urelas | 060925840131f267857344edc2c2c4ca8aa8e4d20b029f8e35baec4c92f8debc

General

Target

624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe
Size

368KB
MD5

624efc1dbe90125eddada90974fdace0
SHA1

f7f33cdd1c1d1da5de95dec6affc70be0dfeb711
SHA256

060925840131f267857344edc2c2c4ca8aa8e4d20b029f8e35baec4c92f8debc
SHA512

bbae1bdb52932a1fd008cd03520f891da91cd4845d8fb00acaa112d0426474e33fa2a24d6915d08a4f78724382f9ad94affeb7cbb53debd4688ccbd7aed1c174
SSDEEP

6144:OuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62psW:OzGL2C2aZ2/F1WHHUaveOHjTH

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2564 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

jaesh.exevuhai.exe

pid process

2948 jaesh.exe
1216 vuhai.exe
Loads dropped DLL 3 IoCs

Processes:

624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exejaesh.exe

pid process

2008 624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe
2948 jaesh.exe
2948 jaesh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2564	cmd.exe

pid	process
2948	jaesh.exe
1216	vuhai.exe

pid	process
2008	624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe
2948	jaesh.exe
2948	jaesh.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

vuhai.exe

pid	process
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe
1216	vuhai.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exejaesh.exe

description	pid	process	target process
PID 2008 wrote to memory of 2948	2008	624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe	jaesh.exe
PID 2008 wrote to memory of 2948	2008	624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe	jaesh.exe
PID 2008 wrote to memory of 2948	2008	624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe	jaesh.exe
PID 2008 wrote to memory of 2948	2008	624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe	jaesh.exe
PID 2008 wrote to memory of 2564	2008	624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe	cmd.exe
PID 2008 wrote to memory of 2564	2008	624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe	cmd.exe
PID 2008 wrote to memory of 2564	2008	624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe	cmd.exe
PID 2008 wrote to memory of 2564	2008	624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe	cmd.exe
PID 2948 wrote to memory of 1216	2948	jaesh.exe	vuhai.exe
PID 2948 wrote to memory of 1216	2948	jaesh.exe	vuhai.exe
PID 2948 wrote to memory of 1216	2948	jaesh.exe	vuhai.exe
PID 2948 wrote to memory of 1216	2948	jaesh.exe	vuhai.exe

C:\Users\Admin\AppData\Local\Temp\624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\624efc1dbe90125eddada90974fdace0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\jaesh.exe
  "C:\Users\Admin\AppData\Local\Temp\jaesh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\vuhai.exe
    "C:\Users\Admin\AppData\Local\Temp\vuhai.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
306B

MD5
78add4663005c31146bb2733aeb55be6

SHA1
2c221c8fc625dab5f62e0c9d091006d8e0038364

SHA256
24d8cec81bb75923aaebc8c866f88cda3cad285adc883682e09f6076714b2c1c

SHA512
d4a7bd6087a4ea90c568ee425ea9958e5aeb0c5b0097d2a76217bb1a7ab2a8aac0e475544807212bd83b59539900e24004c20523c47dc58f44c3f5922354935f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2ce6fb2c366d3642dce262b5893e3fd7

SHA1
9600ef81a49d1875051a143ff58fdddc2e85faf2

SHA256
a6e432d8949546eab0a8558e563c30f16fbfaf27f131db535a802c8964958547

SHA512
95b70e9bda2067779a0adb6122dff5637cd4852d5b303fcd2dd51c618e2d369063bada5e8bfcf06d6a665892f615e1d6e3994c964f7225b38697756e1d67451c

Download Submit
\Users\Admin\AppData\Local\Temp\jaesh.exe

Filesize
368KB

MD5
1baf7a92fb78a3ce44719f163d3d2726

SHA1
ee602bdc286ab601662a1ef4bd3574cb9caee655

SHA256
89c8ba3779f0aa96b2189dfc48a9ad6215c43a8fdb7b5d959cd56a880e0d6611

SHA512
2f5ae3371a923ce4163cebf06eec8ca9c9f385801a13226efbddd3e75266e8cab79d670c313a456adf279e3c1c571088edc2966ffa162d9e499300ea49319a91

Download Submit
\Users\Admin\AppData\Local\Temp\vuhai.exe

Filesize
303KB

MD5
e9267e44a64f6273c64ad5a545f05073

SHA1
8ff4b536a674e798152e63300f6ab1779308046e

SHA256
47f57ef4066370f2fc9909ee6b6c8c774546eaade6df64c04cec89bd9f9a614e

SHA512
3d91b47f080c5c09b508eba27cd2474d7b21c861404ee527e0c14b0b7e28984c4dbcff74fb1c911603c00ee610547a30cf768a6f4123408c251b13a355ae1824

Download Submit
memory/2008-0-0x00000000002D0000-0x0000000000332000-memory.dmp

Filesize
392KB

Download
memory/2008-15-0x00000000022B0000-0x0000000002312000-memory.dmp

Filesize
392KB

Download
memory/2008-18-0x00000000002D0000-0x0000000000332000-memory.dmp

Filesize
392KB

Download
memory/2948-16-0x0000000000C20000-0x0000000000C82000-memory.dmp

Filesize
392KB

Download
memory/2948-30-0x0000000000C20000-0x0000000000C82000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing