urelas | 77a725ed3c4a5f8e7d4c307b393961adf63dae6b5c7994d1fa5c8d7853256e09

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_0d79e1b3fcdef8a4c689bca5c5766763_amadey_smoke-loader.exe
Size

464KB
MD5

0d79e1b3fcdef8a4c689bca5c5766763
SHA1

3c9637dbccaba724c68d6e259b2f7d14b2b111b9
SHA256

77a725ed3c4a5f8e7d4c307b393961adf63dae6b5c7994d1fa5c8d7853256e09
SHA512

9258cc5e5456147b275334e0bfd083a13d4bd0663eda72bbd8cd8b8168d78bd2bf9a3ccb729a2cbd9c8c3fd9cb10b731dd0e58c2c676ba1d39a760bd61c566b8
SSDEEP

12288:Y6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UG:Y6tQCG0UUPzEkTn4AC1+N

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	2025-04-03_0d79e1b3fcdef8a4c689bca5c5766763_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	colez.exe

Executes dropped EXE 2 IoCs

pid	Process
704	colez.exe
3812	jopya.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000f000000023f15-22.dat	upx
behavioral1/memory/3812-26-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/3812-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/3812-30-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/3812-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/3812-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/3812-33-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/3812-34-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_0d79e1b3fcdef8a4c689bca5c5766763_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	colez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jopya.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe
3812	jopya.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 704	3304	2025-04-03_0d79e1b3fcdef8a4c689bca5c5766763_amadey_smoke-loader.exe	93
PID 3304 wrote to memory of 704	3304	2025-04-03_0d79e1b3fcdef8a4c689bca5c5766763_amadey_smoke-loader.exe	93
PID 3304 wrote to memory of 704	3304	2025-04-03_0d79e1b3fcdef8a4c689bca5c5766763_amadey_smoke-loader.exe	93
PID 3304 wrote to memory of 3472	3304	2025-04-03_0d79e1b3fcdef8a4c689bca5c5766763_amadey_smoke-loader.exe	94
PID 3304 wrote to memory of 3472	3304	2025-04-03_0d79e1b3fcdef8a4c689bca5c5766763_amadey_smoke-loader.exe	94
PID 3304 wrote to memory of 3472	3304	2025-04-03_0d79e1b3fcdef8a4c689bca5c5766763_amadey_smoke-loader.exe	94
PID 704 wrote to memory of 3812	704	colez.exe	113
PID 704 wrote to memory of 3812	704	colez.exe	113
PID 704 wrote to memory of 3812	704	colez.exe	113

C:\Users\Admin\AppData\Local\Temp\2025-04-03_0d79e1b3fcdef8a4c689bca5c5766763_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_0d79e1b3fcdef8a4c689bca5c5766763_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Local\Temp\colez.exe
  "C:\Users\Admin\AppData\Local\Temp\colez.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Users\Admin\AppData\Local\Temp\jopya.exe
    "C:\Users\Admin\AppData\Local\Temp\jopya.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
338B

MD5
efa3e40a914ddef423446005925804db

SHA1
119867bfbbd50e97092e882b4834a59c99755324

SHA256
6831b37ea8e5540d075a3501b7526eaac4448228f875524c36c7b7b9d821b521

SHA512
2b1b7d615746989fc013c48b064039d32ae34113d00650edb895fb2180083306870fdb5869fd95be024e499c440164db31aff615ea073edc753ee8fe53d6b60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\colez.exe

Filesize
464KB

MD5
b9ff84c4c16d611701a88b33f2b60fc1

SHA1
23b0aa9b374464edf2f04612aa07815073b33181

SHA256
15d25fe523613d1aadfe88c6a24566ce0944c9c78307d4b258862018a546dfc7

SHA512
eaba8d6d5e42e6ea3265ecd99c866ac0870956e017eacc16483cf2361926debcc0d824f910609f9137119fefd58b22e3ff3dfa1bb11da6a6c04438028b170086

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
65991c886b495963a3f4de3f2cf1d8b1

SHA1
dbf03cb278c915ba35e44b8620777e13bc8208e6

SHA256
addedd65a9ba4c0ee5056705e804aff2165f0e07e2613022fbe6feb533fed462

SHA512
d753914c768ea4ff0c3da8f4f8870e9e9dd1cbb091f87ddcf9afabceef8232565666edfe70bb77ad48efd77ea6c0949c3b9854a9916b317f064567faa4edb3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jopya.exe

Filesize
198KB

MD5
b7e47d0bbd8dbc4d4b498807434ac635

SHA1
9427c9b1a2df1f1dee46c8b44fd40cd7a7542adb

SHA256
c9b699219d4d887411f396b93dcbf1bf2e44af22b50236b29cee3fceca1f1699

SHA512
6237af603af6d319c6cbe8220e2c26a89f09c4277fface6836a3c213228da105f6671e2a0ad7412500e9e32a69a4883a705e068dbb48662f9e6471fa6a781f12

Download Submit
memory/704-27-0x00000000005F0000-0x000000000066C000-memory.dmp

Filesize
496KB

Download
memory/704-17-0x00000000005F0000-0x000000000066C000-memory.dmp

Filesize
496KB

Download
memory/704-10-0x00000000005F0000-0x000000000066C000-memory.dmp

Filesize
496KB

Download
memory/3304-14-0x00000000008D0000-0x000000000094C000-memory.dmp

Filesize
496KB

Download
memory/3304-0-0x00000000008D0000-0x000000000094C000-memory.dmp

Filesize
496KB

Download
memory/3812-26-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3812-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3812-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3812-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3812-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3812-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3812-34-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download