urelas | ac47050eb8e0bb2e70212d6f6e33fa05eb47439e0871bc23ad77aa7b749d7810

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_bbba67b38a348eaed7e7f84661a379e8_amadey_smoke-loader.exe
Size

516KB
MD5

bbba67b38a348eaed7e7f84661a379e8
SHA1

fd6fa49f7f8cfa5ad431a7c0c8547a66168eaa5d
SHA256

ac47050eb8e0bb2e70212d6f6e33fa05eb47439e0871bc23ad77aa7b749d7810
SHA512

fcc689683f63ed2092421994515f2f24704b3e403612ad48ccb13a14806dcd18846e896eee34cbcac03319bbc2b9fe02876e24fb3c1c28a9505c8a68133f359e
SSDEEP

12288:c2PxDgZo3ijniealtYDG7MzZSHJcvEj8dmoS2us:c2SLi7LT7Mifje

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	2025-04-03_bbba67b38a348eaed7e7f84661a379e8_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ivfor.exe

Executes dropped EXE 2 IoCs

pid	Process
3320	ivfor.exe
4560	voicv.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1284-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/files/0x000f00000002417c-6.dat	upx
behavioral1/memory/3320-11-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/1284-14-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/3320-17-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/3320-27-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voicv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_bbba67b38a348eaed7e7f84661a379e8_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ivfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe
4560	voicv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 3320	1284	2025-04-03_bbba67b38a348eaed7e7f84661a379e8_amadey_smoke-loader.exe	91
PID 1284 wrote to memory of 3320	1284	2025-04-03_bbba67b38a348eaed7e7f84661a379e8_amadey_smoke-loader.exe	91
PID 1284 wrote to memory of 3320	1284	2025-04-03_bbba67b38a348eaed7e7f84661a379e8_amadey_smoke-loader.exe	91
PID 1284 wrote to memory of 3716	1284	2025-04-03_bbba67b38a348eaed7e7f84661a379e8_amadey_smoke-loader.exe	92
PID 1284 wrote to memory of 3716	1284	2025-04-03_bbba67b38a348eaed7e7f84661a379e8_amadey_smoke-loader.exe	92
PID 1284 wrote to memory of 3716	1284	2025-04-03_bbba67b38a348eaed7e7f84661a379e8_amadey_smoke-loader.exe	92
PID 3320 wrote to memory of 4560	3320	ivfor.exe	109
PID 3320 wrote to memory of 4560	3320	ivfor.exe	109
PID 3320 wrote to memory of 4560	3320	ivfor.exe	109

C:\Users\Admin\AppData\Local\Temp\2025-04-03_bbba67b38a348eaed7e7f84661a379e8_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_bbba67b38a348eaed7e7f84661a379e8_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\ivfor.exe
  "C:\Users\Admin\AppData\Local\Temp\ivfor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\voicv.exe
    "C:\Users\Admin\AppData\Local\Temp\voicv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
28abfaf676dc601a29b26fa2facd4b84

SHA1
0bff24df37effd208689765e15d37245d66d2fae

SHA256
70a1afb80e3e0f0f55192c19ac855e443f1a4d71baf18086ad67fe00739706e8

SHA512
8741cb4828bdd456fa043a964adc78a9d03eb7719e2d57b02c79e59d36c5d768f14799de3d8ce5ebed7eadaefb8c8cee385a0ddde66355f9c7a622a45dde27e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c59801f96b0efb78f6d0d0a92a9b549a

SHA1
71e79f6d30697132e3f9a113dfe96e591673fa54

SHA256
349a86d52345ff9b5e7a925b5e381cd608e2e56d309d2c1e211c94029ec2c647

SHA512
4108acfa6920b4ca360aa9c5f489635cea0d094980448e86e51f04f7ea903106229b60f76f1f58f14fe3ef11e0c923432bfa6fbca471f0a4346f1ae6fac9d528

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivfor.exe

Filesize
516KB

MD5
2538a1f8fe9e8fcddd7f33ceab93157d

SHA1
98b84d2243299504b12742f5beb08ac04755379b

SHA256
76c481f54096c5c47f18f8168c0459b878caa3e951be72ee6412447413921643

SHA512
1a1ea37ca4eb60cd7086f74ba8722e4f296a62a50f94e374c306015df8c4a53ba8e56075b43bec27bcc2a78f04d2cae8765ea27c9153906ff970ae7bfdfa72f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\voicv.exe

Filesize
230KB

MD5
a1a171f164cdf508d0c1b1c32fcd2e36

SHA1
888d6624e0329d831fb1a72fa4460ecb4147141e

SHA256
3bfd49da8ae8822cedc0a4a0929b2fabb60be0c1d8d61caf94cb69cb594e657b

SHA512
dd4086cd281bee81642ab3694cbcb906d4fb93ccf48035fe9351e6fb11697789bd902bdfad84f2714f1b1da3ff511542ddb607aeac4b180b023a20f06289f442

Download Submit
memory/1284-14-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1284-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3320-27-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3320-11-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3320-17-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4560-26-0x0000000000730000-0x00000000007E3000-memory.dmp

Filesize
716KB

Download
memory/4560-28-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/4560-30-0x0000000000730000-0x00000000007E3000-memory.dmp

Filesize
716KB

Download
memory/4560-31-0x0000000000730000-0x00000000007E3000-memory.dmp

Filesize
716KB

Download
memory/4560-32-0x0000000000730000-0x00000000007E3000-memory.dmp

Filesize
716KB

Download
memory/4560-33-0x0000000000730000-0x00000000007E3000-memory.dmp

Filesize
716KB

Download
memory/4560-34-0x0000000000730000-0x00000000007E3000-memory.dmp

Filesize
716KB

Download