urelas | 99b0e6c557256717472ab8b99a91e7f819c1f4cc77f165566985c694a86dd1d2

General

Target

aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe
Size

329KB
MD5

aeab4161e9560703eacffcf0b2eb4ff0
SHA1

ee1b406cbd6669467c3a999bae34e7a262ec6b27
SHA256

99b0e6c557256717472ab8b99a91e7f819c1f4cc77f165566985c694a86dd1d2
SHA512

2dd53a07f71dc97c9bb4dd8c701be0648ed66e067d35ddbd0f073504b8171bd4277e8ab4a761654840d6d002e8fad8614c89c12a46a8b40118ba864cce84a897
SSDEEP

6144:sY4zSop9m06QbGTCnTRoOIH3FPA7AthtLpSRFe:PkXpd6jqiOIHZAj3e

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2672 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

fuhoh.exejufyxu.exegusur.exe

pid process

1756 fuhoh.exe
2596 jufyxu.exe
2716 gusur.exe
Loads dropped DLL 3 IoCs

Processes:

aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exefuhoh.exejufyxu.exe

pid process

2220 aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe
1756 fuhoh.exe
2596 jufyxu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2672	cmd.exe

pid	process
1756	fuhoh.exe
2596	jufyxu.exe
2716	gusur.exe

pid	process
2220	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe
1756	fuhoh.exe
2596	jufyxu.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

gusur.exe

pid	process
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe
2716	gusur.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exefuhoh.exejufyxu.exe

description	pid	process	target process
PID 2220 wrote to memory of 1756	2220	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe	fuhoh.exe
PID 2220 wrote to memory of 1756	2220	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe	fuhoh.exe
PID 2220 wrote to memory of 1756	2220	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe	fuhoh.exe
PID 2220 wrote to memory of 1756	2220	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe	fuhoh.exe
PID 2220 wrote to memory of 2672	2220	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe	cmd.exe
PID 2220 wrote to memory of 2672	2220	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe	cmd.exe
PID 2220 wrote to memory of 2672	2220	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe	cmd.exe
PID 2220 wrote to memory of 2672	2220	aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe	cmd.exe
PID 1756 wrote to memory of 2596	1756	fuhoh.exe	jufyxu.exe
PID 1756 wrote to memory of 2596	1756	fuhoh.exe	jufyxu.exe
PID 1756 wrote to memory of 2596	1756	fuhoh.exe	jufyxu.exe
PID 1756 wrote to memory of 2596	1756	fuhoh.exe	jufyxu.exe
PID 2596 wrote to memory of 2716	2596	jufyxu.exe	gusur.exe
PID 2596 wrote to memory of 2716	2596	jufyxu.exe	gusur.exe
PID 2596 wrote to memory of 2716	2596	jufyxu.exe	gusur.exe
PID 2596 wrote to memory of 2716	2596	jufyxu.exe	gusur.exe
PID 2596 wrote to memory of 1576	2596	jufyxu.exe	cmd.exe
PID 2596 wrote to memory of 1576	2596	jufyxu.exe	cmd.exe
PID 2596 wrote to memory of 1576	2596	jufyxu.exe	cmd.exe
PID 2596 wrote to memory of 1576	2596	jufyxu.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aeab4161e9560703eacffcf0b2eb4ff0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\fuhoh.exe
  "C:\Users\Admin\AppData\Local\Temp\fuhoh.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\jufyxu.exe
    "C:\Users\Admin\AppData\Local\Temp\jufyxu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\gusur.exe
      "C:\Users\Admin\AppData\Local\Temp\gusur.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
0b6a4c551ac3cdfba6fc92e992548170

SHA1
b3f6cef21697ca33c17b1052742896234b5f6a82

SHA256
8e294438fc1f92a0d4a59d18675ce06c44ddf7a4bb58dd0c50c82dd5e42360af

SHA512
15718fa365c1095d1cf73656c1ed9c90676da422b736c3249c4d1165669b6ec3a8190e85ab1b741bc0ae8ef84d36d288f43b249c63bf3b519f58dd398a267a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
306B

