urelas | b5fd98b65aa8b427bbc3ad34d95b0598218102793a3e645a59e40f121c5d2e3b

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe
Size

480KB
MD5

bf731b4a8a954e8a42ba9fec29607bdc
SHA1

9c5e606d8cd82cfa8682df33abe744fd6155d777
SHA256

b5fd98b65aa8b427bbc3ad34d95b0598218102793a3e645a59e40f121c5d2e3b
SHA512

17df5a6c1a27b3c79ed4f572f1b1a0d7bf3937f4a8d3acb50b1962d0fed7866f3e099a5d96ebd07d6045cf0c8ab9a9f250c2683ecc3c4d8473de88b87dcafe25
SSDEEP

6144:wqXAoQT5Tr9R0HN/3w36EnCYLTcz6MY5NYnE/QhyjxJBErrZAWkPW5oeNtLjpVO9:TQRI/3w36EnCYcFE/iydJai/WZti

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	xyajb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe

Executes dropped EXE 2 IoCs

pid	Process
1052	xyajb.exe
3208	obome.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e000000023f74-20.dat	upx
behavioral1/memory/3208-24-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3208-25-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3208-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3208-30-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3208-32-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3208-33-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3208-34-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3208-35-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3208-36-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3208-37-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3208-38-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xyajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe
3208	obome.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1052	5072	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe	93
PID 5072 wrote to memory of 1052	5072	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe	93
PID 5072 wrote to memory of 1052	5072	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe	93
PID 5072 wrote to memory of 3576	5072	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe	94
PID 5072 wrote to memory of 3576	5072	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe	94
PID 5072 wrote to memory of 3576	5072	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe	94
PID 1052 wrote to memory of 3208	1052	xyajb.exe	114
PID 1052 wrote to memory of 3208	1052	xyajb.exe	114
PID 1052 wrote to memory of 3208	1052	xyajb.exe	114

C:\Users\Admin\AppData\Local\Temp\2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\xyajb.exe
  "C:\Users\Admin\AppData\Local\Temp\xyajb.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\obome.exe
    "C:\Users\Admin\AppData\Local\Temp\obome.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
cf453d58e8b9d182d060231c60c81fcd

SHA1
27ea83188a19f7341a7dccad169792071d2475bd

SHA256
2bd53a2781dc7c291258afcb6fa6130b4120fddb4233816155796958d243f240

SHA512
b728a8e16a524c3bee9d252626c9c619fb801040ac4a17f99fd0671047d7f867c657dc20d288ab880cb3b09961f7cec2fd23facb620cf20fedc43ae2ba01ae3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4260c863a74fb7e53dfa5faf5c8d59cc

SHA1
069c6d5207673f4f6c260065284e18d6c7582ee4

SHA256
c0de5317e9ea988bc1b3632e694639b85a3fdb3e0be746cd6a42848a3ef562a1

SHA512
1ae197253f1c95be79e9fa253f07d79566c645c959860ab43b3c9019075ff72d0aae1de3092633d42d55923c05ebfcb153f88de0dcaa9afe3eb8202a49e93166

Download Submit
C:\Users\Admin\AppData\Local\Temp\obome.exe

Filesize
209KB

MD5
7ce4a9f4785bd8c03822c018ac2dcbe8

SHA1
465fca624b72a62299fe65a47f815df26341760f

SHA256
bdf8099779eca1cfa9e6f6e3f11d4a36cdee9fb70e0d013ba64bff4cf48b038f

SHA512
4b6cac70bb26993af3dc4ded47c76fd51811c96fab57618f2085ca3ffc2d98f0297ca795da21df05289357d747ad61af71bd42d772a4d9d84bb9422298141fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyajb.exe

Filesize
480KB

MD5
b9cb6855d626dc90b3c4359987cd75f6

SHA1
9a8c1a99aa41c789bfb64fe9b13840254f2368d4

SHA256
5895333f776af6672721af6555502bf73f807a5b3e0c4f6c894436dfc13247eb

SHA512
44890df724bce7fb6e87ce6e135eb443bcaf7c2945b20813febfeedf5287bc3ff07202d3c3401e05c7fc7a68ae59546ec18010a0f437475f1677a9fdb1415be8

Download Submit
memory/1052-11-0x0000000000170000-0x00000000001EF000-memory.dmp

Filesize
508KB

Download
memory/3208-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3208-24-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3208-25-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3208-30-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3208-32-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3208-33-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3208-34-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3208-35-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3208-36-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3208-37-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3208-38-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/5072-0-0x0000000000A80000-0x0000000000AFF000-memory.dmp

Filesize
508KB

Download