urelas | 5545361e116b880f0566820348884d476d1a49b7f3252f1ea3809cdf1507ac43

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe
Size

400KB
MD5

2e9a9f1c407015f74526495af68dc7af
SHA1

482532090dbf3f7d3afe1c629f15819788ac650b
SHA256

5545361e116b880f0566820348884d476d1a49b7f3252f1ea3809cdf1507ac43
SHA512

a4e96f7c3033f703b23a6a5dd5f57f04a4222d5b6d1ed964a0c0b456b15c3ad44d3466d62fa472c89d44518cff4222ffd74189f924dbc89e56d2fddc14a5a8c0
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohq:8IfBoDWoyFblU6hAJQnOA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	puibe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	muvaze.exe

Executes dropped EXE 3 IoCs

pid	Process
4408	puibe.exe
5332	muvaze.exe
3532	dytuz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muvaze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dytuz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe
3532	dytuz.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 4408	2028	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe	88
PID 2028 wrote to memory of 4408	2028	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe	88
PID 2028 wrote to memory of 4408	2028	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe	88
PID 2028 wrote to memory of 264	2028	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe	90
PID 2028 wrote to memory of 264	2028	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe	90
PID 2028 wrote to memory of 264	2028	2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe	90
PID 4408 wrote to memory of 5332	4408	puibe.exe	92
PID 4408 wrote to memory of 5332	4408	puibe.exe	92
PID 4408 wrote to memory of 5332	4408	puibe.exe	92
PID 5332 wrote to memory of 3532	5332	muvaze.exe	111
PID 5332 wrote to memory of 3532	5332	muvaze.exe	111
PID 5332 wrote to memory of 3532	5332	muvaze.exe	111
PID 5332 wrote to memory of 6128	5332	muvaze.exe	112
PID 5332 wrote to memory of 6128	5332	muvaze.exe	112
PID 5332 wrote to memory of 6128	5332	muvaze.exe	112

C:\Users\Admin\AppData\Local\Temp\2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_2e9a9f1c407015f74526495af68dc7af_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\puibe.exe
  "C:\Users\Admin\AppData\Local\Temp\puibe.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\muvaze.exe
    "C:\Users\Admin\AppData\Local\Temp\muvaze.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5332
  - - C:\Users\Admin\AppData\Local\Temp\dytuz.exe
      "C:\Users\Admin\AppData\Local\Temp\dytuz.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:6128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
364B

MD5
d9cdf5874b2adbe8ed02f9d39788f543

SHA1
729aa6282f85f5e0dfcde0438715f29f20c29bc2

SHA256
9c1a50266469a81283e2f378d51f944c437147746a375863c3dc1619d79a2c53

SHA512
bd3ec95ae9e3e9d6acd763b45757a5a759345b09da71c5e6537b1c7f7558baacd368f98514017a71da2249d0425cef7e53058798a54052c0abc730668f0e8bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
0179858952117d4736aee58900edcbc5

SHA1
218e30df62d5df32671b0c66ea32db6b20a4ac17

SHA256
37b8cefca6cd8adf8e412c76624293d75a637f7491aaab15299fe7f9fef05379

SHA512
785a2379a013b625b5dddaa0b59ac291f0f331b6ffca784828406e646758b88c96839428226bcae0e8be28d89240ca69a70ab2d87190f31876e1434b6caac58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dytuz.exe

Filesize
223KB

MD5
21864d4fd4fefbf3a2b6c662c0b21cb9

SHA1
6936a9ad8bcaeefd35a32c937be3b55ebddac4a2

SHA256
1ad7948e92a168be1d359adc7cb3d0997e133978358f554de83afec93aa8f76c

SHA512
d204a197adc5ec65dbb5fd2a5e02c91bb465ba29c9c5f035b4d2ee367b0fc46cb5673fddfd26d704206c8184041a9a25002838a1c44b5b9173fff2e33699be2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
967aa8c7733120288dde6dfe47569567

SHA1
e6f8c51be4f60bc833e5575f66559107c77f6fec

SHA256
d53ef2b611c467c9f3707d0d3e150b753078cdcbda71730dc10922ed737606c6

SHA512
d892dbc61e6aebab9f709902d393263be989e942656c808a22b463f45f93441215964d0ee3a711bf4cc8ebb8d31c1c14a030100b4f5d3cc951126d0e73fb4b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\muvaze.exe

Filesize
400KB

MD5
e55b5cd91fbd48bfae11f2bc0be82aa3

SHA1
b1b98583d0e68e75e95e7d9e9e3d470bf5837f0e

SHA256
492aed48d78d88ddc2360e1ded297afb04249f95e93054984e59ba5dc998422a

SHA512
7ea150d3bddeade732e1365d15c9416ba68139f17ca53f868351c61cfc8a64fa66d55d5a15697d3d6a872ac4a0bc57244b30a2a586db775c177691b688a82f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\puibe.exe

Filesize
400KB

MD5
2ce2ba9bc3a606d825ea98299509d79c

SHA1
4f0b82f8392d40d791edb877181fb0f93af0ee8b

SHA256
1547bfe312dbf48bde693eda96d7c8369cd79a6e6f38ac17d3b93d82702606c7

SHA512
7401132b2cd16ce2230afe5f02eb55ec4890e959c69dcadda0548968671d8920862e60393c411af7bcba84a535d1375faff2c038ac83271f87868c712869ff88

Download Submit
memory/2028-15-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2028-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3532-43-0x00000000001C0000-0x0000000000260000-memory.dmp

Filesize
640KB

Download
memory/3532-38-0x00000000001C0000-0x0000000000260000-memory.dmp

Filesize
640KB

Download
memory/3532-42-0x00000000001C0000-0x0000000000260000-memory.dmp

Filesize
640KB

Download
memory/3532-44-0x00000000001C0000-0x0000000000260000-memory.dmp

Filesize
640KB

Download
memory/3532-45-0x00000000001C0000-0x0000000000260000-memory.dmp

Filesize
640KB

Download
memory/3532-46-0x00000000001C0000-0x0000000000260000-memory.dmp

Filesize
640KB

Download
memory/4408-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/5332-26-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/5332-24-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/5332-39-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download