urelas | 95126a1672128dad1a603d5ecb315ce86d660d5935e0651773bec7a40d238b01

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_05b66e0338a21adaafe696ea30df8813_amadey_rhadamanthys_smoke-loader.exe
Size

440KB
MD5

05b66e0338a21adaafe696ea30df8813
SHA1

3d1727a3c91b5390da7316d5ae598be72a0c0687
SHA256

95126a1672128dad1a603d5ecb315ce86d660d5935e0651773bec7a40d238b01
SHA512

92c40dea22407ddc660db1d82ad87bdac2695f315092c67f83cdb9286224ac66d017dca3a11b7d4dec4f5abe8119d04fa27a02798af4c7819eed8585e7ff55c7
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpj2:oMpASIcWYx2U6hAJQnP

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	2025-04-04_05b66e0338a21adaafe696ea30df8813_amadey_rhadamanthys_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	oznur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	godaes.exe

Executes dropped EXE 3 IoCs

pid	Process
2416	oznur.exe
4816	godaes.exe
1700	liwon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liwon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_05b66e0338a21adaafe696ea30df8813_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oznur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	godaes.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe
1700	liwon.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2416	1972	2025-04-04_05b66e0338a21adaafe696ea30df8813_amadey_rhadamanthys_smoke-loader.exe	86
PID 1972 wrote to memory of 2416	1972	2025-04-04_05b66e0338a21adaafe696ea30df8813_amadey_rhadamanthys_smoke-loader.exe	86
PID 1972 wrote to memory of 2416	1972	2025-04-04_05b66e0338a21adaafe696ea30df8813_amadey_rhadamanthys_smoke-loader.exe	86
PID 1972 wrote to memory of 3200	1972	2025-04-04_05b66e0338a21adaafe696ea30df8813_amadey_rhadamanthys_smoke-loader.exe	87
PID 1972 wrote to memory of 3200	1972	2025-04-04_05b66e0338a21adaafe696ea30df8813_amadey_rhadamanthys_smoke-loader.exe	87
PID 1972 wrote to memory of 3200	1972	2025-04-04_05b66e0338a21adaafe696ea30df8813_amadey_rhadamanthys_smoke-loader.exe	87
PID 2416 wrote to memory of 4816	2416	oznur.exe	89
PID 2416 wrote to memory of 4816	2416	oznur.exe	89
PID 2416 wrote to memory of 4816	2416	oznur.exe	89
PID 4816 wrote to memory of 1700	4816	godaes.exe	111
PID 4816 wrote to memory of 1700	4816	godaes.exe	111
PID 4816 wrote to memory of 1700	4816	godaes.exe	111
PID 4816 wrote to memory of 2604	4816	godaes.exe	112
PID 4816 wrote to memory of 2604	4816	godaes.exe	112
PID 4816 wrote to memory of 2604	4816	godaes.exe	112

C:\Users\Admin\AppData\Local\Temp\2025-04-04_05b66e0338a21adaafe696ea30df8813_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_05b66e0338a21adaafe696ea30df8813_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\oznur.exe
  "C:\Users\Admin\AppData\Local\Temp\oznur.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\godaes.exe
    "C:\Users\Admin\AppData\Local\Temp\godaes.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Users\Admin\AppData\Local\Temp\liwon.exe
      "C:\Users\Admin\AppData\Local\Temp\liwon.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
364B

MD5
71a1684ea0661417e6a058914764e90a

SHA1
a629ba492df0293d88b067198706e47d0b8d0f14

SHA256
7f88ad01c05310930fc31b489df0e81e885b9f9e601e05204549bd781b84b6ff

SHA512
69188899a0d927d651d47a914bdf7fb2a19459012ffcfd0f7e0a0262e3ac261e8f584976e9b259c77b8aaa80435ed0466e6afcfb2e5622d644db5b5a4c2e168d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
4f5e243db4c3fc2681e18ab14053eac6

SHA1
ffc403dce7f49dcb9c65915a0040e61e4dbba6df

SHA256
c18aa2dfb8a898041bd478dd03939a1371ba4df0346a4cef57b4aea21a2b6583

SHA512
b3c79c88085fe9bd56a662e6e843fc3cfab901d6481a97c5677b9ff8ed2df3d6e5a17adf24ea95b0e902ae5a7904503677ef667af9ad48270c0ee5812cc2d528

Download Submit
C:\Users\Admin\AppData\Local\Temp\godaes.exe

Filesize
441KB

MD5
eaa3a59927df4e5466a2b985fe705098

SHA1
67bfc7712a0d0b05fdcbb707f708c341b0a1c1e0

SHA256
c5ef5f191ecedc0ceae07d7e255bbc467f001605d0b3f3c793635bdeaeed3dde

SHA512
f0d3eb3b9c454eff9fed33633e9d4ab5b2684f5f747081fcb3af0022d70883439dae0d6826c3ee42500da23c381baee5866c9668eb148471acb3f858065eb15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2ffb9dbc9e83dee765bb1568be6da2bf

SHA1
c51f5b41098ddfffa37d6dfb285732f53f743361

SHA256
3afc884230f24f8bfe61af3a028cfa9fa4c4777126b916ae0c2797c5ba70896d

SHA512
2e2f005f974e5202f74dea81312b318e6987973e17f5b22929e9dcd6a27552479972f8e3406699ce475ca7d2f059dbd54cabc501087696e0e9de74f3cf5cd270

Download Submit
C:\Users\Admin\AppData\Local\Temp\liwon.exe

Filesize
223KB

MD5
2ce9f2e2f14d3b165b80ba904b63a825

SHA1
9f1643750262c1d3f13a198d4455263cd145b7c5

SHA256
c2b598364e1ca20a9fb09492ec4fdff1a319564d85f245133c7345a5b554cf76

SHA512
6aaecdeef2c99ecf2642570946e0b4495299bdcd5b0f1fcbc62cd66a0dae4e39b4aa83d45e10512813fc274af989220e72c37dbda50f06361e0b229451eb7eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oznur.exe

Filesize
441KB

MD5
4c0aaef81b71da1306b2fc21e6869310

SHA1
c2a600a3ab681d96daa26b3bc9e0f4c0869bc043

SHA256
8bfa4a92568c311abcd9512b64bd42ec51ac43757a52359a189492a62fe5a44d

SHA512
f42ae91508bdec749f9fac9a29151cff04f23458f1756b27f728800500ccbe3dd566353ad95eef3c0f22f9bf49e05cb26299758e8c83ccd2b9107df914e69bc4

Download Submit
memory/1700-46-0x0000000000320000-0x00000000003C0000-memory.dmp

Filesize
640KB

Download
memory/1700-45-0x0000000000320000-0x00000000003C0000-memory.dmp

Filesize
640KB

Download
memory/1700-44-0x0000000000320000-0x00000000003C0000-memory.dmp

Filesize
640KB

Download
memory/1700-43-0x0000000000320000-0x00000000003C0000-memory.dmp

Filesize
640KB

Download
memory/1700-42-0x0000000000320000-0x00000000003C0000-memory.dmp

Filesize
640KB

Download
memory/1700-38-0x0000000000320000-0x00000000003C0000-memory.dmp

Filesize
640KB

Download
memory/1972-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1972-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2416-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2416-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4816-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4816-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download