urelas | 3044e0deeb3ff89daaad87edce4001b8e0e8ee109cb7705ff72f7aa9689531ec

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe
Size

480KB
MD5

3eb3656602d5d81d942815125c8144b6
SHA1

8cee9e4db8c9bae715ba86e1c03bded7802d91aa
SHA256

3044e0deeb3ff89daaad87edce4001b8e0e8ee109cb7705ff72f7aa9689531ec
SHA512

02e3ea2e489f79c357bd02172e3f9a8db3c865a4e633c92a1b14e6a9884e5e3094bc594ef53bb855c1e801e922a796d3db50e1c64fb998b4b1ff1ceeaaf54b49
SSDEEP

6144:wqXAoQT5Tr9R0HN/3w36EnCYLTcz6MY5NYnE/QhyjxJBErrZAWkPW5oeNtLjpVOd:TQRI/3w36EnCYcFE/iydJai/WZtW

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	zyary.exe

Executes dropped EXE 2 IoCs

pid	Process
2844	zyary.exe
4376	cafue.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e000000024071-20.dat	upx
behavioral1/memory/4376-24-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/4376-26-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/4376-27-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/4376-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/4376-29-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/4376-30-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/4376-31-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zyary.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cafue.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe
4376	cafue.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2844	1284	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe	92
PID 1284 wrote to memory of 2844	1284	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe	92
PID 1284 wrote to memory of 2844	1284	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe	92
PID 1284 wrote to memory of 3196	1284	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe	93
PID 1284 wrote to memory of 3196	1284	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe	93
PID 1284 wrote to memory of 3196	1284	2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe	93
PID 2844 wrote to memory of 4376	2844	zyary.exe	111
PID 2844 wrote to memory of 4376	2844	zyary.exe	111
PID 2844 wrote to memory of 4376	2844	zyary.exe	111

C:\Users\Admin\AppData\Local\Temp\2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_3eb3656602d5d81d942815125c8144b6_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\zyary.exe
  "C:\Users\Admin\AppData\Local\Temp\zyary.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\cafue.exe
    "C:\Users\Admin\AppData\Local\Temp\cafue.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
81b553aedb5a852004c9a52229a5bded

SHA1
ad43ecf92ec9f62b36b2cd779ff0aa50e010f23f

SHA256
5b3cc7a6a44a4e7d41d26b8f065db82113bcef65457195876c32d4cd3f23bc93

SHA512
afdce9486bad4ed64e056f6e9d80e20718e43ffa9a326434833d74dbd67735d313477c3f2434cf34c05783a61fa38e5f8fe0030ceb60207374ba75aca0a956ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cafue.exe

Filesize
209KB

MD5
609d0d66702de15e39a719751aed1215

SHA1
92b484c42f402ef1b6e62d9df28bcae6f66cf514

SHA256
130438564dcd50d6bb447ddc2089df7f8c92426576aa22080f54c405ffacce40

SHA512
c3f14a258123ec840ea316e2c150021ee67172aadc41f967a91627487418d674fc0ac37f45666d2a0eef824023760da4bacc154041782b2ba37f794ff7dd5bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1b70e2c4774ab3e0446b12fb0962b941

SHA1
45271ceb6f848550f008891246451f60da559e12

SHA256
f86cf7a334022b7e3277de4327a672bdb2762d6bd8094b41aeefeb98d813ce14

SHA512
d13161c98687b51da4de038d633d523f9813d659a45ca70a86e80b342cd50b97072c748c86a58884dba02b027cc5b3d524535a41fc12c2e43203d157d44b609e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyary.exe

Filesize
480KB

MD5
45ce412aa606e4029f7465fbcd44af3d

SHA1
ad6835c9ec3f83eadc8daa8d133ce731b8eda1dd

SHA256
4963d34e9450b3494992d51b2afbaa2c600b35468f945c4877fdc2ce5ea55213

SHA512
fd23c204d824124691b048beb70736d11ba4a03d8d9bfcafd7ca68de6c0b8df70f6fc3e76ed04b3f6865c4d65fd2d5a716d45dc92e7857ab2c3be09175eb6e56

Download Submit
memory/1284-0-0x0000000000540000-0x00000000005BF000-memory.dmp

Filesize
508KB

Download
memory/2844-12-0x0000000000150000-0x00000000001CF000-memory.dmp

Filesize
508KB

Download
memory/4376-24-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4376-26-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4376-27-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4376-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4376-29-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4376-30-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4376-31-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download