Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
03/04/2025, 07:54
General
-
Target
2025-04-03_4f7fd13dd800b2cca37b739573ebd100_amadey_smoke-loader.exe
-
Size
516KB
-
MD5
4f7fd13dd800b2cca37b739573ebd100
-
SHA1
1199d9df2ae9d2e67f7c7b27bfada1e3fb3f7348
-
SHA256
97d4f7720474df2c1a3a93b342e32600926f108f7f2331f35ecbb4992130144b
-
SHA512
5b0723607ac054e969b8e54c77545033cc1891d547eff414e0a48a936411437e3eb1b5779bc28a71de2cbf041255dc4810bbcb1271ad84dedede43560744a592
-
SSDEEP
12288:c2PxDgZo3ijniealtYDG7MzZSHJcvEj8dmoS2ud:c2SLi7LT7MifjT
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.30.235
218.54.31.165
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-03_4f7fd13dd800b2cca37b739573ebd100_amadey_smoke-loader.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-03_4f7fd13dd800b2cca37b739573ebd100_amadey_smoke-loader.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\caloi.exe"C:\Users\Admin\AppData\Local\Temp\caloi.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\riviq.exe"C:\Users\Admin\AppData\Local\Temp\riviq.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
338B
MD59a1f06a8c2f116636f11e44a85802c37
SHA166c400bfa044cba30ca789dcea4fc4b1afb5d6d9
SHA25682bba2a72229d63120b6e3dde4cc2c3d9d426d0f2212ad9f2aac52d5eafdaad0
SHA51258fe8b107f18bdecce0bc2cdea0ff3a474648b36e7c2241d21e0f6b366ca4bc7fd28990380fc62361f79b99c4d4f2efbb610ecb1f23202f5d3e463d4c7c0041d
-
Filesize
516KB
MD50409839629df69cd71843efc7634cded
SHA1c853f3ead7519b6d816d6a6645b7790ccf2fa2d2
SHA25649b61480ec1cde2424507dcdce137d98708a31be7b83fbc5e36040ddd1585e33
SHA512c7f050cb8c074dde679c6dcbf7c0a2ec1d0c645391e3f374d8227c13d4342c8cb9fc545d63344a89f0f54b9d1057e79f1fd93397827ca815d0f3141eb4ac2e83
-
Filesize
512B
MD575315efbd52d7b0e5455789043f3eb08
SHA17232b7f63a86752c99406710b6c8b8a6d1c1656e
SHA25642cf3524ed61cfa489f1132339e3e134be8cac928a8054e253d35b75b48c530c
SHA512a0d4cfcfe4f6eae0db0e09d570ce736a918e60a96ebcb6bbdecaa6bf176987023307398e4cb898d0b9b8be605f345d7f61cbca388b788078b3a009673eca48de
-
Filesize
230KB
MD54f28c398e60fb3eabbc4af7c558ca615
SHA1c13d01bd0d05d571ee437628561cebc80df1bb20
SHA256d18674266bfcc672e3463d43faf4daaa02e3c35f09cfada8d4e9c01a782954fc
SHA5124d9e9fc25ac40758af2350333214974393e08e71da27dd534c255c52a37b12cfdd01b97f794e1b22354405bcd5c180af00e6fff09f2196371f05343602c645b8
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
4KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
540KB
-
Filesize
540KB
-
Filesize
540KB
-
Filesize
540KB
-
Filesize
540KB