urelas | b5fd98b65aa8b427bbc3ad34d95b0598218102793a3e645a59e40f121c5d2e3b

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe
Size

480KB
MD5

bf731b4a8a954e8a42ba9fec29607bdc
SHA1

9c5e606d8cd82cfa8682df33abe744fd6155d777
SHA256

b5fd98b65aa8b427bbc3ad34d95b0598218102793a3e645a59e40f121c5d2e3b
SHA512

17df5a6c1a27b3c79ed4f572f1b1a0d7bf3937f4a8d3acb50b1962d0fed7866f3e099a5d96ebd07d6045cf0c8ab9a9f250c2683ecc3c4d8473de88b87dcafe25
SSDEEP

6144:wqXAoQT5Tr9R0HN/3w36EnCYLTcz6MY5NYnE/QhyjxJBErrZAWkPW5oeNtLjpVO9:TQRI/3w36EnCYcFE/iydJai/WZti

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	doown.exe

Executes dropped EXE 2 IoCs

pid	Process
2380	doown.exe
3296	otyxi.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000f00000002405d-20.dat	upx
behavioral1/memory/3296-24-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3296-26-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3296-27-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3296-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3296-29-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3296-30-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3296-31-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	otyxi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe
3296	otyxi.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2380	2136	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe	89
PID 2136 wrote to memory of 2380	2136	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe	89
PID 2136 wrote to memory of 2380	2136	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe	89
PID 2136 wrote to memory of 4624	2136	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe	90
PID 2136 wrote to memory of 4624	2136	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe	90
PID 2136 wrote to memory of 4624	2136	2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe	90
PID 2380 wrote to memory of 3296	2380	doown.exe	108
PID 2380 wrote to memory of 3296	2380	doown.exe	108
PID 2380 wrote to memory of 3296	2380	doown.exe	108

C:\Users\Admin\AppData\Local\Temp\2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_bf731b4a8a954e8a42ba9fec29607bdc_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\doown.exe
  "C:\Users\Admin\AppData\Local\Temp\doown.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\otyxi.exe
    "C:\Users\Admin\AppData\Local\Temp\otyxi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
cf453d58e8b9d182d060231c60c81fcd

SHA1
27ea83188a19f7341a7dccad169792071d2475bd

SHA256
2bd53a2781dc7c291258afcb6fa6130b4120fddb4233816155796958d243f240

SHA512
b728a8e16a524c3bee9d252626c9c619fb801040ac4a17f99fd0671047d7f867c657dc20d288ab880cb3b09961f7cec2fd23facb620cf20fedc43ae2ba01ae3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\doown.exe

Filesize
480KB

MD5
375b143e730c0dd85768d83bd3ec7864

SHA1
74e92e0bcb4aab06ff515bc310da2e0d83b92092

SHA256
72717a30f4ef78cdbeb6fae41af865f333201b052ed90552518ff079991d2d72

SHA512
d2fd6b40ccf5dee7a81c6b3df569949855f7bfbd2edeab01333625521c8de51aa259d5b05571b25c57d8f543da358f57ce2ef1e020cb2f9d36a812073e9e261b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f8a61aab1a5bec920353a67b0e374873

SHA1
cfa884efac7273503aef8e0c1eac11dfe83fc6f8

SHA256
d8cb7f17203e4d210cc929fa2b1f582af1ebb0759e6ae00c464f238a22528ea2

SHA512
ec128f25d7b6f70eeff98bea0db53b453c425283be7fe5de5be0b4195547ddf8de65e1c14bebb3c14a9b6fcf6d5267e3f269cde4842ef03472b2621ca51de177

Download Submit
C:\Users\Admin\AppData\Local\Temp\otyxi.exe

Filesize
209KB

MD5
379a13d995b4bea4ec89a4a482d42663

SHA1
d81f64a2d48efd7df038c8f511bb6fb9654662ed

SHA256
301a5b007adbb3677969a495f3275b9d5ffa59110c8560e944bff9e1f07b56ce

SHA512
1fc9e12efbb4dd22666619bb3fddddb8cf559f7926c9f8c316cace18ec4634fe73379b6ae270aaad0e6bd79bddc1e95d90522b470c0de512cb8835334c8dd47a

Download Submit
memory/2136-0-0x00000000004E0000-0x000000000055F000-memory.dmp

Filesize
508KB

Download
memory/2380-13-0x0000000000420000-0x000000000049F000-memory.dmp

Filesize
508KB

Download
memory/3296-24-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3296-26-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3296-27-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3296-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3296-29-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3296-30-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3296-31-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download