urelas | c311b047eb52e41145898dfee3aa8db359e847d990fd508d31bf482f9385134a

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_8cc1d08d9556927b79414967607b3c25_amadey_smoke-loader.exe
Size

516KB
MD5

8cc1d08d9556927b79414967607b3c25
SHA1

35a4a3bcf960fd04f9f6fa60f129a1924af14057
SHA256

c311b047eb52e41145898dfee3aa8db359e847d990fd508d31bf482f9385134a
SHA512

a6abbbdadd4e95906ffec8f5d4a8cb04d0edf3605a4cec334bcc88c916e62815a2846d5c08edbe8b7cb16e0b2f8a3e9ef1a385c30952066f3953b9cd5dbc8e05
SSDEEP

12288:c2PxDgZo3ijniealtYDG7MzZSHJcvEj8dmoS2uZ:c2SLi7LT7MifjP

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	2025-04-03_8cc1d08d9556927b79414967607b3c25_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	iqihl.exe

Executes dropped EXE 2 IoCs

pid	Process
2992	iqihl.exe
5708	gopuj.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5888-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/files/0x000e000000024068-6.dat	upx
behavioral1/memory/2992-13-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/5888-14-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2992-17-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2992-27-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_8cc1d08d9556927b79414967607b3c25_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iqihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gopuj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe
5708	gopuj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5888 wrote to memory of 2992	5888	2025-04-03_8cc1d08d9556927b79414967607b3c25_amadey_smoke-loader.exe	91
PID 5888 wrote to memory of 2992	5888	2025-04-03_8cc1d08d9556927b79414967607b3c25_amadey_smoke-loader.exe	91
PID 5888 wrote to memory of 2992	5888	2025-04-03_8cc1d08d9556927b79414967607b3c25_amadey_smoke-loader.exe	91
PID 5888 wrote to memory of 2376	5888	2025-04-03_8cc1d08d9556927b79414967607b3c25_amadey_smoke-loader.exe	92
PID 5888 wrote to memory of 2376	5888	2025-04-03_8cc1d08d9556927b79414967607b3c25_amadey_smoke-loader.exe	92
PID 5888 wrote to memory of 2376	5888	2025-04-03_8cc1d08d9556927b79414967607b3c25_amadey_smoke-loader.exe	92
PID 2992 wrote to memory of 5708	2992	iqihl.exe	111
PID 2992 wrote to memory of 5708	2992	iqihl.exe	111
PID 2992 wrote to memory of 5708	2992	iqihl.exe	111

C:\Users\Admin\AppData\Local\Temp\2025-04-03_8cc1d08d9556927b79414967607b3c25_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_8cc1d08d9556927b79414967607b3c25_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5888
- C:\Users\Admin\AppData\Local\Temp\iqihl.exe
  "C:\Users\Admin\AppData\Local\Temp\iqihl.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\gopuj.exe
    "C:\Users\Admin\AppData\Local\Temp\gopuj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
5a432376b89d548800247773c5dbd0f5

SHA1
3b3555bb9041d2f963d198d63ef48e9158d058d5

SHA256
d34c27cf81fb3937eb5facc88d6e5823b40aa1af70e4b6876b72c0ba89f4ca6f

SHA512
b0158c7615384440f10a81ba6b5274652674af59e0d1085d170a284e9f4a36ae48a825c83a1b485572b7757eac0ff407bcf5e214ec4ec984829dee5a453dbf27

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7a900f0fa72f5afe9faaede6dd72dac6

SHA1
d0f4bc11f872d964aa1cedd5bf37641fcf699b8f

SHA256
ed3a906e15f0ef7af29666e4452eb9df2601cbc24411f2eabea8ab28e70fa023

SHA512
331abb9b38781637baa5114fa4251ce6c93ab70f704db74b525afe157a2a8fd16c2771feefc3a49b55547ca560a639249993f1536db517fbe1bfe5f5a18f8632

Download Submit
C:\Users\Admin\AppData\Local\Temp\gopuj.exe

Filesize
230KB

MD5
3026646ef53e28ceb7fbaa571363d017

SHA1
4330e57c6996bbc0f6cb8a37a29a53ab1570962c

SHA256
5e8f0ac8f0b95d1965cbe24ec9d7dc6063dbe17f917ecc24842d7988bf86e37a

SHA512
5b90a5d27404dc1ec28770374d267a08f45039473cabbcd27a97193d61f6165a581e5dd7cbf10b0b073eac4a969e7979b2d87d5f9f3261813c0c06fef9a1948f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqihl.exe

Filesize
516KB

MD5
483302531f72f9e46da77e901046a41a

SHA1
260d76e7d9c7f48f167972f9fefe6bb2d0516c89

SHA256
02a584ca82f834fd8ce671003fbf995b5a4608d462ac0a7cddd5b0ef2eb8b2a9

SHA512
cbed6735ca95a8f0ba5f1b7798f9c0ec937b86f13694d9518d52df277b8e65a78d29b8e7154beae165de98e9a11c961e7b43a750ed584e86bcdcf87423ed20ef

Download Submit
memory/2992-13-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2992-27-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2992-17-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5708-25-0x0000000000670000-0x0000000000723000-memory.dmp

Filesize
716KB

Download
memory/5708-28-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/5708-30-0x0000000000670000-0x0000000000723000-memory.dmp

Filesize
716KB

Download
memory/5708-31-0x0000000000670000-0x0000000000723000-memory.dmp

Filesize
716KB

Download
memory/5708-32-0x0000000000670000-0x0000000000723000-memory.dmp

Filesize
716KB

Download
memory/5708-33-0x0000000000670000-0x0000000000723000-memory.dmp

Filesize
716KB

Download
memory/5708-34-0x0000000000670000-0x0000000000723000-memory.dmp

Filesize
716KB

Download
memory/5888-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5888-14-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download