urelas | ce5e8a06c7a1e5aacdd3320e4173de3a285fb08528f546faafa04ec04eba0935

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_516598a9c83de539746a363897f299e2_amadey_rhadamanthys_smoke-loader.exe
Size

400KB
MD5

516598a9c83de539746a363897f299e2
SHA1

eb991959380a779f56d05e63a4cc6131ab955209
SHA256

ce5e8a06c7a1e5aacdd3320e4173de3a285fb08528f546faafa04ec04eba0935
SHA512

34ecad7df366199293b89ba078934417709f107534339b6805f54bb9c171158c8fe1c4e16607982fc30300865bb8efaefb4a087523b594df5f20b6622b41459b
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohr:8IfBoDWoyFblU6hAJQnOR

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	2025-04-02_516598a9c83de539746a363897f299e2_amadey_rhadamanthys_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	igdue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	uljoeq.exe

Executes dropped EXE 3 IoCs

pid	Process
3644	igdue.exe
6040	uljoeq.exe
5744	epkub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_516598a9c83de539746a363897f299e2_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igdue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uljoeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epkub.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe
5744	epkub.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3644	2244	2025-04-02_516598a9c83de539746a363897f299e2_amadey_rhadamanthys_smoke-loader.exe	85
PID 2244 wrote to memory of 3644	2244	2025-04-02_516598a9c83de539746a363897f299e2_amadey_rhadamanthys_smoke-loader.exe	85
PID 2244 wrote to memory of 3644	2244	2025-04-02_516598a9c83de539746a363897f299e2_amadey_rhadamanthys_smoke-loader.exe	85
PID 2244 wrote to memory of 3188	2244	2025-04-02_516598a9c83de539746a363897f299e2_amadey_rhadamanthys_smoke-loader.exe	86
PID 2244 wrote to memory of 3188	2244	2025-04-02_516598a9c83de539746a363897f299e2_amadey_rhadamanthys_smoke-loader.exe	86
PID 2244 wrote to memory of 3188	2244	2025-04-02_516598a9c83de539746a363897f299e2_amadey_rhadamanthys_smoke-loader.exe	86
PID 3644 wrote to memory of 6040	3644	igdue.exe	88
PID 3644 wrote to memory of 6040	3644	igdue.exe	88
PID 3644 wrote to memory of 6040	3644	igdue.exe	88
PID 6040 wrote to memory of 5744	6040	uljoeq.exe	110
PID 6040 wrote to memory of 5744	6040	uljoeq.exe	110
PID 6040 wrote to memory of 5744	6040	uljoeq.exe	110
PID 6040 wrote to memory of 220	6040	uljoeq.exe	111
PID 6040 wrote to memory of 220	6040	uljoeq.exe	111
PID 6040 wrote to memory of 220	6040	uljoeq.exe	111

C:\Users\Admin\AppData\Local\Temp\2025-04-02_516598a9c83de539746a363897f299e2_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_516598a9c83de539746a363897f299e2_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\igdue.exe
  "C:\Users\Admin\AppData\Local\Temp\igdue.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\uljoeq.exe
    "C:\Users\Admin\AppData\Local\Temp\uljoeq.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:6040
  - - C:\Users\Admin\AppData\Local\Temp\epkub.exe
      "C:\Users\Admin\AppData\Local\Temp\epkub.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
364B

MD5
aa08bf31281dbc1c1317e5a77feb5a26

SHA1
a34fabf741056cbd8b6154da088ee8f3e4b3dacf

SHA256
7492e10edc7fa6d8d4fa1332604bfc9553138d5ff416fefede5679aa8b3bb2a6

SHA512
34bb344c16595c6dc1296cce60c19a8a8e0c9d5de700cd0775a1fed2b34318a85df5fa07fb271f7fab56356aa6288873213106e7c89d360d63405b688eeee552

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
0300d1be2d3d8f9f4208f24b0d0292e8

SHA1
00e265f53537ac39e6e12d21e90cc24116e37fc1

SHA256
4f7f6c58b12821eee3ee94aff1fd78c2cb44a5fca8fe65681d41749d881c6382

SHA512
e05d9c659b9707ce2d9db3455a29048e04d92b8b080e52b5f14c175d4806409d345dc7b179a3b1fe2eacbc17165ed9dc7a593960351d6baa3e383c99d08017d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\epkub.exe

Filesize
223KB

MD5
a2216fe0eca1b9e005a03fbb8e5f61c0

SHA1
87a737a373646a9aef96cc1d318bc732923a263c

SHA256
5e3a0611dc6938d3437cb7396a0569488a8a99673009500cc59ec5838f8a683b

SHA512
891801093ababc393d524b9356f6b57ef63fa277521c27ec3e744262a929e2f672c129f3648f94869f474e5a8e75fcf71088e7aae27128055694668363ac51aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a574864b3479f710ba859bb8df8e2880

SHA1
c44edcc8aa629ffaa5ba6d38e037f626175a897b

SHA256
fe956e02821c772526fd4c8b91f702ba0160c3eb137e24dd9a949ba79ac95bcc

SHA512
f8fa5345f2702c4499f5460c706a531822a903a71a719ae1f1dc3d930640c3e2d46ca2784fc4567cb3c2c4340e1dfb72b255fee05efda452fb49ebd83b75c38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\igdue.exe

Filesize
400KB

MD5
0d52d5571b933c77d4eb16e8cab04f68

SHA1
418291e20df763aa88db002a0ed2d601205d9427

SHA256
25635805962c45d22fb895d43ef84b6d65fc11ad37b42d93b2d201dcf4d1081f

SHA512
98bf4537967ce02d640a9f1349fc0fd9190ce1faf186ad3773d578954a510307dac2ae2e37cf12299b6c18dea686b7c6ce4f51d6bbfb4f4936bec140dc6d95c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uljoeq.exe

Filesize
400KB

MD5
854524cf16bfce8f98d3401587b857d6

SHA1
1f7ad9f02c459b9b3483103a04d71414104b9fb4

SHA256
df92922e1d8be03964a42cffca1fa9d87bde48da98aa8aa0486fefe723f1e4da

SHA512
4a4b22bcf398fef15734b94e272d10fc2646bb54baddb61ce95cf8050c3177337a8ef1a56c1ae4199697979e91987e596bc47b18e6e806669383aeba4b304a01

Download Submit
memory/2244-15-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2244-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3644-24-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/5744-34-0x00000000004E0000-0x0000000000580000-memory.dmp

Filesize
640KB

Download
memory/5744-41-0x00000000004E0000-0x0000000000580000-memory.dmp

Filesize
640KB

Download
memory/5744-42-0x00000000004E0000-0x0000000000580000-memory.dmp

Filesize
640KB

Download
memory/5744-43-0x00000000004E0000-0x0000000000580000-memory.dmp

Filesize
640KB

Download
memory/5744-44-0x00000000004E0000-0x0000000000580000-memory.dmp

Filesize
640KB

Download
memory/5744-45-0x00000000004E0000-0x0000000000580000-memory.dmp

Filesize
640KB

Download
memory/6040-38-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/6040-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download