urelas | a87a6c6e30b69b8f5aca4245c356ea5930c8f74a6b574d5292a7b90e88ab03f8

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_a783fd653fe32a9c33079b0a6f2efcca_amadey_smoke-loader.exe
Size

516KB
MD5

a783fd653fe32a9c33079b0a6f2efcca
SHA1

351f8899c2f16c5896a1a32402714fbe688bf945
SHA256

a87a6c6e30b69b8f5aca4245c356ea5930c8f74a6b574d5292a7b90e88ab03f8
SHA512

803c08707d8a6a283fb7136e7bd34e5f0855dcd0aa1c46f89894804f6d19454d81b18b9045524545f748d24bf1cb8677b47ea2693e58b56aba76472b2b78f403
SSDEEP

12288:1pbfVlu0agWfZlnxgmEpZGsrUs99uDEq5EGDFhi:1pbGRZxSfGCUs99hq5J6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	2025-04-02_a783fd653fe32a9c33079b0a6f2efcca_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	nugyq.exe

Executes dropped EXE 2 IoCs

pid	Process
4548	nugyq.exe
2392	pezyo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nugyq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pezyo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_a783fd653fe32a9c33079b0a6f2efcca_amadey_smoke-loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe
2392	pezyo.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 4548	4132	2025-04-02_a783fd653fe32a9c33079b0a6f2efcca_amadey_smoke-loader.exe	92
PID 4132 wrote to memory of 4548	4132	2025-04-02_a783fd653fe32a9c33079b0a6f2efcca_amadey_smoke-loader.exe	92
PID 4132 wrote to memory of 4548	4132	2025-04-02_a783fd653fe32a9c33079b0a6f2efcca_amadey_smoke-loader.exe	92
PID 4132 wrote to memory of 4424	4132	2025-04-02_a783fd653fe32a9c33079b0a6f2efcca_amadey_smoke-loader.exe	94
PID 4132 wrote to memory of 4424	4132	2025-04-02_a783fd653fe32a9c33079b0a6f2efcca_amadey_smoke-loader.exe	94
PID 4132 wrote to memory of 4424	4132	2025-04-02_a783fd653fe32a9c33079b0a6f2efcca_amadey_smoke-loader.exe	94
PID 4548 wrote to memory of 2392	4548	nugyq.exe	115
PID 4548 wrote to memory of 2392	4548	nugyq.exe	115
PID 4548 wrote to memory of 2392	4548	nugyq.exe	115

C:\Users\Admin\AppData\Local\Temp\2025-04-02_a783fd653fe32a9c33079b0a6f2efcca_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_a783fd653fe32a9c33079b0a6f2efcca_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Users\Admin\AppData\Local\Temp\nugyq.exe
  "C:\Users\Admin\AppData\Local\Temp\nugyq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\pezyo.exe
    "C:\Users\Admin\AppData\Local\Temp\pezyo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
3891e13eefaee1e1bcd2aa31643847c0

SHA1
2f5daefc45bd073d61a0e4ce7f662afb963f4800

SHA256
d045302bba432acfa4dd096f3c42fc4d5b1d29bd4d32f2d8ba1dada7d0d8f56f

SHA512
9d77aafe87b32493a8ad7ea40244f511c006321906521d657f9511eb3bd5c778473adb0b7d66bd48233e082ebdd61f108ab8bdc7c87d4d2a756912a7a3692675

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3266acc6aaa299322810271b109ce4cd

SHA1
6bb68bdbe872d56d83f8f5450acb4e3fa8882250

SHA256
4edfd011592a48d47af19580ef223bf5c435281dfd8fe7e3c18df9cc3b597cc2

SHA512
a9e83bee92d84af1ffbe241d7b7dbdc87d7eeb5f21cd392c25e569c827748ae2ee52391f1484792796d5c3c58b94ad4ab7a0ba03d75f0f3047a97964e33b3836

Download Submit
C:\Users\Admin\AppData\Local\Temp\nugyq.exe

Filesize
516KB

MD5
34f7d22171b2447ceed2a427df1707ee

SHA1
a125482cc93415443de32e5affc35a39ab371fbe

SHA256
def6378bd57116306bebaf21a23d4d1b2541213366f959d0e276146d1bb82760

SHA512
f35a3e9904b095e15f9b3ba375ee5ab4ef7e6c49620500c1a0ae08ba4d0b983391cb40573029b4c5f002c33fd3a43d54787fefc2293ac2f930f40b51390c0f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\pezyo.exe

Filesize
179KB

MD5
b8989a82caa67dc4b80553809e757d66

SHA1
f67f4f29721ba6cf9cd70b1c794896de7cef3ad5

SHA256
ea94a3df2b5926e485dda294264b1ac43eb5a8c8b5b966a763d3b101b8e905f9

SHA512
a7fb5cee9b072ec24cf91c3693fc838449fa4cd7ac39ab818e8f2a14973e0d51322cec2a9dc7f518cb7eb27ba6c2c1a3032205f80c408f3ead6da9bd4f80d0b3

Download Submit
memory/2392-26-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2392-29-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2392-30-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2392-31-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2392-32-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2392-33-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2392-34-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4132-13-0x0000000000B00000-0x0000000000B86000-memory.dmp

Filesize
536KB

Download
memory/4132-0-0x0000000000B00000-0x0000000000B86000-memory.dmp

Filesize
536KB

Download
memory/4548-17-0x0000000000C60000-0x0000000000CE6000-memory.dmp

Filesize
536KB

Download
memory/4548-11-0x0000000000C60000-0x0000000000CE6000-memory.dmp

Filesize
536KB

Download
memory/4548-27-0x0000000000C60000-0x0000000000CE6000-memory.dmp

Filesize
536KB

Download