urelas | 3044e0deeb3ff89daaad87edce4001b8e0e8ee109cb7705ff72f7aa9689531ec

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe
Size

480KB
MD5

3eb3656602d5d81d942815125c8144b6
SHA1

8cee9e4db8c9bae715ba86e1c03bded7802d91aa
SHA256

3044e0deeb3ff89daaad87edce4001b8e0e8ee109cb7705ff72f7aa9689531ec
SHA512

02e3ea2e489f79c357bd02172e3f9a8db3c865a4e633c92a1b14e6a9884e5e3094bc594ef53bb855c1e801e922a796d3db50e1c64fb998b4b1ff1ceeaaf54b49
SSDEEP

6144:wqXAoQT5Tr9R0HN/3w36EnCYLTcz6MY5NYnE/QhyjxJBErrZAWkPW5oeNtLjpVOd:TQRI/3w36EnCYcFE/iydJai/WZtW

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	qycie.exe

Executes dropped EXE 2 IoCs

pid	Process
4872	qycie.exe
2828	wiiso.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e0000000241c1-20.dat	upx
behavioral1/memory/2828-24-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2828-27-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2828-26-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2828-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2828-29-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2828-30-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2828-31-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qycie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiiso.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe
2828	wiiso.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 4872	1412	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe	91
PID 1412 wrote to memory of 4872	1412	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe	91
PID 1412 wrote to memory of 4872	1412	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe	91
PID 1412 wrote to memory of 4912	1412	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe	92
PID 1412 wrote to memory of 4912	1412	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe	92
PID 1412 wrote to memory of 4912	1412	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe	92
PID 4872 wrote to memory of 2828	4872	qycie.exe	108
PID 4872 wrote to memory of 2828	4872	qycie.exe	108
PID 4872 wrote to memory of 2828	4872	qycie.exe	108

C:\Users\Admin\AppData\Local\Temp\2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\qycie.exe
  "C:\Users\Admin\AppData\Local\Temp\qycie.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\wiiso.exe
    "C:\Users\Admin\AppData\Local\Temp\wiiso.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
81b553aedb5a852004c9a52229a5bded

SHA1
ad43ecf92ec9f62b36b2cd779ff0aa50e010f23f

SHA256
5b3cc7a6a44a4e7d41d26b8f065db82113bcef65457195876c32d4cd3f23bc93

SHA512
afdce9486bad4ed64e056f6e9d80e20718e43ffa9a326434833d74dbd67735d313477c3f2434cf34c05783a61fa38e5f8fe0030ceb60207374ba75aca0a956ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3f59d4618a91cbfc10aaa2b7b3bd791f

SHA1
6a5700d51b46bd85d82d2e3bcc4d54bf19c57f2d

SHA256
114612e6e2a079461ef203c66c38014769b1458798df45a77d7fcb83334c19e2

SHA512
746235f956bd0c3add035d8e07b22c8042f5d960ee8ae53be6ac6302fa8c29d09b5a9c7f1ec2ea4f5d4ef85b8ab60ba07143c35e2684d4733b0285b8f473c65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qycie.exe

Filesize
480KB

MD5
778cc6ac1d073419763153e2e65924c4

SHA1
ed1fc5d62d9afa45ca299ccacbf7ece9599b937b

SHA256
8e403828373e50f9391876664debe2f3b72cba11e8183ff47dd0b120bd21f2a3

SHA512
2ea5a0abedefd4659276260211e15108c1c2706c53802079e78f4b96dd34230e1f05f06765381b622c213aeeac78a06b62b6b37794fbcec326c9e4c7f7b2e498

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiiso.exe

Filesize
209KB

MD5
1de8caf5565c0f2801c075570eab9acd

SHA1
7801b127dfb92e6a33cf5d9bdc4b992dcad714a1

SHA256
c5cfa000c49f6c02713707d9083f5be8ca9cd8964f521e3bae959b5f09e0b0c3

SHA512
ccf6a48d32513b8d510f1d8073f2c4859661f8c72fabf5f6feca74edc91860a52cef4a1782ebfd05f43065f9e4337b2b52a62758a9cb7e44bb219dd8b1c46275

Download Submit
memory/1412-0-0x0000000000CC0000-0x0000000000D3F000-memory.dmp

Filesize
508KB

Download
memory/2828-24-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2828-27-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2828-26-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2828-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2828-29-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2828-30-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2828-31-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4872-11-0x0000000000D10000-0x0000000000D8F000-memory.dmp

Filesize
508KB

Download