urelas | efbfdb4e4673402686c4cefa55e1f34eee026615b70b06b9bad40f07cbcd0fad

General

Target

6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe
Size

365KB
MD5

6497276021f583f26c60188ca0e18930
SHA1

e8b38782979babaeb5dad7c8894e0b35fae25941
SHA256

efbfdb4e4673402686c4cefa55e1f34eee026615b70b06b9bad40f07cbcd0fad
SHA512

af61d6a94ad332acf139a1a5da5917c5fc0c92308c3c8b2215c65743e705a1105e56e3548e23740224f4b0cc66f5e4065b09674e2b06fe1b786335475ca8002d
SSDEEP

6144:OuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62p+:OzGL2C2aZ2/F1WHHUaveOHjTC

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2308 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

qocam.exeejroh.exe

pid process

2064 qocam.exe
2368 ejroh.exe
Loads dropped DLL 3 IoCs

Processes:

6497276021f583f26c60188ca0e18930_NeikiAnalytics.exeqocam.exe

pid process

2072 6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe
2064 qocam.exe
2064 qocam.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2308	cmd.exe

pid	process
2064	qocam.exe
2368	ejroh.exe

pid	process
2072	6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe
2064	qocam.exe
2064	qocam.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

ejroh.exe

pid	process
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe
2368	ejroh.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6497276021f583f26c60188ca0e18930_NeikiAnalytics.exeqocam.exe

description	pid	process	target process
PID 2072 wrote to memory of 2064	2072	6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe	qocam.exe
PID 2072 wrote to memory of 2064	2072	6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe	qocam.exe
PID 2072 wrote to memory of 2064	2072	6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe	qocam.exe
PID 2072 wrote to memory of 2064	2072	6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe	qocam.exe
PID 2072 wrote to memory of 2308	2072	6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe	cmd.exe
PID 2072 wrote to memory of 2308	2072	6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe	cmd.exe
PID 2072 wrote to memory of 2308	2072	6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe	cmd.exe
PID 2072 wrote to memory of 2308	2072	6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe	cmd.exe
PID 2064 wrote to memory of 2368	2064	qocam.exe	ejroh.exe
PID 2064 wrote to memory of 2368	2064	qocam.exe	ejroh.exe
PID 2064 wrote to memory of 2368	2064	qocam.exe	ejroh.exe
PID 2064 wrote to memory of 2368	2064	qocam.exe	ejroh.exe

C:\Users\Admin\AppData\Local\Temp\6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6497276021f583f26c60188ca0e18930_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\qocam.exe
  "C:\Users\Admin\AppData\Local\Temp\qocam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\ejroh.exe
    "C:\Users\Admin\AppData\Local\Temp\ejroh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
306B

MD5
66de5e3c497ffc05f778d6f9cdb5046d

SHA1
7dc1b2ba3d7f04d3366b93d3a9ca3220a1120a67

SHA256
eb48fae57a89542c7c4db9a51c9c850181f44cac621ec4a8fa64808f50db03a9

SHA512
7ae2e80879a9b3e452b4d256dba366ddc15a2e2a9a0bca2ba3cede55454af084eac8399d879e9604c398d3310871b09e7a954f01a53a6a35e0b8deb49838e575

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejroh.exe

Filesize
303KB

MD5
817204eeccfc4dae25c5829384c0b1a3

SHA1
5a5a86652cc14b2f25f64a8f30623dfff2b65f50

SHA256
ecb6070a759945435214a726b0a6520acfafcf77ba410dfe098bbe8a35506b82

SHA512
e208b20bde16cd47fb6d570e2e5831406c8a347690eee07a35c94558afbf16e47eddc94c9a911401d57aa33938f2875d0c874c69f8362c31c86b08eed2a60df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fe531d9379f11098fcd9856a2cae54bb

SHA1
917c7e5f3c4ebfd33e262c934f26854578905d01

SHA256
7b234256c84aa11d0d9499f7a6c481b25d4d85863e48957498b22526800a7113

SHA512
f3490cf649b474daee0fbb08a9d8b303c8305c23c77ed4076023d3f744610bf2335ce00aacfb2483e72ba012c636070fa6f5365988c0285d82996a709a3c94d3

Download Submit
\Users\Admin\AppData\Local\Temp\qocam.exe

Filesize
365KB

MD5
a093c82617af4217f46b4009a07bcf06

SHA1
a5ab985097363518f08a57c8e51bcf3bad3711e4

SHA256
37685891b02fbba3be1e860750388e090ccdf38ed183b72cfcc620bb23977d20

SHA512
c1a9f7b0bfb2de23f5665f4da5c86c1c867976c7ece3f6fcedbc1b7d0b9e611bd98ac83fca503fc9d6e05704a24e82cdf49d0e2902da9532b0d8f5c3b94150bc

Download Submit
memory/2064-11-0x0000000000E10000-0x0000000000E72000-memory.dmp

Filesize
392KB

Download
memory/2064-29-0x0000000000E10000-0x0000000000E72000-memory.dmp

Filesize
392KB

Download
memory/2072-0-0x0000000000CF0000-0x0000000000D52000-memory.dmp

Filesize
392KB

Download
memory/2072-6-0x0000000002AC0000-0x0000000002B22000-memory.dmp

Filesize
392KB

Download
memory/2072-18-0x0000000000CF0000-0x0000000000D52000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing