urelas | 1734de5eeeb1055302746928ce656ee18b2411dd67bc9d70ecd397fc37f04dea

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe
Size

516KB
MD5

acd1392095f4b6997b19f8d855163f3b
SHA1

d226ef6102a3aa87ff0df5ba38ee9ec11701e965
SHA256

1734de5eeeb1055302746928ce656ee18b2411dd67bc9d70ecd397fc37f04dea
SHA512

a63929c548b9e21b96950ea37d999df37377151d239b310d410f686a6e7e46c0ce24feae8415db19ae832a0cabbb5fd5f90ee95847513aae59f0023b7e2dc3c6
SSDEEP

12288:1pbfVlu0agWfZlnxgmEpZGsrUs99uDEq5EGDFhI:1pbGRZxSfGCUs99hq5Jg

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	comed.exe

Executes dropped EXE 2 IoCs

pid	Process
5148	comed.exe
2104	vuvis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuvis.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe
2104	vuvis.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 5148	3680	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe	91
PID 3680 wrote to memory of 5148	3680	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe	91
PID 3680 wrote to memory of 5148	3680	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe	91
PID 3680 wrote to memory of 6108	3680	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe	92
PID 3680 wrote to memory of 6108	3680	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe	92
PID 3680 wrote to memory of 6108	3680	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe	92
PID 5148 wrote to memory of 2104	5148	comed.exe	108
PID 5148 wrote to memory of 2104	5148	comed.exe	108
PID 5148 wrote to memory of 2104	5148	comed.exe	108

C:\Users\Admin\AppData\Local\Temp\2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\comed.exe
  "C:\Users\Admin\AppData\Local\Temp\comed.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5148
- - C:\Users\Admin\AppData\Local\Temp\vuvis.exe
    "C:\Users\Admin\AppData\Local\Temp\vuvis.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
aa6be6836dcc155c611f2f111c7be039

SHA1
d3c17487b81fae3002dceb5aa8e1abefb4b2661e

SHA256
b3a2c612f112c69e158cb5e3f18edba4aaf0745c129ca0e06c94c1fd9c39c1d7

SHA512
bf0b8e0bbfef7183b924246bba29f3eee91ab41a95543bf416ece42b7220882d67855596cd73114b19d6891edd929a2caec36f4ff5198f7ded52c4aefbd20fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\comed.exe

Filesize
516KB

MD5
2e5e3c1e25bd2c3e2d51d3dce15970d7

SHA1
7d98550f9363ea0e9868c58c7c1247e5205c4c7b

SHA256
f02492c170b03b75a324ca42002ce16b75d938dcbea5416e71a9146c9b3223f7

SHA512
fc796df80a38202fd54715f187461d8bfe27a679a963c660dab61bc611979d96ff00cd05c7a785333558bf7c97e1c5ccf29d8cd002c1847a28872c5a819cd140

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7a9e1707ad3c827957c47601862c04ac

SHA1
ee4b770b0a37260acafe366118da565d9f403355

SHA256
4c478343d1e48d61fb50fe4fcc60add5edc99832d8f3f47c4af9b9633b2d96ea

SHA512
2a3381587367dea48a204680f7a0e6b196dcfddfe2f83d81b738496100134e146257fa038a46180aa783d2f348f7074c4805b82bf68332c49327215e639ad00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuvis.exe

Filesize
179KB

MD5
d8a85d21975938efe89715c18ac82600

SHA1
7a226fbe77d66d421c5748d9bdb9a4df07c09474

SHA256
24f02586745f98a8fcc9ccddbcda583e5a5cdae833b1e11c91e852aa6051a5b0

SHA512
a5ed53773eaad972a04dd1aa715dbfc869671bb5f2ee64b43fb16da4826ee6c803ccf0e8e0cd978859987d9c3aaab54544d29cac5458422baa261bac6cc12b77

Download Submit
memory/2104-26-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2104-29-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2104-30-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2104-31-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2104-32-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2104-33-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2104-34-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3680-13-0x0000000000B10000-0x0000000000B96000-memory.dmp

Filesize
536KB

Download
memory/3680-0-0x0000000000B10000-0x0000000000B96000-memory.dmp

Filesize
536KB

Download
memory/5148-17-0x0000000000E60000-0x0000000000EE6000-memory.dmp

Filesize
536KB

Download
memory/5148-11-0x0000000000E60000-0x0000000000EE6000-memory.dmp

Filesize
536KB

Download
memory/5148-27-0x0000000000E60000-0x0000000000EE6000-memory.dmp

Filesize
536KB

Download