urelas | 93b4f3c20a29fe478f45a63066091b522c54bc2d7622f8197a005c77bc575427

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_9afcf980e258e8937b1a40da46ef450a_amadey_smoke-loader.exe
Size

581KB
MD5

9afcf980e258e8937b1a40da46ef450a
SHA1

71a07b8d9767ff5cd75144b2b48e8b1056708be0
SHA256

93b4f3c20a29fe478f45a63066091b522c54bc2d7622f8197a005c77bc575427
SHA512

21d46e1a50f5322bd2d00b1fb204e4da2853bf86256671b222dcdf4d410c84d4cd2c3503a5eed1e92624b058ead51ad0fe3dede3bc91d7cc38bc4b28cd9469c7
SSDEEP

6144:JajY1oC+/U8Vjlx4kk9HKda4L38c8hpdoSQbQFsrF1W/h84IrV7mMpH8zQW4jQwe:fOlx4kk9HKda4YJoSiQi4kVdcQzjkD

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	2025-04-03_9afcf980e258e8937b1a40da46ef450a_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	byobw.exe

Executes dropped EXE 2 IoCs

pid	Process
748	byobw.exe
1952	seris.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/400-0-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/files/0x000700000001e449-6.dat	upx
behavioral1/memory/748-12-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/memory/400-14-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/memory/748-17-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/memory/748-28-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_9afcf980e258e8937b1a40da46ef450a_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byobw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	seris.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe
1952	seris.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1952	seris.exe
Token: SeIncBasePriorityPrivilege	1952	seris.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 748	400	2025-04-03_9afcf980e258e8937b1a40da46ef450a_amadey_smoke-loader.exe	92
PID 400 wrote to memory of 748	400	2025-04-03_9afcf980e258e8937b1a40da46ef450a_amadey_smoke-loader.exe	92
PID 400 wrote to memory of 748	400	2025-04-03_9afcf980e258e8937b1a40da46ef450a_amadey_smoke-loader.exe	92
PID 400 wrote to memory of 4284	400	2025-04-03_9afcf980e258e8937b1a40da46ef450a_amadey_smoke-loader.exe	93
PID 400 wrote to memory of 4284	400	2025-04-03_9afcf980e258e8937b1a40da46ef450a_amadey_smoke-loader.exe	93
PID 400 wrote to memory of 4284	400	2025-04-03_9afcf980e258e8937b1a40da46ef450a_amadey_smoke-loader.exe	93
PID 748 wrote to memory of 1952	748	byobw.exe	112
PID 748 wrote to memory of 1952	748	byobw.exe	112
PID 748 wrote to memory of 1952	748	byobw.exe	112

C:\Users\Admin\AppData\Local\Temp\2025-04-03_9afcf980e258e8937b1a40da46ef450a_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_9afcf980e258e8937b1a40da46ef450a_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\byobw.exe
  "C:\Users\Admin\AppData\Local\Temp\byobw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\seris.exe
    "C:\Users\Admin\AppData\Local\Temp\seris.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
8cb9447c4b5a9d08216b9bdfc385f32c

SHA1
9a403bacf29e1b5b5ce60cc0bc25eed57cc85562

SHA256
26f279134d88ca92fbc453bad6e83aa1460c15f7e9219c01bf690777a0a33980

SHA512
e08913042f73bfcb58fa0e7519389130dadb1b1e1742b83f4e5055f8909594a4774071f75abae70ed04a7be83d31ba0bf5dcad16e5b5cb1c05c1fdef945cd914

Download Submit
C:\Users\Admin\AppData\Local\Temp\byobw.exe

Filesize
581KB

MD5
ac5be0560bf3b68d52ff26a4e866e026

SHA1
8e60dcbaf1d663ec50ac7f05a4ecdb1233730f09

SHA256
966d8413f288ef6ed082cac30d0d5946b17018331c2fd451851edf440e99d781

SHA512
804d828da840c7b21e9557c9a1a709ea55a0f8be588ff3e2887aaf697e60549ce041ef61984dcda8d159a6e9bf092aaf2600bc456f7ef7173f16fcab7af3585e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e6bd534e29444a3ce7ea12654c6d4298

SHA1
6d3fe18a9d4a7099bab8e68063efc28f45972f09

SHA256
c07afa7514e9ac40a53458495cda634f90127db15071ee3602fc028a33e75e85

SHA512
bc38fbf38c018997d3621ca8e554862b9b145f1a5cf8235f8938536c3cdd44bb379f7bda03e9749a6a791b2287897737acfea80e5497e65fe481436c6bc118b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\seris.exe

Filesize
201KB

MD5
e6ae7b89b0d9f8ea09c1378923d7cbf0

SHA1
fd6acf13f90216e8564769e20f880a8bd6386f82

SHA256
658274d05cda6e627bfd970a2b7b9b6bc4beb223543207d6942f1924e4448a94

SHA512
220a43851b1db9b05217f060867c30499e3a7aca54de0b80a769173ca026513182c2e025e468f350a4e185fac4dc09b5acd22e54af04e12acc659334637af896

Download Submit
memory/400-14-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/400-0-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/748-28-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/748-12-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/748-17-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/1952-27-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1952-26-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1952-31-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1952-30-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1952-32-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1952-33-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1952-34-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1952-35-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download