urelas | c17f935c7a26f36ed26ffe807033054469869841ce7ca49ff08104f7f6f7cce3

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_40c30e9a08fa24da8610a9def50e51bd_amadey_smoke-loader.exe
Size

790KB
MD5

40c30e9a08fa24da8610a9def50e51bd
SHA1

afbcb07801aca53750b920e191a5a910fa76de0f
SHA256

c17f935c7a26f36ed26ffe807033054469869841ce7ca49ff08104f7f6f7cce3
SHA512

6b2e8530a90fab68e2b7fe9796c7518409841c16a2ca84179124542ca6178174ab716099cb0916d5b14a05d523fea13b18e8516ad6cb4f2a62cefc3fc9d63720
SSDEEP

12288:dccNvdRExZGe+Q1nzPAlDqfJZTvfTRTWkI42gqmoWkI094og2GXfJKnbkS3LdAPp:dnPfQpzyD8ZTn8kZ2gqAkI094vOkSCLl

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	2025-04-04_40c30e9a08fa24da8610a9def50e51bd_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	qujok.exe

Executes dropped EXE 2 IoCs

pid	Process
4832	qujok.exe
3524	jupax.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jupax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_40c30e9a08fa24da8610a9def50e51bd_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qujok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe
3524	jupax.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 4832	464	2025-04-04_40c30e9a08fa24da8610a9def50e51bd_amadey_smoke-loader.exe	89
PID 464 wrote to memory of 4832	464	2025-04-04_40c30e9a08fa24da8610a9def50e51bd_amadey_smoke-loader.exe	89
PID 464 wrote to memory of 4832	464	2025-04-04_40c30e9a08fa24da8610a9def50e51bd_amadey_smoke-loader.exe	89
PID 464 wrote to memory of 5568	464	2025-04-04_40c30e9a08fa24da8610a9def50e51bd_amadey_smoke-loader.exe	90
PID 464 wrote to memory of 5568	464	2025-04-04_40c30e9a08fa24da8610a9def50e51bd_amadey_smoke-loader.exe	90
PID 464 wrote to memory of 5568	464	2025-04-04_40c30e9a08fa24da8610a9def50e51bd_amadey_smoke-loader.exe	90
PID 4832 wrote to memory of 3524	4832	qujok.exe	109
PID 4832 wrote to memory of 3524	4832	qujok.exe	109
PID 4832 wrote to memory of 3524	4832	qujok.exe	109

C:\Users\Admin\AppData\Local\Temp\2025-04-04_40c30e9a08fa24da8610a9def50e51bd_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_40c30e9a08fa24da8610a9def50e51bd_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:464
- C:\Users\Admin\AppData\Local\Temp\qujok.exe
  "C:\Users\Admin\AppData\Local\Temp\qujok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\jupax.exe
    "C:\Users\Admin\AppData\Local\Temp\jupax.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
0cf027b9a03632b1e50dbfd98d515df4

SHA1
32bc30e54d058cce0bdf90852f61bc43c2016726

SHA256
9386e1702b8ae9fa3caf5e0057aa3dcac8111bf66cccc46b84ce2c8df9bd40fa

SHA512
9eaf4ffe934b6b2ad9a44fbb69c9fc89bccee11e09883fdf3371dfce3cc811b0e5617d9444ac1fccdb9d171e695db9c2020ab3f66aed5a24659ec5d079b6a552

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2847d490dfbda0e1a615f1e2afc8232d

SHA1
4c6171e2e2a86222835d193e723a14a20f3d6f1a

SHA256
dc5cc01baae157cf11b135ccbfbe7198c55c3cfdfb0f50f642802d996ed98cf4

SHA512
9ded2f0af4ea7ebc0cdc1b075e8e73ecb67050c93e5097e4750f58e88c5b4fd977353e83fa6ef7aa18a7aec41c4caff884f7ce6c7a32b56fcde7dcb4a3d2cba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jupax.exe

Filesize
176KB

MD5
82886818df500eae4c5d2e44797aa3c2

SHA1
87fd98ea6a8af929c53504eb1340517fb8e34283

SHA256
38082c0eb0eb51877d5ee80b4615b978e1c3a9219946d66f4a9c7c89880e6467

SHA512
b79de34993341614db0db6a18baab4520c29aab0bdbe0a2896e44b971ee939fe1f337911c5451c3496499c1d206fc82db71e52351fbb6f5983a5f06467c557b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qujok.exe

Filesize
790KB

MD5
08b14c461aa01936cd5b805ca9abdba0

SHA1
3bf10d04e973a3d9042c4dafcaf5f0cd5bb69b6c

SHA256
c926a57d9978c32a25ff2dae8083b23822ebd464ed15ae6cb0bf53d7c2bf9842

SHA512
42bc35c89fbb5fe09b8b12a865751d52729fcddaf9cd0a297735048f876a7d4c61770a00f58bde639bf1fadf47049a3142c7d966c451c4637a4d69113daadca1

Download Submit
memory/464-0-0x0000000000380000-0x000000000044C000-memory.dmp

Filesize
816KB

Download
memory/464-14-0x0000000000380000-0x000000000044C000-memory.dmp

Filesize
816KB

Download
memory/3524-27-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download
memory/3524-26-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3524-31-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download
memory/3524-30-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3524-32-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3524-33-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3524-34-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3524-35-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4832-17-0x0000000000720000-0x00000000007EC000-memory.dmp

Filesize
816KB

Download
memory/4832-10-0x0000000000720000-0x00000000007EC000-memory.dmp

Filesize
816KB

Download
memory/4832-28-0x0000000000720000-0x00000000007EC000-memory.dmp

Filesize
816KB

Download