urelas | 5545361e116b880f0566820348884d476d1a49b7f3252f1ea3809cdf1507ac43

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe
Size

400KB
MD5

2e9a9f1c407015f74526495af68dc7af
SHA1

482532090dbf3f7d3afe1c629f15819788ac650b
SHA256

5545361e116b880f0566820348884d476d1a49b7f3252f1ea3809cdf1507ac43
SHA512

a4e96f7c3033f703b23a6a5dd5f57f04a4222d5b6d1ed964a0c0b456b15c3ad44d3466d62fa472c89d44518cff4222ffd74189f924dbc89e56d2fddc14a5a8c0
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohq:8IfBoDWoyFblU6hAJQnOA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	myopj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	letymu.exe

Executes dropped EXE 3 IoCs

pid	Process
2692	myopj.exe
396	letymu.exe
2456	sigya.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	myopj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letymu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sigya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe
2456	sigya.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 2692	5084	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe	86
PID 5084 wrote to memory of 2692	5084	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe	86
PID 5084 wrote to memory of 2692	5084	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe	86
PID 5084 wrote to memory of 5792	5084	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe	87
PID 5084 wrote to memory of 5792	5084	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe	87
PID 5084 wrote to memory of 5792	5084	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe	87
PID 2692 wrote to memory of 396	2692	myopj.exe	89
PID 2692 wrote to memory of 396	2692	myopj.exe	89
PID 2692 wrote to memory of 396	2692	myopj.exe	89
PID 396 wrote to memory of 2456	396	letymu.exe	109
PID 396 wrote to memory of 2456	396	letymu.exe	109
PID 396 wrote to memory of 2456	396	letymu.exe	109
PID 396 wrote to memory of 4392	396	letymu.exe	110
PID 396 wrote to memory of 4392	396	letymu.exe	110
PID 396 wrote to memory of 4392	396	letymu.exe	110

C:\Users\Admin\AppData\Local\Temp\2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Local\Temp\myopj.exe
  "C:\Users\Admin\AppData\Local\Temp\myopj.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\letymu.exe
    "C:\Users\Admin\AppData\Local\Temp\letymu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Users\Admin\AppData\Local\Temp\sigya.exe
      "C:\Users\Admin\AppData\Local\Temp\sigya.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
364B

MD5
d9cdf5874b2adbe8ed02f9d39788f543

SHA1
729aa6282f85f5e0dfcde0438715f29f20c29bc2

SHA256
9c1a50266469a81283e2f378d51f944c437147746a375863c3dc1619d79a2c53

SHA512
bd3ec95ae9e3e9d6acd763b45757a5a759345b09da71c5e6537b1c7f7558baacd368f98514017a71da2249d0425cef7e53058798a54052c0abc730668f0e8bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
047778fc398712695f8219e37d7876c6

SHA1
200f7ad75897cc0a2a0d1789c9a6bfbcc4e9501d

SHA256
57400931f51409f063c90593fd3cbb25417a9df523adc2447c29f48f4dd5475c

SHA512
7e4f18f8ef57619f45f60502f7c3d372543567ea1a2ace752d1e9398cbf6de43d940bd2ce57ad594305f3cb43498a1bc1b25dfd8c6f1abc03511ec30c8c0d1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7f75804824ab3ca1432821a81298c3a9

SHA1
10a77a1ba6e9c89d46421fc7ef92faf6ae128085

SHA256
e26ca9b5083b3c330a037efbdbcc9e5d17a6f28f80e5373aa5b9f17ecc5f8e16

SHA512
dce353da6d62137eb9cbe9ea0c405d056bb3d5acb471dd37a7042083c3068bfd76862071fdbcc83e2671bf1f292dfb083809773646ae3e827a22ca33094cb160

Download Submit
C:\Users\Admin\AppData\Local\Temp\letymu.exe

Filesize
400KB

MD5
56d8ccd839a803bf2719be4b53f9494f

SHA1
4ffde0a50fdce7028f1fcc23d36d6d82cf76c65a

SHA256
7d41ab3d383b2d13cf9d0214e832c03bb98da57c5b4bcbcb174be6b682d1b9fc

SHA512
88402d7a45c09c52ade2d7ca5c67f5ae0d4d822c60a94c61b08620256e3ac2045030ef119a9a30d5657c6865ae91677275bdb3be2b03dcea529b6d8a4fdb0d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\myopj.exe

Filesize
400KB

MD5
f2b3626bf3aec3b2ea64965a763e8e4b

SHA1
66762e844a5c81539ac845561ead13d5662f0c46

SHA256
53e7ac417a1be5413700b35a1272da675380a3a1cb331a88c4c3bb009b515b36

SHA512
7351780584727ecec61d25e3c9a9f11d3ddeb361ef3c1fac5fd3aa24c3247ec2faef8cabf02cc1cda8ddd20ba267bf9b7b8e2abc011aadb7777897a91eb3e09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sigya.exe

Filesize
223KB

MD5
9e050fdf08322b7779c473495b343a24

SHA1
c2d92e92aa6482c05c06381ce879a49609cfc83f

SHA256
d85db60704a1b2e34e4e8daec4b3cdc80251a24a45bfd18954258cae4d81eaae

SHA512
540f29d483680d003f3460e728461f8fa9cb99b53d6dd12c4a591cfee91fcf758b148fca77a1aba0830e6e164f89344129ff6d7cb0236b4a0d20005640c47728

Download Submit
memory/396-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/396-38-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2456-36-0x00000000002E0000-0x0000000000380000-memory.dmp

Filesize
640KB

Download
memory/2456-41-0x00000000002E0000-0x0000000000380000-memory.dmp

Filesize
640KB

Download
memory/2456-42-0x00000000002E0000-0x0000000000380000-memory.dmp

Filesize
640KB

Download
memory/2456-43-0x00000000002E0000-0x0000000000380000-memory.dmp

Filesize
640KB

Download
memory/2456-44-0x00000000002E0000-0x0000000000380000-memory.dmp

Filesize
640KB

Download
memory/2456-45-0x00000000002E0000-0x0000000000380000-memory.dmp

Filesize
640KB

Download
memory/2692-24-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/5084-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/5084-14-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download