MD5
bc327c5350c2a174333677e1682c8e53

SHA1
5cc21084f5c3fca50f06fbfd270bce475dce7345

SHA256
c82a23978e527e17336b3f6763b499608a74de4e5ed79464f0a3a57e80585f53

SHA512
4ad5d1bed2fc87aee6b0c979ab18dfb5c6db54d8d4caf47725c96d658dc41d7fed868aae15aa71fb1243fa74b8d3f872db39207ab96040b2b698eb56e91ab74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
868b664a828b2d968edcdcd3afd9d324

SHA1
c380a6fd698dd89f3385e8c006547e0da2dad312

SHA256
47983ff51af8b248fd1096c720f3d8f6865114be897c7cee752dcd0acde41968

SHA512
6f9f31427fde9a5de0b0a06cd06627d22bda5ea24a5399a8ede74556cec9a4341062223fac31097e09a74f1f60c7b24d675d948a5ee3984dc49903cfe6220db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jufyxu.exe

Filesize
329KB

MD5
7668699c43cd25f64e35aba71b774ee9

SHA1
a566e0c80b057ae17c9d9e6ed3700bb52356eb88

SHA256
80d56412dbdc1864d14c442b8f69f74ad95ecb29ed8f05bf6c2b1df0164c8c39

SHA512
5f72c69b68db5b1b353cb9c92af038b17ed12d34f99929f3dd9095f13077547bcdd7079eb0004ed590af9abd1ffbd4291a5b5c82a00050888eb014fddf6d54a7

Download Submit
\Users\Admin\AppData\Local\Temp\fuhoh.exe

Filesize
329KB

MD5
75959f2c88f6a0c0c696791c971f553d

SHA1
a32c59c89b8c3395faed565cfaa9ccd63c7881c8

SHA256
16f6f12c4890bfb1a786730a441424a55a60b1c36975262f49cc465a32306e83

SHA512
123826a6a754949289dbd6061cf1b09041df2a16ad021c7b7b6d3b9948b5b639a25b29f87d788685d457885afd4554a6aced75033e4b11fe82e99172c1da2354

Download Submit
\Users\Admin\AppData\Local\Temp\gusur.exe

Filesize
223KB

MD5
e6d993a2ee178f5adfe1dbbce059c57e

SHA1
c3cadee307a728594a8fc3c2b12629c5d91f9d6c

SHA256
3f374cf72b082f3425fbe4a9042126cc4dbe4bca1253c1ce964250404fd53cca

SHA512
1e261c2dbbd01554e64c73fd652957e0c9e6f53ea7a3a1fdafc6044d067b8337c3d207a8ca03de86eb1bc69189934248b0c6bde4894319eb9187a77f1bbb0090

Download Submit
memory/1756-31-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1756-20-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2220-4-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/2220-25-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/2220-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2220-26-0x0000000000401000-0x0000000000460000-memory.dmp

Filesize
380KB

Download
memory/2220-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2220-5-0x0000000000401000-0x0000000000460000-memory.dmp

Filesize
380KB

Download
memory/2220-1-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2596-34-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2596-43-0x0000000003BA0000-0x0000000003C40000-memory.dmp

Filesize
640KB

Download
memory/2596-36-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2596-53-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2716-45-0x0000000000E50000-0x0000000000EF0000-memory.dmp

Filesize
640KB

Download
memory/2716-57-0x0000000000E50000-0x0000000000EF0000-memory.dmp

Filesize
640KB

Download
memory/2716-58-0x0000000000E50000-0x0000000000EF0000-memory.dmp

Filesize
640KB

Download
memory/2716-59-0x0000000000E50000-0x0000000000EF0000-memory.dmp

Filesize
640KB

Download
memory/2716-60-0x0000000000E50000-0x0000000000EF0000-memory.dmp

Filesize
640KB

Download
memory/2716-61-0x0000000000E50000-0x0000000000EF0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing