urelas | b60e72880976381a40581a44490c9f907fb4ef75bc8527a36697f20b6d719164

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe
Size

461KB
MD5

1f01035c9416593a37ef082c83ee4bbc
SHA1

4066b194b99c52dad1a54367a1b2c7d761e467f3
SHA256

b60e72880976381a40581a44490c9f907fb4ef75bc8527a36697f20b6d719164
SHA512

f48e6c1f50c8118e0c9a5ced92ebcac54baf191554fe325a4bb84b0d898ee478c09c147e1b4fa63831a1608bbcf0acfdffe3a4c09ed2001c139852a4d9668384
SSDEEP

6144:LEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFRdm7:LMpASIcWYx2U6hAJQnV

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dufor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	cynyju.exe

Executes dropped EXE 3 IoCs

pid	Process
224	dufor.exe
4348	cynyju.exe
3436	xomek.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dufor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cynyju.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xomek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe
3436	xomek.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 224	2908	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe	86
PID 2908 wrote to memory of 224	2908	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe	86
PID 2908 wrote to memory of 224	2908	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe	86
PID 2908 wrote to memory of 2328	2908	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe	87
PID 2908 wrote to memory of 2328	2908	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe	87
PID 2908 wrote to memory of 2328	2908	2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe	87
PID 224 wrote to memory of 4348	224	dufor.exe	90
PID 224 wrote to memory of 4348	224	dufor.exe	90
PID 224 wrote to memory of 4348	224	dufor.exe	90
PID 4348 wrote to memory of 3436	4348	cynyju.exe	110
PID 4348 wrote to memory of 3436	4348	cynyju.exe	110
PID 4348 wrote to memory of 3436	4348	cynyju.exe	110
PID 4348 wrote to memory of 5832	4348	cynyju.exe	111
PID 4348 wrote to memory of 5832	4348	cynyju.exe	111
PID 4348 wrote to memory of 5832	4348	cynyju.exe	111

C:\Users\Admin\AppData\Local\Temp\2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_1f01035c9416593a37ef082c83ee4bbc_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\dufor.exe
  "C:\Users\Admin\AppData\Local\Temp\dufor.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\cynyju.exe
    "C:\Users\Admin\AppData\Local\Temp\cynyju.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\xomek.exe
      "C:\Users\Admin\AppData\Local\Temp\xomek.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:5832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
364B

MD5
4f705f9b1a23291fc228783efd55fb5a

SHA1
1e90757da21a19a6d2053a2e52a8e5569d404204

SHA256
fe677c22507f49e20e89bcad8c9232ea95bab9f272690eb14e5f3a66019a18d3

SHA512
440dc36bde4f32ee6cc4eb3d84d832f3986daed4991794c22ea2bfa8b8e0b09b4df7c016d25860217f27a77f5ce97f903b37dcee0705786ead9fa43d97c1ed60

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
48366e66c36efcbe08c292ddc7cf5d0b

SHA1
df059db8eee0a758352d2c9c40bf7282369721c5

SHA256
ec3b5aecde03dc11b2137fabe4ac5900f05186284ddc1b236fc3f3d658959738

SHA512
a0367acbc9565ab4741b99a398e8e5f90e74301ce2ecf9369137e098272bbc287b8ea82cd232b056277bada56e5f8bd73a260f2c331a763f40b2774640cee24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cynyju.exe

Filesize
461KB

MD5
6f87bb34972f7ad159b4e730e42ce99b

SHA1
536e5daaf3663f1c26d9f1cac291edc812116ce8

SHA256
ad7a0c315cf2b9c00fa046352c51ba56b8c5945a08fc0458266a9c8eb5eaf05e

SHA512
cccc9319156453c09652bb853ee59fea5963983f6d9a73c04499d5e16b539199fd5bb001908b7c6798aa4100f638ef0aea40bab650d544fd4ee13f6821f25534

Download Submit
C:\Users\Admin\AppData\Local\Temp\dufor.exe

Filesize
461KB

MD5
9da5ec512194a5a0857255d9e9a64c6f

SHA1
6b8c557824d9b053ae0b6786e7d642243bedf545

SHA256
68385e9f722b856819383daae5c6ffe7aedbc5a621ecbdc8f793d9df49320aa8

SHA512
d0aac24562a22150ada5f42f43c14404ef97840cdfe7c0a0b5f7553748b55c965ce3398b0b0a5e9f3f75552077ad2ec0b9a3bad4b966fcfe9dcbd697f23d8b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fae3841fd0b5ba682691ebb795f47419

SHA1
d25847f10258e57955713903cd9cd8c7310a9c3d

SHA256
4e7abc899312701a62cbfa3992b50a9d40dc0fe3baa146409f89251599c9ca8a

SHA512
651b4302a120d9d7e26ccbb2aac8cdcdc3002b2befe45487b27b937c782f45b4cb55ab3560cae2d566ab183f3ed8e1d77f3d9f8bf11f99b62d0b5b73154370bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xomek.exe

Filesize
223KB

MD5
fec3d0270895f1a924a71797da39c0e7

SHA1
30c15289b17084e278db5d27a43c5c1ce99721ee

SHA256
88159df484d7661117bfb9a4c5d4018a9b8dd211446abe22e04847fc617c7062

SHA512
7ccaec1ecd6078f5cd29bd19347c3371c535b42a58a8ed3be1557eb618690cdac55c43d07ce58f59f4a4cd50ac413ffe2cd442567be69f9c2b9647f145aee832

Download Submit
memory/224-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2908-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2908-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3436-43-0x0000000000C50000-0x0000000000CF0000-memory.dmp

Filesize
640KB

Download
memory/3436-37-0x0000000000C50000-0x0000000000CF0000-memory.dmp

Filesize
640KB

Download
memory/3436-42-0x0000000000C50000-0x0000000000CF0000-memory.dmp

Filesize
640KB

Download
memory/3436-44-0x0000000000C50000-0x0000000000CF0000-memory.dmp

Filesize
640KB

Download
memory/3436-45-0x0000000000C50000-0x0000000000CF0000-memory.dmp

Filesize
640KB

Download
memory/3436-46-0x0000000000C50000-0x0000000000CF0000-memory.dmp

Filesize
640KB

Download
memory/4348-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4348-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4348-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download