urelas | 80cb2dc2776d228c7d9229c6ac22278bbda0eb57978d164188bf1328ef18c12b

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_0958b2bb6a1678f7316b19c706d80325_amadey_rhadamanthys_smoke-loader.exe
Size

461KB
MD5

0958b2bb6a1678f7316b19c706d80325
SHA1

a59ce8ead8e60c1fdd17e401d84c227ad4dec36d
SHA256

80cb2dc2776d228c7d9229c6ac22278bbda0eb57978d164188bf1328ef18c12b
SHA512

1a480c4b637375ea3c112964089253f28a40c1feb47e91163a56bba397dad5639e381fdcdacea6d43e8b210c5c23a5859e276347799b5751ab597caeaae7c296
SSDEEP

6144:LEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFRdm/:LMpASIcWYx2U6hAJQnZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	puyxzo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	2025-04-04_0958b2bb6a1678f7316b19c706d80325_amadey_rhadamanthys_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fyvyg.exe

Executes dropped EXE 3 IoCs

pid	Process
820	fyvyg.exe
4788	puyxzo.exe
1768	qocon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_0958b2bb6a1678f7316b19c706d80325_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fyvyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puyxzo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qocon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe
1768	qocon.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 820	1944	2025-04-04_0958b2bb6a1678f7316b19c706d80325_amadey_rhadamanthys_smoke-loader.exe	88
PID 1944 wrote to memory of 820	1944	2025-04-04_0958b2bb6a1678f7316b19c706d80325_amadey_rhadamanthys_smoke-loader.exe	88
PID 1944 wrote to memory of 820	1944	2025-04-04_0958b2bb6a1678f7316b19c706d80325_amadey_rhadamanthys_smoke-loader.exe	88
PID 1944 wrote to memory of 3720	1944	2025-04-04_0958b2bb6a1678f7316b19c706d80325_amadey_rhadamanthys_smoke-loader.exe	89
PID 1944 wrote to memory of 3720	1944	2025-04-04_0958b2bb6a1678f7316b19c706d80325_amadey_rhadamanthys_smoke-loader.exe	89
PID 1944 wrote to memory of 3720	1944	2025-04-04_0958b2bb6a1678f7316b19c706d80325_amadey_rhadamanthys_smoke-loader.exe	89
PID 820 wrote to memory of 4788	820	fyvyg.exe	91
PID 820 wrote to memory of 4788	820	fyvyg.exe	91
PID 820 wrote to memory of 4788	820	fyvyg.exe	91
PID 4788 wrote to memory of 1768	4788	puyxzo.exe	111
PID 4788 wrote to memory of 1768	4788	puyxzo.exe	111
PID 4788 wrote to memory of 1768	4788	puyxzo.exe	111
PID 4788 wrote to memory of 4976	4788	puyxzo.exe	112
PID 4788 wrote to memory of 4976	4788	puyxzo.exe	112
PID 4788 wrote to memory of 4976	4788	puyxzo.exe	112

C:\Users\Admin\AppData\Local\Temp\2025-04-04_0958b2bb6a1678f7316b19c706d80325_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_0958b2bb6a1678f7316b19c706d80325_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\fyvyg.exe
  "C:\Users\Admin\AppData\Local\Temp\fyvyg.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\puyxzo.exe
    "C:\Users\Admin\AppData\Local\Temp\puyxzo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Users\Admin\AppData\Local\Temp\qocon.exe
      "C:\Users\Admin\AppData\Local\Temp\qocon.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
3ba0880b26b2fe45c012bb73f2bfc35e

SHA1
917a5497908182ca74c39b946302049bce1cc7d3

SHA256
40390678500ce73fc82cecf09fea0e7167b1c4278036e24efb5682cf9c0ed70e

SHA512
6d7654adbecb856349576322e165799ea7b1326817cc62f4c6286b8dda1dfe482bb2af409063fc872a68727f52782b297c71a2dad66c93a3e74077f3de770d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
364B

MD5
d2ea81f30b8e4a3d5055b0d33cc90aa5

SHA1
9fccf1a46983dacc6cb1d30bec0df29033c68cfa

SHA256
d21f3a78669f476321e1f5cad64189117870a6afa4de2119f2d285d32363fffd

SHA512
728a2f891759797f8f35fa7f10f89e36c26eac1c3dce2fe8b886c9cfc801b7206451e694e438cbf197fd5052a7c416674817f32347b83443a452d465cac90c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyvyg.exe

Filesize
461KB

MD5
8d427cd8b4d88cf9a08365f571b00ee6

SHA1
eb9888642ecbd75d3ca31b250025ede4f973478c

SHA256
18373c121a3068a07971c632caa86bff2df2cace004196d02fad5bf364fa10bd

SHA512
a82d723d626191196854b6f9eebb06298f5d5aa8b5ca62099b768697152d73283d1690c1fddc124d672fca64ee592266ce45dca6883d4e7c4d1d2ebff01526aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d9e70fc7432cbf432a13c5e9583195be

SHA1
5ae2298068f225388dfdd1033914dfd06eceaaeb

SHA256
5710d182f07695a5de8189c9f2c5934863a89830b6c1537fcbedea893fffad08

SHA512
9a6f3aaac68bf12ef8021cf0ef8079e8e95217279099de61c7fc29669637208ebb7d21c052a3700b66f89eca93b49378782dbaf4e4a6705d1757718be1906c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\puyxzo.exe

Filesize
461KB

MD5
91a018cc6aa701f0e8992eddc1b28f36

SHA1
3d5d41745462e5d0f2e7b4d0bc96a1b07ea3e7f3

SHA256
1cfad0b022c07f7bb274b0f2fad0d64d983d5611f9771346c69476527b73fd5a

SHA512
667069db47ef2612fa334fc24387cf3b6e272aab75cf64c01ceaa2a149a705afb5855204063343c930fe594479cd1a2c4b29a743d426786369288eead6024665

Download Submit
C:\Users\Admin\AppData\Local\Temp\qocon.exe

Filesize
223KB

MD5
05827e825baafeb6fc6c597237c66c6e

SHA1
cd82baa6b836a8d6d629a655b64897736d69e916

SHA256
2a4f8c6b669f1b54c12fa9e7e6528d8803c398f4cbe490260172c32d124e3a89

SHA512
08460561377132dbb4b69efe456174b7a20341667a8b48d2c26f238f52d03f0be173fb87ee5802fe7297b12b78f52cd9f9f557acc52db3d965b66c341eacbfe5

Download Submit
memory/820-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1768-37-0x0000000000200000-0x00000000002A0000-memory.dmp

Filesize
640KB

Download
memory/1768-41-0x0000000000200000-0x00000000002A0000-memory.dmp

Filesize
640KB

Download
memory/1768-42-0x0000000000200000-0x00000000002A0000-memory.dmp

Filesize
640KB

Download
memory/1768-43-0x0000000000200000-0x00000000002A0000-memory.dmp

Filesize
640KB

Download
memory/1768-44-0x0000000000200000-0x00000000002A0000-memory.dmp

Filesize
640KB

Download
memory/1768-45-0x0000000000200000-0x00000000002A0000-memory.dmp

Filesize
640KB

Download
memory/1944-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1944-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4788-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4788-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download