Overview

overview

10

Static

static

10

2025-04-02...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/04/2025, 15:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-02_516598a9c83de539746a363897f299e2_amadey_rhadamanthys_smoke-loader.exe

  • Size

    400KB

  • MD5

    516598a9c83de539746a363897f299e2

  • SHA1

    eb991959380a779f56d05e63a4cc6131ab955209

  • SHA256

    ce5e8a06c7a1e5aacdd3320e4173de3a285fb08528f546faafa04ec04eba0935

  • SHA512

    34ecad7df366199293b89ba078934417709f107534339b6805f54bb9c171158c8fe1c4e16607982fc30300865bb8efaefb4a087523b594df5f20b6622b41459b

  • SSDEEP

    6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohr:8IfBoDWoyFblU6hAJQnOR

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-02_516598a9c83de539746a363897f299e2_amadey_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-02_516598a9c83de539746a363897f299e2_amadey_rhadamanthys_smoke-loader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:6092
    • C:\Users\Admin\AppData\Local\Temp\ybyxi.exe
      "C:\Users\Admin\AppData\Local\Temp\ybyxi.exe" hi
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Users\Admin\AppData\Local\Temp\huvuca.exe
        "C:\Users\Admin\AppData\Local\Temp\huvuca.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5536
        • C:\Users\Admin\AppData\Local\Temp\egehi.exe
          "C:\Users\Admin\AppData\Local\Temp\egehi.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:976
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3636
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:6128

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    364B

    MD5

    aa08bf31281dbc1c1317e5a77feb5a26

    SHA1

    a34fabf741056cbd8b6154da088ee8f3e4b3dacf

    SHA256

    7492e10edc7fa6d8d4fa1332604bfc9553138d5ff416fefede5679aa8b3bb2a6

    SHA512

    34bb344c16595c6dc1296cce60c19a8a8e0c9d5de700cd0775a1fed2b34318a85df5fa07fb271f7fab56356aa6288873213106e7c89d360d63405b688eeee552

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    224B

    MD5

    dbc94ba587d3e5458ffce664bf5e5cf4

    SHA1

    8e43fc99bca0323ea22cc0f8e3da36bb770c2136

    SHA256

    4d639268221a7475831adccd02c16b812f9211dc2361823bffeb352e4b0e4cd3

    SHA512

    08356dbd93033c07e900fd78b81dd2f574dc136034adcfc3e7ce5e91543c2b95aa6410cda28789a5f623cf87f882ca3aed77377b05ed37d6b2ab852d94b393b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\egehi.exe
    Filesize

    223KB

    MD5

    38df936703cbc1342143e52868ebbfd0

    SHA1

    14bcda84572428f79fe7040175a369ae78e39b82

    SHA256

    ab9ddf5d62e62ed6134d0e9714dd8007a628e7c2f53723b518543e3c05f73b50

    SHA512

    a079d26fdb147422350afad9a1a60777b19d806b3bd43fa910fb2b9e79d0ec02badb1b9ba08083c761033c035dc4814427de2c10acab753da7f720dcc7f9eb2e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    37c430d574fab72fc73870853d1bbfa1

    SHA1

    723c89d3e90d0db002fa0eed79660f30ecf3522b

    SHA256

    b7c4c7848ec78aa9f60ebeb90b617daba10f8bfb41e9c41d36f4b5f1ab428f58

    SHA512

    e37f34f2505b81d843b96fb7ce09a0d7dde74012ef692ea5525793fe3724d3fc46d2778eb4cf15162b9c5f5ee7fd06dfe0ed103b1e5d7c41fa574a325e770bac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\huvuca.exe
    Filesize

    400KB

    MD5

    6382e795e2721d5e68e104911ad8a1b4

    SHA1

    97d5d6c5f8680a1b2d17b85fa817608608bb9be3

    SHA256

    562d4ca745dc99335e632491386945daf921326f45bf6b7b582c39cd4a1d7fbd

    SHA512

    f0a5fc31e5cb9200a436390bded85799d9f03a7de584e5f98cd39c167aa32d442203459abc3767d5824a861ac8ec5f3e57ef5e05e31f48b2bd96f329ca4b2f81

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ybyxi.exe
    Filesize

    400KB

    MD5

    7780fabf2fb93550962db99847224858

    SHA1

    29b730e9d2d44d2377c62c3188ab30698751243d

    SHA256

    53e386ad098c679f40cc46488a85277663554b0ff2a4fcbb07ab04dd0928ae35

    SHA512

    9f11adf9a09c703788426f894d03495f078b7b95d36acfa5ba6d82879ce003d5cc9fc29d8d484cb45b59f60cfeba9803287ac1e8fb8e360f487f343c897a25f1

    Download Submit

  • memory/976-47-0x0000000000950000-0x00000000009F0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/976-43-0x0000000000950000-0x00000000009F0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/976-46-0x0000000000950000-0x00000000009F0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/976-45-0x0000000000950000-0x00000000009F0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/976-37-0x0000000000950000-0x00000000009F0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/976-44-0x0000000000950000-0x00000000009F0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4300-26-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/4300-11-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/5536-41-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/5536-27-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/5536-24-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/6092-0-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download

  • memory/6092-16-0x0000000000400000-0x00000000004679C5-memory.dmp

    Filesize

    414KB

    Download