urelas | 9824f85d826f500ac9d1cf48bfa4a45b8dd59e1ec4d3870f93c6b67bfab2a66d

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_5c63e5e2ca3acb9afb6244581689aba5_amadey_rhadamanthys_smoke-loader.exe
Size

440KB
MD5

5c63e5e2ca3acb9afb6244581689aba5
SHA1

f2f1a3f4bcd379d1e58bc18492ace5fe445f87e8
SHA256

9824f85d826f500ac9d1cf48bfa4a45b8dd59e1ec4d3870f93c6b67bfab2a66d
SHA512

a08580e015012440ec2e094e8a861d315aeb8d89f88402282ec41aa6b227fd1c94c9edd90b92a41d781249e510da5675d377bfb5f672b0127315ab5c88a7d775
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjz:oMpASIcWYx2U6hAJQnI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	2025-04-04_5c63e5e2ca3acb9afb6244581689aba5_amadey_rhadamanthys_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lypun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	qeqixi.exe

Executes dropped EXE 3 IoCs

pid	Process
2764	lypun.exe
3056	qeqixi.exe
3684	fomis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qeqixi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fomis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_5c63e5e2ca3acb9afb6244581689aba5_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lypun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe
3684	fomis.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 2764	4624	2025-04-04_5c63e5e2ca3acb9afb6244581689aba5_amadey_rhadamanthys_smoke-loader.exe	86
PID 4624 wrote to memory of 2764	4624	2025-04-04_5c63e5e2ca3acb9afb6244581689aba5_amadey_rhadamanthys_smoke-loader.exe	86
PID 4624 wrote to memory of 2764	4624	2025-04-04_5c63e5e2ca3acb9afb6244581689aba5_amadey_rhadamanthys_smoke-loader.exe	86
PID 4624 wrote to memory of 4876	4624	2025-04-04_5c63e5e2ca3acb9afb6244581689aba5_amadey_rhadamanthys_smoke-loader.exe	87
PID 4624 wrote to memory of 4876	4624	2025-04-04_5c63e5e2ca3acb9afb6244581689aba5_amadey_rhadamanthys_smoke-loader.exe	87
PID 4624 wrote to memory of 4876	4624	2025-04-04_5c63e5e2ca3acb9afb6244581689aba5_amadey_rhadamanthys_smoke-loader.exe	87
PID 2764 wrote to memory of 3056	2764	lypun.exe	89
PID 2764 wrote to memory of 3056	2764	lypun.exe	89
PID 2764 wrote to memory of 3056	2764	lypun.exe	89
PID 3056 wrote to memory of 3684	3056	qeqixi.exe	110
PID 3056 wrote to memory of 3684	3056	qeqixi.exe	110
PID 3056 wrote to memory of 3684	3056	qeqixi.exe	110
PID 3056 wrote to memory of 3024	3056	qeqixi.exe	111
PID 3056 wrote to memory of 3024	3056	qeqixi.exe	111
PID 3056 wrote to memory of 3024	3056	qeqixi.exe	111

C:\Users\Admin\AppData\Local\Temp\2025-04-04_5c63e5e2ca3acb9afb6244581689aba5_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_5c63e5e2ca3acb9afb6244581689aba5_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Temp\lypun.exe
  "C:\Users\Admin\AppData\Local\Temp\lypun.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\qeqixi.exe
    "C:\Users\Admin\AppData\Local\Temp\qeqixi.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\fomis.exe
      "C:\Users\Admin\AppData\Local\Temp\fomis.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
364B

MD5
2466baf0787e69f86583945a7d33717b

SHA1
491d6fb07bbbd131a36ab6c8adc8b35458020933

SHA256
ad10b168ae7e18de0cc1c9816d81263d2b9973e3cbf6ad6bfe58c23385f95992

SHA512
228ebdbfec47d9907e3411e497ae25d8d2b4d257d5080918b50e8ca2d936fea2e5901cff34d9e03b47767d26831da7ea8c4df47613565ed76e17e96ae8d6dcdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
44f2c0b2d3bc2e951d47da72b5fb0d78

SHA1
c55999148d067c4b8e9c97091b4b538c1027c5b4

SHA256
2485562fef5e966e7f494e79b55e27d45bb2cf9f0fd2162680affddda0c9ddc9

SHA512
235f054d34d3786f109105f10dc16d6c9af598333a6625ff262b9355d8e52ff26919a772b8c05ca0deede91fa7abc74c56f2378051cb5d7383bbdc7f09f18923

Download Submit
C:\Users\Admin\AppData\Local\Temp\fomis.exe

Filesize
223KB

MD5
fd3af2f2637d1587c814604925a181ba

SHA1
502938fa8578dad66ce5735bc6887f4d590b9e3a

SHA256
a3721fa7693de1a60ac6b4ac31441e1fc5b6b54f273e8484befe3b13b6767d26

SHA512
b01f70b61447ae31779678a407cc0c6f22ce41eb2edf96cc63d15ed9ad425c0832a10eda01f23340de9989a2838b08e656cdcf1ea27e6d33ac921d83ac9a3515

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7825693744c6348ad7de605b41242b61

SHA1
2e814c031aa6f69f02effc9aae95d83e2cd0407e

SHA256
67d24a490c1bbe215ff5a28e1135f19c32d0a9a7fef1893e6772ce2629232027

SHA512
63c2f3ce3179170e1fdee60be6a2b01800bc8a70c95fc9fc4086c450497a5f6ce6f4170f7fd1a0fc99ef3d0e637842ace19217fcfdff7c28c7afbfbf9abfb943

Download Submit
C:\Users\Admin\AppData\Local\Temp\lypun.exe

Filesize
440KB

MD5
20655c5d186875126ff190f60ccedffb

SHA1
1976137433b8db50419740e74dc890aec7ac9db3

SHA256
33b5e286a2a2c6b8b195f39fb5f5f107770063353115d13be31389f7ff88ce52

SHA512
27ffbab029bc3246295f277317f480d85eb8927a5ea5ed1de3555b9d0ffd37fa47bf0745897f34f66e631c3e8f74e09c88130b62a9ed811f5de959f3185adbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeqixi.exe

Filesize
440KB

MD5
3757a73ccbe044201655a132b8746841

SHA1
b04012b572cb18ed22603bd6ce3b0bd0f25d0698

SHA256
5dba5a531c4c45cc0135180265ddd099f18ee7ecf210fb66a2d8a4ff6c3f9a9b

SHA512
ca536466b239e2c515ad36d3e1956030fbf9572c959474fb078be7bdd7bc2ff5b1659a99bc5756970c2fc0756a987a406d20850ee69c72b0cc2353c307e835bd

Download Submit
memory/2764-23-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3056-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3056-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3684-35-0x0000000000380000-0x0000000000420000-memory.dmp

Filesize
640KB

Download
memory/3684-41-0x0000000000380000-0x0000000000420000-memory.dmp

Filesize
640KB

Download
memory/3684-42-0x0000000000380000-0x0000000000420000-memory.dmp

Filesize
640KB

Download
memory/3684-43-0x0000000000380000-0x0000000000420000-memory.dmp

Filesize
640KB

Download
memory/3684-44-0x0000000000380000-0x0000000000420000-memory.dmp

Filesize
640KB

Download
memory/3684-45-0x0000000000380000-0x0000000000420000-memory.dmp

Filesize
640KB

Download
memory/4624-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4624-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download