Overview

overview

10

Static

static

10

2025-04-04...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/04/2025, 05:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-04_1c8db64c5096333fd8611b61772af10b_amadey_rhadamanthys_smoke-loader.exe

  • Size

    440KB

  • MD5

    1c8db64c5096333fd8611b61772af10b

  • SHA1

    3626d7e04e9a22eb2f6777c6dde26e87bb1e694d

  • SHA256

    def73dae6c799c93024d3379b1c3e13c9dae016c11727b7b5429db8835a2f2d6

  • SHA512

    2a5c9b840a04ba440d62376b5f83a3a829780013a3e05fd18b561782b975cee81ace9cdbd98bc51a44f7be2910602dbbd754fb53e4f3e6b36d69a8c04971e344

  • SSDEEP

    6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjk:oMpASIcWYx2U6hAJQnP

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-04_1c8db64c5096333fd8611b61772af10b_amadey_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_1c8db64c5096333fd8611b61772af10b_amadey_rhadamanthys_smoke-loader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\nopuo.exe
      "C:\Users\Admin\AppData\Local\Temp\nopuo.exe" hi
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3660
      • C:\Users\Admin\AppData\Local\Temp\ogtoad.exe
        "C:\Users\Admin\AppData\Local\Temp\ogtoad.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3308
        • C:\Users\Admin\AppData\Local\Temp\ubyxf.exe
          "C:\Users\Admin\AppData\Local\Temp\ubyxf.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:5428
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3240
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4356

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    364B

    MD5

    23a456b1c04014150056af02ecf3f27e

    SHA1

    7f5fc32628fb217df7a68841778f9f0ff78cf2d6

    SHA256

    88a0874ba9e63849c036209e734f47a445b6f93cadd68891bcf9578416164e44

    SHA512

    24ebc897fce5d51ded80e7ac0decb484bdc26127f2309c6bfa59d4ecd11a201228796de85b1d20f03ff40b6179f71ee3db0be6a8c146b8a08132d4346e720f5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    224B

    MD5

    f77fbacb034d93b4a66410bc285030d7

    SHA1

    31d16478d19382d0cefe0eb33ac17ae4361ac8fe

    SHA256

    95a4090bc7f9d14c507dfb6f5532750709c86ce441bdafa28f66f663d1dc0e9e

    SHA512

    0695889683229ef4478964b7b201a76e3939c4b78778021c6baff200ca211fa045e3f58d5487a2e0f23db958f31498ae27bdb72896f57299e69eef9aa893e814

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    378f5a1b2bce843d9da03feac75548ba

    SHA1

    c68a4a45302a4fe5194503fdebfda62eead6e7a6

    SHA256

    e0f531aa89791bfeedd8472b81ee4d5f90eddefbe41b472e280c52fef932728d

    SHA512

    0cadbeba471d1d97ab9694391082cc52200036940cd070638d3605e640e351af7b8708fcf78db603923d084bb19e358fa9262752e7873e57ba583d5496cf0531

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nopuo.exe
    Filesize

    441KB

    MD5

    37cbab08abd6c230b8b13943c1c277d7

    SHA1

    b7be0b44fb64549acf06ef0a9e0334d1f4957381

    SHA256

    c8172ccbba49e8d60ade217850f2ee9d7af6e2a0f42856d508fa4134a4816ae9

    SHA512

    597abb356ebaff3a88fdd26da4a4734f2f4a598c8f5acd47f700de8d41eb9486eb5720d36ed52fbf357825546b6c3aba1901a8809fef5b019bba4e4ab4b11169

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ogtoad.exe
    Filesize

    441KB

    MD5

    93867f3a5d9d996c009f3f6bf9c2643f

    SHA1

    462e3d9401b079bc693d707c1b210d23df2bbfa2

    SHA256

    dc49bc94cd8c4295456f1395ebfd79c5f774e2f781ef8343bc98e3124aa9676b

    SHA512

    b7c98ae66bc86d959384c325935bef5a59abf8caa6ca0e5f43a7d098808d97be50dc46532119c5a2b346aee25bb495fd81cb32eca5674bf239e7200cc0627fb1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ubyxf.exe
    Filesize

    223KB

    MD5

    0e9f07fc4c1d2c2be8e95ebb0c2e972e

    SHA1

    a0380e5170a8eedb1b2be04af20709f4615c27e0

    SHA256

    cff2fdbfcbbd2144e50d201892bc027d25c8af8de4daa9d99e72f686207550d2

    SHA512

    b5c524f31cff5cfb7cac615ca958f2b300e040dd652ec4e994d21d350db92079524d62b33b3a4b73c8b246eee3fe925dca1e519dc71b0d182aa346db84b1ba5d

    Download Submit

  • memory/2648-0-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/2648-14-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3308-25-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3308-38-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3660-24-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/5428-35-0x0000000000FF0000-0x0000000001090000-memory.dmp

    Filesize

    640KB

    Download

  • memory/5428-41-0x0000000000FF0000-0x0000000001090000-memory.dmp

    Filesize

    640KB

    Download

  • memory/5428-42-0x0000000000FF0000-0x0000000001090000-memory.dmp

    Filesize

    640KB

    Download

  • memory/5428-43-0x0000000000FF0000-0x0000000001090000-memory.dmp

    Filesize

    640KB

    Download

  • memory/5428-44-0x0000000000FF0000-0x0000000001090000-memory.dmp

    Filesize

    640KB

    Download

  • memory/5428-45-0x0000000000FF0000-0x0000000001090000-memory.dmp

    Filesize

    640KB

    Download