urelas | 5ac7650d06fd290169289894fa62f4abe42af28dacbbb1cffc7186a6d8ebf3ff

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_f720a47c5b7b68b82359c3c25e297ff1_amadey_smoke-loader.exe
Size

581KB
MD5

f720a47c5b7b68b82359c3c25e297ff1
SHA1

06773ed55aa5d5c3519ffb809ceab5c337992d75
SHA256

5ac7650d06fd290169289894fa62f4abe42af28dacbbb1cffc7186a6d8ebf3ff
SHA512

cb7ca7074b9c57d03dae6c2aa08ffe45ebc11459346a6044929dd027454eb502af42e44ad48e48edac057d3ad6d4265241c6089935808c67347406b7ebaa863f
SSDEEP

6144:JajY1oC+/U8Vjlx4kk9HKda4L38c8hpdoSQbQFsrF1W/h84IrV7mMpH8zQW4jQwo:fOlx4kk9HKda4YJoSiQi4kVdcQzjkB

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	2025-04-02_f720a47c5b7b68b82359c3c25e297ff1_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ikfym.exe

Executes dropped EXE 2 IoCs

pid	Process
4404	ikfym.exe
1568	ecxol.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4204-0-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/files/0x000600000001e454-6.dat	upx
behavioral1/memory/4404-12-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/memory/4204-14-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/memory/4404-17-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/memory/4404-27-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_f720a47c5b7b68b82359c3c25e297ff1_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ikfym.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe
1568	ecxol.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1568	ecxol.exe
Token: SeIncBasePriorityPrivilege	1568	ecxol.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4404	4204	2025-04-02_f720a47c5b7b68b82359c3c25e297ff1_amadey_smoke-loader.exe	90
PID 4204 wrote to memory of 4404	4204	2025-04-02_f720a47c5b7b68b82359c3c25e297ff1_amadey_smoke-loader.exe	90
PID 4204 wrote to memory of 4404	4204	2025-04-02_f720a47c5b7b68b82359c3c25e297ff1_amadey_smoke-loader.exe	90
PID 4204 wrote to memory of 3540	4204	2025-04-02_f720a47c5b7b68b82359c3c25e297ff1_amadey_smoke-loader.exe	91
PID 4204 wrote to memory of 3540	4204	2025-04-02_f720a47c5b7b68b82359c3c25e297ff1_amadey_smoke-loader.exe	91
PID 4204 wrote to memory of 3540	4204	2025-04-02_f720a47c5b7b68b82359c3c25e297ff1_amadey_smoke-loader.exe	91
PID 4404 wrote to memory of 1568	4404	ikfym.exe	109
PID 4404 wrote to memory of 1568	4404	ikfym.exe	109
PID 4404 wrote to memory of 1568	4404	ikfym.exe	109

C:\Users\Admin\AppData\Local\Temp\2025-04-02_f720a47c5b7b68b82359c3c25e297ff1_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_f720a47c5b7b68b82359c3c25e297ff1_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\ikfym.exe
  "C:\Users\Admin\AppData\Local\Temp\ikfym.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\ecxol.exe
    "C:\Users\Admin\AppData\Local\Temp\ecxol.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
3315b403b1b1a0bc0a4eed155f278a20

SHA1
7445762cc8ce369d62aab132b39f1f40d8063c4b

SHA256
f0aab3341caea89d34ecb8308228532cb5a729fcb1fccc020d46f8eca2a65776

SHA512
7246ca8a08202afd532426418117fa16f5c94dba53fce2223d1eae43e8d9d559b33e552cbb496dcd4cb191bfbbd81ecf5a3f9060a1fdcd296c6cf9451946b1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecxol.exe

Filesize
201KB

MD5
5641111b80e52343da63b26a210a946b

SHA1
b4f3816291708052b0c4c0dff78208bfc6b20e06

SHA256
2958d5d5841e864246a3b005549ccf72aa2094144fc4d29a8e2cf2f178e6ddeb

SHA512
484f1f77ac6d3047f892ee2a9e134013c0718d59ac2ffadc1f2983b2d0f58f0fa5f19a976fb8b7477165d709bbcc4b7f47717212c014f2c6fd8b2f96493a9691

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8cbd9057411ab56d850d7bf3ef533ff0

SHA1
cf4a718a3760334637e1e73ae261ce272ab00988

SHA256
bb209da410261b74ee533fa91123b2723b87879cc15f2ac42702727e1ebfdb12

SHA512
73a053612e28f3215ef9680e0548d34e5375979d94250bcf84f4f1f518f37196ec21efa5fda27ca603428133e41b5283a56c2ff4edcc340ad827f412ddff56bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikfym.exe

Filesize
581KB

MD5
f64a3daa5fe5c148c1af81a89e07dd9a

SHA1
c0f6f6b379d7f283d43cd20e1a2a008350c5427b

SHA256
ead6e30e219ed34e31b0ce3df3964901066d9f47132abd4a6b4c89ad8dc71925

SHA512
f1881730d42a3d120b4fe2c7eac98f2ed0fb7f102320c0a7a4175e4c45ed5506f975def8733d50eaef8758bb099ea8a4865e0b1065f3832b7cf553278cf64040

Download Submit
memory/1568-25-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1568-28-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1568-30-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1568-31-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1568-32-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1568-33-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1568-34-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4204-14-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/4204-0-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/4404-17-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/4404-12-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/4404-27-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download