Overview

overview

10

Static

static

10

2025-04-04...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/04/2025, 05:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-04_56ce1302f40520f19ed3a83ff2c94db0_amadey_rhadamanthys_smoke-loader.exe

  • Size

    333KB

  • MD5

    56ce1302f40520f19ed3a83ff2c94db0

  • SHA1

    4f982dfeff51f02b7a39e76af4491bfef6f1e303

  • SHA256

    ed38d345e27a67bd75b98b4397a24c557c97e7036a22c0845f7aba8cf4073ca9

  • SHA512

    5cfdaf35537bcd4d4d30c976cbae6d3c0f7b9dd64c96156762f560e4f399f218f08f77f4e6d70696e5659807de39d9f0ccfa3fcb0d2936b7589e6a979f116c16

  • SSDEEP

    3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisi:Nd7rpL43btmQ58Z27zw39gY2FeZhmzv

Score
10/10
urelasaspackv2discoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-04_56ce1302f40520f19ed3a83ff2c94db0_amadey_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_56ce1302f40520f19ed3a83ff2c94db0_amadey_rhadamanthys_smoke-loader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Local\Temp\gonif.exe
      "C:\Users\Admin\AppData\Local\Temp\gonif.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3736
      • C:\Users\Admin\AppData\Local\Temp\fiwuze.exe
        "C:\Users\Admin\AppData\Local\Temp\fiwuze.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1436
        • C:\Users\Admin\AppData\Local\Temp\yvtut.exe
          "C:\Users\Admin\AppData\Local\Temp\yvtut.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4276
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1580
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3268

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    364B

    MD5

    2e64ade77eeb7c5fd00dac3257469c93

    SHA1

    0a12443b9d526012cb103d232d47850d075cfbbd

    SHA256

    5b5472337e04f6d5ac96ea3a8b742260c97039ddb8fc040ad045244e30122040

    SHA512

    d5d3038d5c887a4b433a7637dc36f932e74383fa2373be6506d65e3424621523a0bd5c2c68549c33c9bf72ae632cc30385cd422e9e7da9d526420740962d0b96

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    224B

    MD5

    fdf77cba6f3eca67583a6a2ff0c9ce61

    SHA1

    9052e8d54059981aef5c84e0703ad2bc80904869

    SHA256

    4b110ddec48eb42f847d4701a5d210db262594ac5fd9bb7f105b5770da7daca7

    SHA512

    f42f05f8d541a2a41d3ddb3fdf347bfab227bfb2cd93fee316fb0ff6cc1d800df5859fd12333f0d6090631dde3a23033ea3b8f371db90ffd769f08380fa5e8f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    56a484a6f1457a753ce2dc501e266264

    SHA1

    f1469c1b3cc13edf41e68aae8cc8cbc79ef5d2e1

    SHA256

    76cd1dc7992dee8e3b4aafeb4d0feb9111d40c7dee4626eb6fdb6fafc5833a6a

    SHA512

    6aace78b1308311bba8a347e6c87559d4076f015e01ad11131bc9ffe9ac97dc68b139c3d6c6de2dbf44682f22f407c3123ca23047a8f4071c99e1c3f5685abcc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gonif.exe
    Filesize

    333KB

    MD5

    fc3332558a43c1b1509111f9fc0a3d38

    SHA1

    c515f443104e535239bf5423018699ddf43e251d

    SHA256

    a84c9f94aaa9ef54dfdf87158f44230ec9b4598a11ac64f3b3fb957f51b2b0a7

    SHA512

    149af25cf1896c91742034f505a1748c22098f193e6d7054d78385a0212df34e3819b58a81a2afb6b0974418fb16e38bcf09a69d83eacdc3b040c98a020298ec

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\yvtut.exe
    Filesize

    136KB

    MD5

    729148d076680a9f867a096ce5b5d7cc

    SHA1

    d096b0eacfd3c2a45130dc670685b826ea7e6325

    SHA256

    8e9062c213e1b5a15974ad7f994f9184976a65c3240cf10b835f45ea7c10cf15

    SHA512

    f40da2da1a4fe865261ab87b2a2c9e4ae4bc066db5bad42704d8140ecf4999cd51b76912b01df16d3fefce5910bb09812bf121f6a5c8a6146e6e6c253a00d80d

    Download Submit

  • memory/1436-42-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/1436-25-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2232-14-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2232-0-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/3736-24-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4276-39-0x00000000005B0000-0x000000000063C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4276-41-0x00000000005B0000-0x000000000063C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4276-38-0x00000000005B0000-0x000000000063C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4276-37-0x00000000005B0000-0x000000000063C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4276-44-0x00000000005B0000-0x000000000063C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4276-45-0x00000000005B0000-0x000000000063C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4276-46-0x00000000005B0000-0x000000000063C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4276-47-0x00000000005B0000-0x000000000063C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4276-48-0x00000000005B0000-0x000000000063C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4276-49-0x00000000005B0000-0x000000000063C000-memory.dmp

    Filesize

    560KB

    Download