urelas | a78d8d25db8bcadb54f4d251bd121d66c16e90847c9314ffc9cdfb95337b3308

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe
Size

480KB
MD5

c7ff8e6487123fbb371b360f82d7415f
SHA1

dd4da90cdd7a667ccff3d3396b9b41f2c805b733
SHA256

a78d8d25db8bcadb54f4d251bd121d66c16e90847c9314ffc9cdfb95337b3308
SHA512

09002f2c8d8032d7cef6dfbc3fb006f91e0de71a14313c1b7c1067731be850105cb72533c028ad8c0cb222cf5d75314c871d55432713ad1c31a960740305565f
SSDEEP

6144:wqXAoQT5Tr9R0HN/3w36EnCYLTcz6MY5NYnE/QhyjxJBErrZAWkPW5oeNtLjpVOf:TQRI/3w36EnCYcFE/iydJai/WZtc

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	gioze.exe

Executes dropped EXE 2 IoCs

pid	Process
5840	gioze.exe
2040	tupob.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000022997-20.dat	upx
behavioral1/memory/2040-23-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2040-26-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2040-27-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2040-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2040-29-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2040-30-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2040-31-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gioze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tupob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe
2040	tupob.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5668 wrote to memory of 5840	5668	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe	91
PID 5668 wrote to memory of 5840	5668	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe	91
PID 5668 wrote to memory of 5840	5668	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe	91
PID 5668 wrote to memory of 4480	5668	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe	92
PID 5668 wrote to memory of 4480	5668	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe	92
PID 5668 wrote to memory of 4480	5668	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe	92
PID 5840 wrote to memory of 2040	5840	gioze.exe	111
PID 5840 wrote to memory of 2040	5840	gioze.exe	111
PID 5840 wrote to memory of 2040	5840	gioze.exe	111

C:\Users\Admin\AppData\Local\Temp\2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5668
- C:\Users\Admin\AppData\Local\Temp\gioze.exe
  "C:\Users\Admin\AppData\Local\Temp\gioze.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5840
- - C:\Users\Admin\AppData\Local\Temp\tupob.exe
    "C:\Users\Admin\AppData\Local\Temp\tupob.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
c4b345ed1b27cdeabeb149158895dfb8

SHA1
8e99acfc007960f55ffc306b0552bef11530c15e

SHA256
0e49545915cce49a3ee82504072a7266fd2ce81bf617f8779841bf64393e28ac

SHA512
b6bdc6625d10bce7d9287fc2f3fe7e3256f18d331e0c65343164d352df2080bbb0fd9540e6a6eebfa477f05f1e7d98ab852f88a26a28ec8a10dce0270c873717

Download Submit
C:\Users\Admin\AppData\Local\Temp\gioze.exe

Filesize
480KB

MD5
591b7ad3fb158838b68f6b1d624228ad

SHA1
928b597a5559198e1b0fa9710c26db71aaa1d0e6

SHA256
3e14290a912100994551b703ec2904f677c27257bdbb8866963448e3d4f35d68

SHA512
6e4fd26a90b04602ac3a70865393fc6808d534ac6e94325c519b894a57cf84c29090b84862104c7405edb3c20d6882f3e382055dc4fbcf9a2b4d769ec7640c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6849f55f408e386efa76516dcb1a4262

SHA1
094c81c410fe7f3d1702a48e89a030dc49d3e47d

SHA256
60188287fa9a12cb5f633d60827860111a84c04176520adf6ebb7a1bae49773d

SHA512
166ac972540a27ed1f98e3f534894e9f6e5bc5c25fb91ec0c2a93d3f6af0ff1d1c3d80c1d5a98b2ed7ebbf892f5da9978d3d69959ac9437d8c601dce7f888c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\tupob.exe

Filesize
209KB

MD5
1f6f2d779de5be741e7f708a7504b0f5

SHA1
938ec87dac48bf0c99f10da42802824740259982

SHA256
549f1105497dc187a0b06ff2b517157956b0f218675e68e9bdfd57a40033c6ca

SHA512
70223e435e0895c3c9aef72efbc4d4ce4bad444acf7da769d2719ddb6dd8ee608e966311e349b8ea333a247d4f55c87887221b208857ef0036e44f97b2568098

Download Submit
memory/2040-23-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2040-26-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2040-27-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2040-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2040-29-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2040-30-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2040-31-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/5668-0-0x00000000007C0000-0x000000000083F000-memory.dmp

Filesize
508KB

Download
memory/5840-12-0x0000000000DA0000-0x0000000000E1F000-memory.dmp

Filesize
508KB

Download