urelas | f2f1e80dde8e6bab909cae0f8fdbd38cd5a4371bd8ea93b66d135e7030622664

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe
Size

581KB
MD5

79edff08b4c5acd81e001446292b905d
SHA1

1950177af6fac20e05c39656e0e2beea7684808a
SHA256

f2f1e80dde8e6bab909cae0f8fdbd38cd5a4371bd8ea93b66d135e7030622664
SHA512

a85cc9f0423c1e1a84d09eb770882072a91f0e570599ee935ec8d6ee11513b78dfef83ff357d969086dad296ceef7cf7ae35462630904206b99e0a56c637c4a2
SSDEEP

6144:JajY1oC+/U8Vjlx4kk9HKda4L38c8hpdoSQbQFsrF1W/h84IrV7mMpH8zQW4jQwS:fOlx4kk9HKda4YJoSiQi4kVdcQzjkP

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	jojye.exe

Executes dropped EXE 2 IoCs

pid	Process
2212	jojye.exe
1324	wunyl.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5992-0-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/files/0x0009000000022edd-6.dat	upx
behavioral1/memory/2212-11-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/memory/5992-14-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/memory/2212-17-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx
behavioral1/memory/2212-28-0x0000000000400000-0x00000000004BF26D-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wunyl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jojye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe
1324	wunyl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1324	wunyl.exe
Token: SeIncBasePriorityPrivilege	1324	wunyl.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5992 wrote to memory of 2212	5992	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe	90
PID 5992 wrote to memory of 2212	5992	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe	90
PID 5992 wrote to memory of 2212	5992	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe	90
PID 5992 wrote to memory of 4720	5992	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe	91
PID 5992 wrote to memory of 4720	5992	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe	91
PID 5992 wrote to memory of 4720	5992	2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe	91
PID 2212 wrote to memory of 1324	2212	jojye.exe	108
PID 2212 wrote to memory of 1324	2212	jojye.exe	108
PID 2212 wrote to memory of 1324	2212	jojye.exe	108

C:\Users\Admin\AppData\Local\Temp\2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_79edff08b4c5acd81e001446292b905d_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5992
- C:\Users\Admin\AppData\Local\Temp\jojye.exe
  "C:\Users\Admin\AppData\Local\Temp\jojye.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\wunyl.exe
    "C:\Users\Admin\AppData\Local\Temp\wunyl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
300cc529b9fd8a59f4d5de76a6d2e587

SHA1
108b9e7be6c96af41890990a1d4a39a8ee8a5116

SHA256
7d42a782be1d4b062a1674952853540cdea104b2a6f80fe8f551f9c7ebdcf6ba

SHA512
3711c966c27224b77b25a77e4bb9651b0515b28302fec8db22a89b6653267d5c2c72c3ea16390f1746bc08f23b333c53ec5066da935b9818ee81beaf5c83ae46

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
027e46e98a86d1656de5d36a5d1b481c

SHA1
92f2509edd6acd0d1e51823be106faf10e7095f0

SHA256
e7d6bdb198b229a8a845dfdf2dd685cb080858cd9acfd95b2065598b122979f4

SHA512
bfce877b2eaa5fab1ed7da3b08b335844a1fb765f28f717f6e2e42cd6d247edeb228183f341fa14369c99ebb0d21f3fe6f720dfa32d260864b81d7b27165f3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jojye.exe

Filesize
581KB

MD5
91087daf8d87125d8b8caa74b844af58

SHA1
7de2d9f8e67b4e1741fb2b389b68e0126b4ff118

SHA256
c198ff17aedf64b83e9c7794e4f4af9b1c264691634d4948af8f78b70b776c00

SHA512
708d2aac95e0592f7cf0097994541892e4382a3273379fc921fb42e39fc753f3eaa860c82c3849cc2d1f57ef6a315b51e41820c8d436735a321fb67048ba90f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wunyl.exe

Filesize
201KB

MD5
2caa177b7b546ccf9cf0070f8bd4d453

SHA1
9c80b980f22ac2147711270dd6e67566450cbb80

SHA256
4ca9ea8ca824ec7a476203e68ba2cae5761c1c1529dba00ef51c4d48126ac6c2

SHA512
a2490738b5567001eba1428f18cb29d619ab6f661ab4fae45a13d843e707ce3b8efb169198f80fcf71b116949b0a8924d7d52a24ac2e8b40c10aa70332b23bb5

Download Submit
memory/1324-26-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1324-27-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1324-31-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1324-30-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1324-32-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1324-33-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1324-34-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1324-35-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2212-17-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/2212-11-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/2212-28-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/5992-14-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download
memory/5992-0-0x0000000000400000-0x00000000004BF26D-memory.dmp

Filesize
764KB

Download