urelas | 76cb35b5bb2e2df67d716081a2611f6bf86f72ec683c6c0b5944284fd7b9e15c

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_1dc7897f0e9fd46cfa9c416c39b8d70e_amadey_smoke-loader.exe
Size

581KB
MD5

1dc7897f0e9fd46cfa9c416c39b8d70e
SHA1

ae447b8f69b37336c546a1f98647fb5ff2c2ae38
SHA256

76cb35b5bb2e2df67d716081a2611f6bf86f72ec683c6c0b5944284fd7b9e15c
SHA512

8d058f67b92529c6d6d51172439ec91f06a4af5a28fcc23098685e59ff15be169508a48b38712cbd0490c1ed6cd3358def305703bbf302bcea05483ce00f3766
SSDEEP

6144:JajY1oC+/U8Vjlx4kk9HKda4L38c8hpdoSQbQFsrF1W/h84IrV7mMpH8zQW4jQwM:fOlx4kk9HKda4YJoSiQi4kVdcQzjk1

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	2025-04-03_1dc7897f0e9fd46cfa9c416c39b8d70e_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	enajq.exe

Executes dropped EXE 2 IoCs

pid	Process
2168	enajq.exe
2456	kyxyh.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3964-0-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/files/0x000500000001da70-6.dat	upx
behavioral1/memory/3964-13-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/memory/2168-16-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/memory/2168-26-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyxyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_1dc7897f0e9fd46cfa9c416c39b8d70e_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	enajq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe
2456	kyxyh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2456	kyxyh.exe
Token: SeIncBasePriorityPrivilege	2456	kyxyh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 2168	3964	2025-04-03_1dc7897f0e9fd46cfa9c416c39b8d70e_amadey_smoke-loader.exe	93
PID 3964 wrote to memory of 2168	3964	2025-04-03_1dc7897f0e9fd46cfa9c416c39b8d70e_amadey_smoke-loader.exe	93
PID 3964 wrote to memory of 2168	3964	2025-04-03_1dc7897f0e9fd46cfa9c416c39b8d70e_amadey_smoke-loader.exe	93
PID 3964 wrote to memory of 4372	3964	2025-04-03_1dc7897f0e9fd46cfa9c416c39b8d70e_amadey_smoke-loader.exe	94
PID 3964 wrote to memory of 4372	3964	2025-04-03_1dc7897f0e9fd46cfa9c416c39b8d70e_amadey_smoke-loader.exe	94
PID 3964 wrote to memory of 4372	3964	2025-04-03_1dc7897f0e9fd46cfa9c416c39b8d70e_amadey_smoke-loader.exe	94
PID 2168 wrote to memory of 2456	2168	enajq.exe	113
PID 2168 wrote to memory of 2456	2168	enajq.exe	113
PID 2168 wrote to memory of 2456	2168	enajq.exe	113

C:\Users\Admin\AppData\Local\Temp\2025-04-03_1dc7897f0e9fd46cfa9c416c39b8d70e_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_1dc7897f0e9fd46cfa9c416c39b8d70e_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Users\Admin\AppData\Local\Temp\enajq.exe
  "C:\Users\Admin\AppData\Local\Temp\enajq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\kyxyh.exe
    "C:\Users\Admin\AppData\Local\Temp\kyxyh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
90360bcdad9401b2751bd7b15910a849

SHA1
b95fe675d06cac979a390fa2a89a64d9eb24ba38

SHA256
bf87005f91a4029834acbff391385fbae21df3107b47807365e53ea5d28fd6d3

SHA512
d286aba7edafddf659c08b75779ed4afa5b6fe1942e99ace398ccf886c63cce6f6acf270cc68cf32e58ff1ad5e1a88a63fb89bdbfab52d80abfb35907031c0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\enajq.exe

Filesize
581KB

MD5
507f6297501e7a26096055fd95b0ed91

SHA1
89d285da7e6a389637ef768c2f2abe805efa1288

SHA256
39ef9ed4256141f881a5e92b606dc2d2397ac2373fcfcce2a559e01744db74f5

SHA512
d0b7c61442e2dc98e4dbaff4fecc7c623f51ab6c1184ffbae5eb4bfa6940b066a70b95440c385e1a5d8b05040f1dd74344c9fcb992e03394567e929a0b902485

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
86a9691750f3e3e16599088db57acc34

SHA1
53a4751c3021bd0e101163aeed55574b040e10a3

SHA256
e84a45039f20709beced2f533ccc1a6cda1da7c869a0628ed4f0ed0d489d7515

SHA512
bf645d6d24bb450e0aa67c7093bdb7d9e6e76e32ee4456be3137369a2bff6ed32b1e02b4e7639516c367c9fa433e7946de6f11fe38c02e80b567cba56bb6e857

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyxyh.exe

Filesize
201KB

MD5
4eced25d2855fb6edd723ed14fbda715

SHA1
9363d48cefa4defb8b32092ec300d1982b18f140

SHA256
28e9ef5cf16a749c256d7f6c98dd2977bbd2a5cc53d5700a61e6e1cea7815e7c

SHA512
5886330b112bbd406b43206e6df14be26d67ab2d3e52907083a089fa6f14aea505d05b59090e781e3053192160fdfc0ece4876354bc8839fd9c92dfcaef5579c

Download Submit
memory/2168-26-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/2168-16-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/2456-27-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2456-24-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2456-30-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2456-29-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2456-31-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2456-32-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2456-33-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2456-34-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3964-0-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/3964-13-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download