urelas | f2f1e80dde8e6bab909cae0f8fdbd38cd5a4371bd8ea93b66d135e7030622664

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe
Size

581KB
MD5

79edff08b4c5acd81e001446292b905d
SHA1

1950177af6fac20e05c39656e0e2beea7684808a
SHA256

f2f1e80dde8e6bab909cae0f8fdbd38cd5a4371bd8ea93b66d135e7030622664
SHA512

a85cc9f0423c1e1a84d09eb770882072a91f0e570599ee935ec8d6ee11513b78dfef83ff357d969086dad296ceef7cf7ae35462630904206b99e0a56c637c4a2
SSDEEP

6144:JajY1oC+/U8Vjlx4kk9HKda4L38c8hpdoSQbQFsrF1W/h84IrV7mMpH8zQW4jQwS:fOlx4kk9HKda4YJoSiQi4kVdcQzjkP

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	yqber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe

Executes dropped EXE 2 IoCs

pid	Process
5008	yqber.exe
4896	nypua.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2676-0-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/files/0x000d0000000240f8-6.dat	upx
behavioral1/memory/2676-13-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/memory/5008-16-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/memory/5008-26-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nypua.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe
4896	nypua.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4896	nypua.exe
Token: SeIncBasePriorityPrivilege	4896	nypua.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 5008	2676	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe	92
PID 2676 wrote to memory of 5008	2676	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe	92
PID 2676 wrote to memory of 5008	2676	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe	92
PID 2676 wrote to memory of 996	2676	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe	93
PID 2676 wrote to memory of 996	2676	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe	93
PID 2676 wrote to memory of 996	2676	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe	93
PID 5008 wrote to memory of 4896	5008	yqber.exe	116
PID 5008 wrote to memory of 4896	5008	yqber.exe	116
PID 5008 wrote to memory of 4896	5008	yqber.exe	116

C:\Users\Admin\AppData\Local\Temp\2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\yqber.exe
  "C:\Users\Admin\AppData\Local\Temp\yqber.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\nypua.exe
    "C:\Users\Admin\AppData\Local\Temp\nypua.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
300cc529b9fd8a59f4d5de76a6d2e587

SHA1
108b9e7be6c96af41890990a1d4a39a8ee8a5116

SHA256
7d42a782be1d4b062a1674952853540cdea104b2a6f80fe8f551f9c7ebdcf6ba

SHA512
3711c966c27224b77b25a77e4bb9651b0515b28302fec8db22a89b6653267d5c2c72c3ea16390f1746bc08f23b333c53ec5066da935b9818ee81beaf5c83ae46

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bccd75e5b613dbd28d55e247701a291c

SHA1
8a0dab817b2b6cc7545306b786ec909cc9fcef14

SHA256
2fbdedb13d8d1713b1805cd8dc94f1d3b7586b1a79b5e348ffe4c021d41c5e95

SHA512
ff809c04d7046a6e6f9269ea53808deb991e9f5ac3d316888f6f04f5051ad4095ce4f461e2a1d59c650093d67b8d696eeb79cc83840edae7f21413df4bbaa184

Download Submit
C:\Users\Admin\AppData\Local\Temp\nypua.exe

Filesize
201KB

MD5
8c03b62a4f75c364b9ecfa556502dcd2

SHA1
f2303cd47fd51216f842cbfcef86ae754d0994f4

SHA256
9596c7c2a772c1b9bd707688dac44849efabe931fcc1a7e49992560e7558eef0

SHA512
24bcc1865e7a7730a80a062881c996d519476cb5ad0898abc17409004651cadcb44ef681829056029cf564f83d91eb013b02878fca310a12566f91f5d2374f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqber.exe

Filesize
581KB

MD5
b543f32070fa424f9cce4819147dd448

SHA1
838314514bfaa4003cec759cea447791fafaff1a

SHA256
548cd7d0b69a58f4a575c1cb999feab9c17c3835587bd181d4606e677b45231c

SHA512
a4cf4443fa8ffc21ba888cc6b208e6b45fcab641de430d502e8e98597fe3af48ed04bbc33bf8bcb78b75ba41bd46d26d92412ed3f0df5d718556006382a6ac99

Download Submit
memory/2676-13-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/2676-0-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/4896-25-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4896-27-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4896-29-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4896-30-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4896-31-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4896-32-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4896-33-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5008-16-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/5008-26-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download