urelas | a78d8d25db8bcadb54f4d251bd121d66c16e90847c9314ffc9cdfb95337b3308

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe
Size

480KB
MD5

c7ff8e6487123fbb371b360f82d7415f
SHA1

dd4da90cdd7a667ccff3d3396b9b41f2c805b733
SHA256

a78d8d25db8bcadb54f4d251bd121d66c16e90847c9314ffc9cdfb95337b3308
SHA512

09002f2c8d8032d7cef6dfbc3fb006f91e0de71a14313c1b7c1067731be850105cb72533c028ad8c0cb222cf5d75314c871d55432713ad1c31a960740305565f
SSDEEP

6144:wqXAoQT5Tr9R0HN/3w36EnCYLTcz6MY5NYnE/QhyjxJBErrZAWkPW5oeNtLjpVOf:TQRI/3w36EnCYcFE/iydJai/WZtc

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	tolyw.exe

Executes dropped EXE 2 IoCs

pid	Process
4520	tolyw.exe
5912	fusow.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000024074-20.dat	upx
behavioral1/memory/5912-23-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/5912-26-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/5912-27-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/5912-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/5912-29-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/5912-30-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/5912-31-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tolyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusow.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe
5912	fusow.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 4520	4324	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe	91
PID 4324 wrote to memory of 4520	4324	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe	91
PID 4324 wrote to memory of 4520	4324	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe	91
PID 4324 wrote to memory of 5220	4324	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe	92
PID 4324 wrote to memory of 5220	4324	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe	92
PID 4324 wrote to memory of 5220	4324	2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe	92
PID 4520 wrote to memory of 5912	4520	tolyw.exe	109
PID 4520 wrote to memory of 5912	4520	tolyw.exe	109
PID 4520 wrote to memory of 5912	4520	tolyw.exe	109

C:\Users\Admin\AppData\Local\Temp\2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_c7ff8e6487123fbb371b360f82d7415f_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Users\Admin\AppData\Local\Temp\tolyw.exe
  "C:\Users\Admin\AppData\Local\Temp\tolyw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\fusow.exe
    "C:\Users\Admin\AppData\Local\Temp\fusow.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
c4b345ed1b27cdeabeb149158895dfb8

SHA1
8e99acfc007960f55ffc306b0552bef11530c15e

SHA256
0e49545915cce49a3ee82504072a7266fd2ce81bf617f8779841bf64393e28ac

SHA512
b6bdc6625d10bce7d9287fc2f3fe7e3256f18d331e0c65343164d352df2080bbb0fd9540e6a6eebfa477f05f1e7d98ab852f88a26a28ec8a10dce0270c873717

Download Submit
C:\Users\Admin\AppData\Local\Temp\fusow.exe

Filesize
209KB

MD5
2e2ce98c23862424a3505419cd7fabf1

SHA1
4abe7c3fee5335ab2a13dc8949f8eedea3df88da

SHA256
42ad47107ee83b97981a07498bfe1552e395bedbe60f5a542d719c37593f52a5

SHA512
cd675856172f0cfba72a4ddf7928c91b102caa281f1bf1cea607126c25145922ae618f27108a7096267da127010634d4beff87243f22ed6c7d51e426263f770a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
956b8f7150580aa3aa81a6b9f985002a

SHA1
32f1133b87c9d2b74da6764d14774a23f46577e2

SHA256
ea351ff0f870e1ddfa7f15d9ba573ded98bf6f7a2865eafd17d1a216bf10027b

SHA512
bf871ad8af29c13baa270be651ae4761fe1f9c02b5ce2a99cc05d16076a0d195a09a24d07ca52f26d2768786d450a9045b5403572712493462dd669cdacc8284

Download Submit
C:\Users\Admin\AppData\Local\Temp\tolyw.exe

Filesize
480KB

MD5
654204fe82ded6ebbc33d83ceb3b230c

SHA1
6ca4a65c8dec7eb880c654e96e334ab4bdcbbd58

SHA256
15ed409b0815f2eeaaacd1dae3bd1470d86df1e89ebaf6fe04060ac285e47863

SHA512
d263461d60ce6e48625ee64633f1ecc84b870b0e14d9982d6d00d539cec4b6d050d3791ce139c031098d0fdce772d9d4e4035ca4970e30b1a2ceef9bdd4ee1b3

Download Submit
memory/4324-0-0x0000000000CC0000-0x0000000000D3F000-memory.dmp

Filesize
508KB

Download
memory/4520-13-0x0000000000F60000-0x0000000000FDF000-memory.dmp

Filesize
508KB

Download
memory/5912-23-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/5912-26-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/5912-27-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/5912-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/5912-29-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/5912-30-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/5912-31-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download