Overview

overview

10

Static

static

10

2025-04-04...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/04/2025, 05:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-04_0958b2bb6a1678f7316b19c706d80325_amadey_rhadamanthys_smoke-loader.exe

  • Size

    461KB

  • MD5

    0958b2bb6a1678f7316b19c706d80325

  • SHA1

    a59ce8ead8e60c1fdd17e401d84c227ad4dec36d

  • SHA256

    80cb2dc2776d228c7d9229c6ac22278bbda0eb57978d164188bf1328ef18c12b

  • SHA512

    1a480c4b637375ea3c112964089253f28a40c1feb47e91163a56bba397dad5639e381fdcdacea6d43e8b210c5c23a5859e276347799b5751ab597caeaae7c296

  • SSDEEP

    6144:LEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFRdm/:LMpASIcWYx2U6hAJQnZ

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-04_0958b2bb6a1678f7316b19c706d80325_amadey_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_0958b2bb6a1678f7316b19c706d80325_amadey_rhadamanthys_smoke-loader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Users\Admin\AppData\Local\Temp\ufyzk.exe
      "C:\Users\Admin\AppData\Local\Temp\ufyzk.exe" hi
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Users\Admin\AppData\Local\Temp\qyneco.exe
        "C:\Users\Admin\AppData\Local\Temp\qyneco.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1000
        • C:\Users\Admin\AppData\Local\Temp\noniz.exe
          "C:\Users\Admin\AppData\Local\Temp\noniz.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2136
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4856
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2272

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    364B

    MD5

    d2ea81f30b8e4a3d5055b0d33cc90aa5

    SHA1

    9fccf1a46983dacc6cb1d30bec0df29033c68cfa

    SHA256

    d21f3a78669f476321e1f5cad64189117870a6afa4de2119f2d285d32363fffd

    SHA512

    728a2f891759797f8f35fa7f10f89e36c26eac1c3dce2fe8b886c9cfc801b7206451e694e438cbf197fd5052a7c416674817f32347b83443a452d465cac90c34

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    224B

    MD5

    aea0dc4acdf802384e8a96a839de7c00

    SHA1

    c3f94d48d30ab40fc880859c15bcf84ac7fe1044

    SHA256

    2c18cfd48be22b836b6d7312ed7addab8c646cce16d201426f9373b384fcd38a

    SHA512

    d83e5e1e024468f6287e08fa0d8d5cf1723cbe961b34f75114c737bc03f2168dd8ef9bf2ce790d9f4b3c44cc0fe0fddb275b47f6f6273bedb8361b58dec09fc1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    2b6a732c4d063774086212991b2b882d

    SHA1

    8d5f61ff356702d95fdffa664318ca9aa324b6cb

    SHA256

    667bb314ff741c11f2baee0f97dbe18f9a1b2edf25a5e6141e8fd8b191e3f153

    SHA512

    8f2c406902163c9df7ccc33b04ba6be1317a5b126692b086d66b4350748e0a7716538610f8fa68550abc16220e93172fd88d9d9a8fb776f04d7cd0a2f674bb6d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\noniz.exe
    Filesize

    223KB

    MD5

    19a19a30f08b2fd72ab9e5b734612e9e

    SHA1

    b3e44c871999957cfd486fd8d02e582c37ec833a

    SHA256

    39fe706d716eea598c11f90288f2815a3feab83de749c1055f4a84fa38faedf6

    SHA512

    ef57f50df1468ca165a44ad090546d09fb2616a6931668af10b7cd2b7f27407e88ad44fd962c74fc601fda55bd283013bdb5778c72e2ee47d01b70eaefb63d72

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\qyneco.exe
    Filesize

    461KB

    MD5

    8b2d030953820e60770304d340a87b4e

    SHA1

    8a4cc42fcc66d28153273e57faac8e0ca0cdc861

    SHA256

    2c481cf76d9e137a849293586d73be36b87c5e5a833e2d5987d9a61a5faf4da1

    SHA512

    d9533c3a288ab121526ace19f662cb956230a7aa245a7c064ca0bfd2088308efbc6510659d7781e0e9a314b7ccf56a10d10542c458441dd4c6582c29f8eaab35

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ufyzk.exe
    Filesize

    461KB

    MD5

    cd94a09e05dcdebf0af613ab6c534a35

    SHA1

    734b35b9457f33da53b7f13ef7d66edc04cdadf9

    SHA256

    8527e508127c824f38e7a8abafb1218d1679981fdbbff9cb8d3701855d26a42c

    SHA512

    c4e58b837d6eae40ea44845c454931ac013ae041aca37792e8b8ecbadc59956eecf3fc41964023fdf5b753534e73df216a65b3220f4706ce113a90f84b0779ca

    Download Submit

  • memory/1000-38-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1000-25-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/2136-36-0x0000000000AF0000-0x0000000000B90000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2136-41-0x0000000000AF0000-0x0000000000B90000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2136-42-0x0000000000AF0000-0x0000000000B90000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2136-43-0x0000000000AF0000-0x0000000000B90000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2136-44-0x0000000000AF0000-0x0000000000B90000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2136-45-0x0000000000AF0000-0x0000000000B90000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2564-24-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3944-0-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3944-14-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download