urelas | eaa2713c9b5488852840a8a93dcd9ab9679dc634e59efbbc4790b11df091afbf

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_a7c6ecf78214e7adce3b18f1f6aa2362_amadey_rhadamanthys_smoke-loader.exe
Size

400KB
MD5

a7c6ecf78214e7adce3b18f1f6aa2362
SHA1

da17e06ef1115083a6da487fb1009109f1d41e34
SHA256

eaa2713c9b5488852840a8a93dcd9ab9679dc634e59efbbc4790b11df091afbf
SHA512

96fc9218739120348f81ee6b7672844d8f2074cca3b1e0d16cc761edd8ebceb150b7790d0ce5dd4ce6d0b33c0a2aff2e5d6c1a3fdb0be85e152d8039edbb0077
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohz:8IfBoDWoyFblU6hAJQnON

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	2025-04-02_a7c6ecf78214e7adce3b18f1f6aa2362_amadey_rhadamanthys_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	bilyn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	wiziti.exe

Executes dropped EXE 3 IoCs

pid	Process
1888	bilyn.exe
1792	wiziti.exe
4328	jogya.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_a7c6ecf78214e7adce3b18f1f6aa2362_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bilyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiziti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jogya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe
4328	jogya.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 1888	684	2025-04-02_a7c6ecf78214e7adce3b18f1f6aa2362_amadey_rhadamanthys_smoke-loader.exe	88
PID 684 wrote to memory of 1888	684	2025-04-02_a7c6ecf78214e7adce3b18f1f6aa2362_amadey_rhadamanthys_smoke-loader.exe	88
PID 684 wrote to memory of 1888	684	2025-04-02_a7c6ecf78214e7adce3b18f1f6aa2362_amadey_rhadamanthys_smoke-loader.exe	88
PID 684 wrote to memory of 4544	684	2025-04-02_a7c6ecf78214e7adce3b18f1f6aa2362_amadey_rhadamanthys_smoke-loader.exe	89
PID 684 wrote to memory of 4544	684	2025-04-02_a7c6ecf78214e7adce3b18f1f6aa2362_amadey_rhadamanthys_smoke-loader.exe	89
PID 684 wrote to memory of 4544	684	2025-04-02_a7c6ecf78214e7adce3b18f1f6aa2362_amadey_rhadamanthys_smoke-loader.exe	89
PID 1888 wrote to memory of 1792	1888	bilyn.exe	91
PID 1888 wrote to memory of 1792	1888	bilyn.exe	91
PID 1888 wrote to memory of 1792	1888	bilyn.exe	91
PID 1792 wrote to memory of 4328	1792	wiziti.exe	111
PID 1792 wrote to memory of 4328	1792	wiziti.exe	111
PID 1792 wrote to memory of 4328	1792	wiziti.exe	111
PID 1792 wrote to memory of 3784	1792	wiziti.exe	112
PID 1792 wrote to memory of 3784	1792	wiziti.exe	112
PID 1792 wrote to memory of 3784	1792	wiziti.exe	112

C:\Users\Admin\AppData\Local\Temp\2025-04-02_a7c6ecf78214e7adce3b18f1f6aa2362_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_a7c6ecf78214e7adce3b18f1f6aa2362_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:684
- C:\Users\Admin\AppData\Local\Temp\bilyn.exe
  "C:\Users\Admin\AppData\Local\Temp\bilyn.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\wiziti.exe
    "C:\Users\Admin\AppData\Local\Temp\wiziti.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\jogya.exe
      "C:\Users\Admin\AppData\Local\Temp\jogya.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
364B

MD5
6268995c788928b120c7b562633db75c

SHA1
e2cf79a1369c3652c70dc9ef79538d236831ba9a

SHA256
4b1f01b57b561f4ec1d04dea775b34722f3f394c22c84657d04ec57b8ea1f4c5

SHA512
e4f3ca063899fca8148233f5e5a0e36034bbd7d2f5744ef6c6437168fb4f3c4361016ede7ebc2d997ba56639b9177431499055622fd3b9c4732604b90cf814b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
4bc88c8b2afa021c60edc8179f777c33

SHA1
d51e64d832c55ec9232ec31fe0d9f98e14bfd89e

SHA256
94c684b962d5cdcb354aeb83f73b77a5306d275f95c9f7c5934d9f4d12a50c65

SHA512
3a840073a6415aa3eda110671d14aa728a305615bcbc3c80e33146d35c421760d0377f2e98ceb7892f7cda8c58768b068d50c424f98c2f5b10627f068c004e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bilyn.exe

Filesize
400KB

MD5
b8478026facdc7bbbbf14258e358b0c1

SHA1
d50ebe7526dfd06575e2a972438733c7411a6269

SHA256
ff961c4fd73e26d80f005c6b21a96d1ce4c4506ceb28eeabea26f45f203fbd8b

SHA512
1c074a720b26d1c2212edf9734d7fe353937ff5bf0025e68a12334f77fa6502dabd41598bb76c42aae13d97c8e13429692dfa3caf6cf57128d4288b68c3aef3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
81d9ba3edc1c64c73dfb69202b8d3056

SHA1
2cb77d685958d061c099513c747e307e97083d8f

SHA256
2bb0355826577638d6e724ad3e1719d404aa780d82d291988a929104d8bb1ad0

SHA512
cc041b2c7bca432ad5dfe72f2e32668c8b2dd3952eddb8e5db566bed93123ae493edfe8b5f83cd5fe644eec0a53a50134c2b203cc4e9cad8def77979ad591a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jogya.exe

Filesize
223KB

MD5
7884f3bab1682abd0081ecee9af21621

SHA1
426a4f2637f96346baf2f390255a4e3c11132482

SHA256
b0925656b56fd9bc46e300e5e34d2972d6f64f4c2ec736bd22208b27f39ba160

SHA512
3827b9da79630ae1367833ac743b4f2c853cd6fafc81ea657801e7895da3526cb032acc9a6a3aa9428c1adee0e69b1f84107c371d1f9a78c5dfcb432d57b732a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiziti.exe

Filesize
400KB

MD5
81c756d97f62379727ff8935d10d0a59

SHA1
ecf6a8d7a337e5fbae1f645d17eab79077a9c740

SHA256
3a05a8d0f9afb2482044eee7eebf8edb5aea33e6959e0fd6ad836811aa5b1e1b

SHA512
d7609a93c6ad073b1f7076dd7e64abd947db1d4907199ddcfe28e1a644d952cfa186cffa239a263fbb47e05c9c7cbebaa78a8d1df8bc631ff43ead9878a4e869

Download Submit
memory/684-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/684-15-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1792-40-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1792-24-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1792-27-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1888-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1888-11-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4328-38-0x0000000000DC0000-0x0000000000E60000-memory.dmp

Filesize
640KB

Download
memory/4328-43-0x0000000000DC0000-0x0000000000E60000-memory.dmp

Filesize
640KB

Download
memory/4328-44-0x0000000000DC0000-0x0000000000E60000-memory.dmp

Filesize
640KB

Download
memory/4328-45-0x0000000000DC0000-0x0000000000E60000-memory.dmp

Filesize
640KB

Download
memory/4328-46-0x0000000000DC0000-0x0000000000E60000-memory.dmp

Filesize
640KB

Download
memory/4328-47-0x0000000000DC0000-0x0000000000E60000-memory.dmp

Filesize
640KB

Download