Analysis
-
max time kernel
149s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
04/04/2025, 05:06
General
-
Target
2025-04-04_40c30e9a08fa24da8610a9def50e51bd_amadey_smoke-loader.exe
-
Size
790KB
-
MD5
40c30e9a08fa24da8610a9def50e51bd
-
SHA1
afbcb07801aca53750b920e191a5a910fa76de0f
-
SHA256
c17f935c7a26f36ed26ffe807033054469869841ce7ca49ff08104f7f6f7cce3
-
SHA512
6b2e8530a90fab68e2b7fe9796c7518409841c16a2ca84179124542ca6178174ab716099cb0916d5b14a05d523fea13b18e8516ad6cb4f2a62cefc3fc9d63720
-
SSDEEP
12288:dccNvdRExZGe+Q1nzPAlDqfJZTvfTRTWkI42gqmoWkI094og2GXfJKnbkS3LdAPp:dnPfQpzyD8ZTn8kZ2gqAkI094vOkSCLl
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-04_40c30e9a08fa24da8610a9def50e51bd_amadey_smoke-loader.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-04_40c30e9a08fa24da8610a9def50e51bd_amadey_smoke-loader.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ijmud.exe"C:\Users\Admin\AppData\Local\Temp\ijmud.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\omnal.exe"C:\Users\Admin\AppData\Local\Temp\omnal.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
338B
MD50cf027b9a03632b1e50dbfd98d515df4
SHA132bc30e54d058cce0bdf90852f61bc43c2016726
SHA2569386e1702b8ae9fa3caf5e0057aa3dcac8111bf66cccc46b84ce2c8df9bd40fa
SHA5129eaf4ffe934b6b2ad9a44fbb69c9fc89bccee11e09883fdf3371dfce3cc811b0e5617d9444ac1fccdb9d171e695db9c2020ab3f66aed5a24659ec5d079b6a552
-
Filesize
512B
MD5a22f6293d6d42fce0fe108f54b807eb1
SHA1f692cb0f7b8c35a27792da5b2b918cc53faabe4d
SHA256fc0438e07a1f7b3d57e66791c289720c83ef2cb0a0de85e018e9962624a985ec
SHA5127a092dca35f27e283e3a5caf47e041fb1081e71efc32217565ccf383e83ac562b7ccbb2dc8aa6f0446e886a64412f62cfce2ae6fbe2c170756def76099a41321
-
Filesize
790KB
MD547a3f20dc0b2d7a038965eb6bb3c0c08
SHA14c6c0e690a5ba2d735603fdf5f3edcc2decadce1
SHA256c7f67ddf31ca6cb6552f33d9ac76035fda65d5a33d26490136d569105df1b7d8
SHA512b677323777be16f5e75ec39ec2b6ddd4ab1fa7af4fe59445cb9047ac30d1812f8b6a1bf0e8da328e8c859a1648be28d3ac62622d4e1124cfe91486caf1e7f7f0
-
Filesize
176KB
MD598e7e11bfb0501e0b42fa6e57f7f3a1b
SHA1f27f79bcfca934b2c23f88a652847ce5faaa8d4c
SHA256b323308034c869d794bb2eb6104134f137210a8eb3389d4a12458c20be32a779
SHA512b6fc5c1d2152c39f0d386b12d4533dd3f4f632d270f0dae54e2e0bbbb0567cad9a8348612a7813bb7c71941fe9b060ff08591643b3958897256f81909d479ce8
-
Filesize
576KB
-
Filesize
8KB
-
Filesize
576KB
-
Filesize
8KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
816KB
-
Filesize
816KB
-
Filesize
816KB
-
Filesize
816KB
-
Filesize
816KB