urelas | 3a02891b63435bfe0f26fa9c8f3f901bf249ea85a053244bb1c31c92c91f6a42

General

Target

3b446e52eb17a8fb7c415290bde786c0_NeikiAnalytics.exe
Size

392KB
MD5

3b446e52eb17a8fb7c415290bde786c0
SHA1

29ca3592c7648d6864fa06a612f011feec381d30
SHA256

3a02891b63435bfe0f26fa9c8f3f901bf249ea85a053244bb1c31c92c91f6a42
SHA512

4bbfc881da171b1ee801214ce727b54d307c4887de2495e554c4a61ca66519d5ba122555920dbd5f2142c0e11091de6e24d02115ad9951e6d9300f1210739d26
SSDEEP

6144:e8efQ6QPJGcLbjg08fLsGH+revgLIAP1fXo1Eppwsnaa:n6QPJGcE0rGereYdPc6

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2668 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

efwal.exezuaja.exe

pid process

3004 efwal.exe
1676 zuaja.exe
Loads dropped DLL 2 IoCs

Processes:

3b446e52eb17a8fb7c415290bde786c0_NeikiAnalytics.exeefwal.exe

pid process

2976 3b446e52eb17a8fb7c415290bde786c0_NeikiAnalytics.exe
3004 efwal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2668	cmd.exe

pid	process
3004	efwal.exe
1676	zuaja.exe

pid	process
2976	3b446e52eb17a8fb7c415290bde786c0_NeikiAnalytics.exe
3004	efwal.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

zuaja.exe

pid	process
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe
1676	zuaja.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3b446e52eb17a8fb7c415290bde786c0_NeikiAnalytics.exeefwal.exe

description	pid	process	target process
PID 2976 wrote to memory of 3004	2976	3b446e52eb17a8fb7c415290bde786c0_NeikiAnalytics.exe	efwal.exe
PID 2976 wrote to memory of 3004	2976	3b446e52eb17a8fb7c415290bde786c0_NeikiAnalytics.exe	efwal.exe
PID 2976 wrote to memory of 3004	2976	3b446e52eb17a8fb7c415290bde786c0_NeikiAnalytics.exe	efwal.exe
PID 2976 wrote to memory of 3004	2976	3b446e52eb17a8fb7c415290bde786c0_NeikiAnalytics.exe	efwal.exe
PID 2976 wrote to memory of 2668	2976	3b446e52eb17a8fb7c415290bde786c0_NeikiAnalytics.exe	cmd.exe
PID 2976 wrote to memory of 2668	2976	3b446e52eb17a8fb7c415290bde786c0_NeikiAnalytics.exe	cmd.exe
PID 2976 wrote to memory of 2668	2976	3b446e52eb17a8fb7c415290bde786c0_NeikiAnalytics.exe	cmd.exe
PID 2976 wrote to memory of 2668	2976	3b446e52eb17a8fb7c415290bde786c0_NeikiAnalytics.exe	cmd.exe
PID 3004 wrote to memory of 1676	3004	efwal.exe	zuaja.exe
PID 3004 wrote to memory of 1676	3004	efwal.exe	zuaja.exe
PID 3004 wrote to memory of 1676	3004	efwal.exe	zuaja.exe
PID 3004 wrote to memory of 1676	3004	efwal.exe	zuaja.exe

C:\Users\Admin\AppData\Local\Temp\3b446e52eb17a8fb7c415290bde786c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3b446e52eb17a8fb7c415290bde786c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\efwal.exe
  "C:\Users\Admin\AppData\Local\Temp\efwal.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\zuaja.exe
    "C:\Users\Admin\AppData\Local\Temp\zuaja.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
306B

MD5
5d899049758985793eac9f7b9511e51b

SHA1
41f4a44166dfb617192beabe2c38b1d487ac9533

SHA256
d2a9a6a3d939f44a2c689594eb34c33831cd429da57d5ad3254ca9176b9a40ef

SHA512
08b35219f2749f604916e67a2835df15d56605971ff27d7e3b00dbdffeb4bd3a9b83669be2927a55da7083dd691e304d6e65c563a051a2db0899ba14c9f8244c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e0d37f9cb83e0b95b76a7946b3f4d59e

SHA1
e8ad56c2bc94f8cfec404649f722cc9e969ebeb0

SHA256
7637ac0df9240aa24dfa36858de9fa7ca80384cdc946afa77b81325616e72226

SHA512
eaf3832250a65055264c5353cffb9625d3a5ed89b58f8a95880dbe0ee13ee02c19ef78b32a15065eb78a022268953af202461d5d2e28c783828ffb6c81d93cab

Download Submit
\Users\Admin\AppData\Local\Temp\efwal.exe

Filesize
392KB

MD5
a48d31359a5954996b255d034314abe3

SHA1
994ee28942a1f97d88a4bb86f33d9f422bf9bc85

SHA256
bd1fd5277708648f85a54f4ba38fd887401cd85f5134b4b4e443f435b657a49b

SHA512
b915c1ff61d4c49e643b91c6d720175190c0fbfc729d1ebf850afbfee3721974e09fda0121426a8edd8dcd3e0b0493970e82b5125b7b849ce9b15a4f07b2d04b

Download Submit
\Users\Admin\AppData\Local\Temp\zuaja.exe

Filesize
291KB

MD5
6a498e60613c123b23dc192c4e68d080

SHA1
5107b7a9587367737efe344beeb78bbe06c0a667

SHA256
be9fc83dc9a32d7f3cf4b7b81f8e7686cae05ae4877906206a652d594bd85cb8

SHA512
233b2d3496a9edefc38a1126733495348b9bd77e693182f04cdb2282a42c7a21e5275cfa41c90d018fed7a0b7f477f574d40d7521805045113a57acdbab883e7

Download Submit
memory/2976-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing