Analysis
-
max time kernel
149s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
03/04/2025, 08:00
General
-
Target
2025-04-03_4f7fd13dd800b2cca37b739573ebd100_amadey_smoke-loader.exe
-
Size
516KB
-
MD5
4f7fd13dd800b2cca37b739573ebd100
-
SHA1
1199d9df2ae9d2e67f7c7b27bfada1e3fb3f7348
-
SHA256
97d4f7720474df2c1a3a93b342e32600926f108f7f2331f35ecbb4992130144b
-
SHA512
5b0723607ac054e969b8e54c77545033cc1891d547eff414e0a48a936411437e3eb1b5779bc28a71de2cbf041255dc4810bbcb1271ad84dedede43560744a592
-
SSDEEP
12288:c2PxDgZo3ijniealtYDG7MzZSHJcvEj8dmoS2ud:c2SLi7LT7MifjT
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.30.235
218.54.31.165
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-03_4f7fd13dd800b2cca37b739573ebd100_amadey_smoke-loader.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-03_4f7fd13dd800b2cca37b739573ebd100_amadey_smoke-loader.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\uflee.exe"C:\Users\Admin\AppData\Local\Temp\uflee.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hyluq.exe"C:\Users\Admin\AppData\Local\Temp\hyluq.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
338B
MD59a1f06a8c2f116636f11e44a85802c37
SHA166c400bfa044cba30ca789dcea4fc4b1afb5d6d9
SHA25682bba2a72229d63120b6e3dde4cc2c3d9d426d0f2212ad9f2aac52d5eafdaad0
SHA51258fe8b107f18bdecce0bc2cdea0ff3a474648b36e7c2241d21e0f6b366ca4bc7fd28990380fc62361f79b99c4d4f2efbb610ecb1f23202f5d3e463d4c7c0041d
-
Filesize
512B
MD5359dcce17352fbf36144901be3007b4b
SHA1583fdebb970f95b5baf8277e8a1ee119512d5b99
SHA2566d9e1c5b50e50074326d15aa4bcbdd3214089e2d200a03b48c8669f7f487d57a
SHA512c51eb6bd84f18121a67a80bc25af1d69682735ad085f9cb9fe6806f928a2393437c3aa5745809a9e911e762439898dbf8af8c4075814fab03b3c5c0c5f24dfb3
-
Filesize
230KB
MD52aadab5a85db6e382a7c6b8b3da2791d
SHA1dba3a6e52b69c44eb87c505e162a1f67258a14c3
SHA2569dfb985f77fab1d90540eb1856a2f4bf70c05763dd2e43ce83eaec1bc6c61006
SHA5121c74183ee812b2fcdcb81022e4d43f69531df8194cabae9ccb5fe8917b668688700344d4f4a523a62fd935618dc3a0c6086252be04beb198373bf62346c9b3f5
-
Filesize
516KB
MD592ec2a8e0188393bd8482816eb4bbea6
SHA18e2662eafaa4c8e18c9f3449bd7c87c1a35998c6
SHA256c816d2d13cc3a606412145ab3ea96613392b06e89038b6312058d86cd0410f2a
SHA5123a22667e71a430b97f7f07414134af27b74c042b6d00b20d95568fd3b50970ba809b6200f89747364d63d86ab2af360eb0e99de9f986ef7ec38e5fc557ce05b3
-
Filesize
716KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
540KB
-
Filesize
540KB
-
Filesize
540KB
-
Filesize
540KB