KB

Download
memory/2496-35-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2496-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2684-54-0x0000000003110000-0x00000000031B0000-memory.dmp

Filesize
640KB

Download
memory/2684-64-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2684-39-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2684-37-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads