urelas | 7427a399fa439c45ddfd99875c31c814f180840c62ab5cf6d1985f0af91cc0b4

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_77394804b0f67cc3d22d4211ed753cec_amadey_rhadamanthys_smoke-loader.exe
Size

440KB
MD5

77394804b0f67cc3d22d4211ed753cec
SHA1

081176b33409e53f0440bb678525ae72dfa5396e
SHA256

7427a399fa439c45ddfd99875c31c814f180840c62ab5cf6d1985f0af91cc0b4
SHA512

350aa49f5255abb3369ecf1a89709c53151a311237b6d3a8d3677085dab41ffa437d51b6791854bc88353c3a61bd3a81d3ef4dd56bd77df86bb9b76e904263a5
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpj1:oMpASIcWYx2U6hAJQny

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	2025-04-04_77394804b0f67cc3d22d4211ed753cec_amadey_rhadamanthys_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	vuefr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	xupivo.exe

Executes dropped EXE 3 IoCs

pid	Process
4372	vuefr.exe
392	xupivo.exe
3928	ufmyw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_77394804b0f67cc3d22d4211ed753cec_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuefr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xupivo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ufmyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe
3928	ufmyw.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5132 wrote to memory of 4372	5132	2025-04-04_77394804b0f67cc3d22d4211ed753cec_amadey_rhadamanthys_smoke-loader.exe	86
PID 5132 wrote to memory of 4372	5132	2025-04-04_77394804b0f67cc3d22d4211ed753cec_amadey_rhadamanthys_smoke-loader.exe	86
PID 5132 wrote to memory of 4372	5132	2025-04-04_77394804b0f67cc3d22d4211ed753cec_amadey_rhadamanthys_smoke-loader.exe	86
PID 5132 wrote to memory of 3468	5132	2025-04-04_77394804b0f67cc3d22d4211ed753cec_amadey_rhadamanthys_smoke-loader.exe	87
PID 5132 wrote to memory of 3468	5132	2025-04-04_77394804b0f67cc3d22d4211ed753cec_amadey_rhadamanthys_smoke-loader.exe	87
PID 5132 wrote to memory of 3468	5132	2025-04-04_77394804b0f67cc3d22d4211ed753cec_amadey_rhadamanthys_smoke-loader.exe	87
PID 4372 wrote to memory of 392	4372	vuefr.exe	89
PID 4372 wrote to memory of 392	4372	vuefr.exe	89
PID 4372 wrote to memory of 392	4372	vuefr.exe	89
PID 392 wrote to memory of 3928	392	xupivo.exe	116
PID 392 wrote to memory of 3928	392	xupivo.exe	116
PID 392 wrote to memory of 3928	392	xupivo.exe	116
PID 392 wrote to memory of 2852	392	xupivo.exe	117
PID 392 wrote to memory of 2852	392	xupivo.exe	117
PID 392 wrote to memory of 2852	392	xupivo.exe	117

C:\Users\Admin\AppData\Local\Temp\2025-04-04_77394804b0f67cc3d22d4211ed753cec_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_77394804b0f67cc3d22d4211ed753cec_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5132
- C:\Users\Admin\AppData\Local\Temp\vuefr.exe
  "C:\Users\Admin\AppData\Local\Temp\vuefr.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\xupivo.exe
    "C:\Users\Admin\AppData\Local\Temp\xupivo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Users\Admin\AppData\Local\Temp\ufmyw.exe
      "C:\Users\Admin\AppData\Local\Temp\ufmyw.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
364B

MD5
5313136b9481cbe2ac1efd1d5a101c92

SHA1
0b268442e5d8406802bdfc0d167f415140107c25

SHA256
03e5bf46ca3f2c4ebc0ed9640318a2bb08891eeac58c51d8c3c8568ed4a5cadd

SHA512
92454f728a1a15a1695242ec852030baa496e68244c32db8ee0204617fbb9250adb43157460406719cd2a57acedba16371607c22a701ddf54c45bf7c5ba0d700

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
546aefa9be274691e611c90be110e0aa

SHA1
35a6a20b27326d218ea3f62935e2d89b28fcbc88

SHA256
38094ac596255370cee4354a68e6ac459f210b53034a739e0b841dbd36f53027

SHA512
7a93ed87b1690533c569108ebdd36b45a7cb33d79fe78c00c735b871ecd5356c445bf5f1c72c68a1d8b1cf0258574341f1a5d8abcf675d43847f0c0c473c5ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6025ae413d3e23ec83aa8b5eb284f7fe

SHA1
41bb3648e5bb9f1a1150e6a91fa5a2518905a602

SHA256
d30414274b8f966f967b2eafe8d49bbd5f169f6c9e1031ddb919df46909ab674

SHA512
8106d721f6e79fd1f8eb933cfcd57fd27f3cf92cb6399db9540ad6d4f129f7f1174e2732365f1227fca5a7c3e75791bf20f067e6cb5f213e5c347bbcfa15ac5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufmyw.exe

Filesize
223KB

MD5
3d87bbf35a3793a32422e86c0533d6ec

SHA1
ec3b0b1a1eb7f0dc19d984c691aaefcbdca1c731

SHA256
1286eb0d052c3a54fe5451b40fb65ea467b8ac25be6afcbcd056350b624889ce

SHA512
50ffb58df1a8ebc798be7a515edf0425f088d333f34b6ff17010cd77524db8c5f43f65f3e7e08a0213a1211723b282fcf5c42c5eba9fee6f48994ee7f698d8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuefr.exe

Filesize
440KB

MD5
0d999ca67728999b3f3461aa4f3aa64a

SHA1
57a98da4f320c7dd78102f87d1c64a06cdf3c284

SHA256
803e86601fab8f527ee0bd17f22051d4e5cc9dacd287bc48fde798c751d26a82

SHA512
7c0bb35ea00135ab390d9e8f99bbda4a91c5abca3025f5ea9c778a91839dba4e77b4c03a442460ed2e3bb184363abeb594a2aed52edc9c6580b89b00cf5eb6f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xupivo.exe

Filesize
441KB

MD5
701305878aeffebc42e1d57f5c05244c

SHA1
86d07732d424c5668904dbb6a4dc04dab2cc4fba

SHA256
da726b036836cc0aa513e29235a7afe029f8508c22b2e4c25c18cc0929333b83

SHA512
a3951908f76e0fa7ca02e26177a003a5b3cb4d514e016f750367121ec358eed48eeef2240884548753b740c5b77c78d7569873b010a17347d0552071f0d95bbb

Download Submit
memory/392-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/392-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3928-36-0x0000000000A60000-0x0000000000B00000-memory.dmp

Filesize
640KB

Download
memory/3928-41-0x0000000000A60000-0x0000000000B00000-memory.dmp

Filesize
640KB

Download
memory/3928-42-0x0000000000A60000-0x0000000000B00000-memory.dmp

Filesize
640KB

Download
memory/3928-43-0x0000000000A60000-0x0000000000B00000-memory.dmp

Filesize
640KB

Download
memory/3928-44-0x0000000000A60000-0x0000000000B00000-memory.dmp

Filesize
640KB

Download
memory/3928-45-0x0000000000A60000-0x0000000000B00000-memory.dmp

Filesize
640KB

Download
memory/4372-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5132-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5132-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download