urelas | 1734de5eeeb1055302746928ce656ee18b2411dd67bc9d70ecd397fc37f04dea

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe
Size

516KB
MD5

acd1392095f4b6997b19f8d855163f3b
SHA1

d226ef6102a3aa87ff0df5ba38ee9ec11701e965
SHA256

1734de5eeeb1055302746928ce656ee18b2411dd67bc9d70ecd397fc37f04dea
SHA512

a63929c548b9e21b96950ea37d999df37377151d239b310d410f686a6e7e46c0ce24feae8415db19ae832a0cabbb5fd5f90ee95847513aae59f0023b7e2dc3c6
SSDEEP

12288:1pbfVlu0agWfZlnxgmEpZGsrUs99uDEq5EGDFhI:1pbGRZxSfGCUs99hq5Jg

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	buxyu.exe

Executes dropped EXE 2 IoCs

pid	Process
4552	buxyu.exe
5860	xapoj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buxyu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xapoj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe
5860	xapoj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 4552	4224	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe	91
PID 4224 wrote to memory of 4552	4224	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe	91
PID 4224 wrote to memory of 4552	4224	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe	91
PID 4224 wrote to memory of 4692	4224	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe	93
PID 4224 wrote to memory of 4692	4224	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe	93
PID 4224 wrote to memory of 4692	4224	2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe	93
PID 4552 wrote to memory of 5860	4552	buxyu.exe	112
PID 4552 wrote to memory of 5860	4552	buxyu.exe	112
PID 4552 wrote to memory of 5860	4552	buxyu.exe	112

C:\Users\Admin\AppData\Local\Temp\2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_acd1392095f4b6997b19f8d855163f3b_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Local\Temp\buxyu.exe
  "C:\Users\Admin\AppData\Local\Temp\buxyu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\xapoj.exe
    "C:\Users\Admin\AppData\Local\Temp\xapoj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
aa6be6836dcc155c611f2f111c7be039

SHA1
d3c17487b81fae3002dceb5aa8e1abefb4b2661e

SHA256
b3a2c612f112c69e158cb5e3f18edba4aaf0745c129ca0e06c94c1fd9c39c1d7

SHA512
bf0b8e0bbfef7183b924246bba29f3eee91ab41a95543bf416ece42b7220882d67855596cd73114b19d6891edd929a2caec36f4ff5198f7ded52c4aefbd20fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\buxyu.exe

Filesize
516KB

MD5
64735856ad63c9820a6161886370eace

SHA1
815e8fac7bc2f0a44453a7d83326d46b806034ff

SHA256
05c4a24da618ef218312ac520d553a253b6b98a4449f047d4702a1c4d86526f9

SHA512
dd74427c451e05f0de81832d58a662eae3b2469d29c1aab7e7c37e1581ac4b69d97374a8a42198fc92731b34c030326f3a9ba812ccbc5ebc77299fdcf912204c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d7e67c8a41b87cfc680812f0295394a0

SHA1
17c49d8cc5efab30f46bd7557f28e0767dc44b28

SHA256
cd999983ef633f1795c7c1cd6ad942b0df44743e74b742debf1a71ef2649a74a

SHA512
763a6c2df04e09b61adca96c36b9b620940ad0b33946e750e5d76bf18ce2ec9fce5ea20efb51aaa7f9c35ff1790fd133098d514143d1d386875f2558ec54d2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xapoj.exe

Filesize
178KB

MD5
3f2a5c15425a0cc2b34ab74a66d80cac

SHA1
4d9d51e512ba814acb71cb40a4b0fd26224841f5

SHA256
8e1d7f89ea82baf5c1c8e173dbc14e403fbaa16e3dba4c222172b21998aa8e0d

SHA512
123e780e82d5129725752e3d011c8973342707ab3d5cbdbaa80ff09146bd9a2a92c07e1b4ce8fd60425d54f92f36dfe4d976b20ace4ac9214c72c73394be64dc

Download Submit
memory/4224-13-0x00000000003F0000-0x0000000000476000-memory.dmp

Filesize
536KB

Download
memory/4224-0-0x00000000003F0000-0x0000000000476000-memory.dmp

Filesize
536KB

Download
memory/4552-27-0x0000000000760000-0x00000000007E6000-memory.dmp

Filesize
536KB

Download
memory/4552-10-0x0000000000760000-0x00000000007E6000-memory.dmp

Filesize
536KB

Download
memory/4552-17-0x0000000000760000-0x00000000007E6000-memory.dmp

Filesize
536KB

Download
memory/5860-26-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5860-29-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5860-30-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5860-31-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5860-32-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5860-33-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5860-34-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download