urelas | f3d5a2aad153bff69ca21a86e4639308573baf46af111299b88ccbb106d1016b

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_936eac866eaff4fa23f42694c3f2c0c7_amadey_smoke-loader.exe
Size

790KB
MD5

936eac866eaff4fa23f42694c3f2c0c7
SHA1

37e919e9af13d588b34919000aba6570301ded6f
SHA256

f3d5a2aad153bff69ca21a86e4639308573baf46af111299b88ccbb106d1016b
SHA512

7e6341f904406853324c99913828c1c68f120312360b2ecfaa9d6e8bfa2690b623becb64a949421d772de31779a3f39b705e4c20b72eb57318274d6f8e2f188d
SSDEEP

12288:dccNvdRExZGe+Q1nzPAlDqfJZTvfTRTWkI42gqmoWkI094og2GXfJKnbkS3LdAPD:dnPfQpzyD8ZTn8kZ2gqAkI094vOkSCL/

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	2025-04-04_936eac866eaff4fa23f42694c3f2c0c7_amadey_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	palod.exe

Executes dropped EXE 2 IoCs

pid	Process
4552	palod.exe
3640	gelax.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gelax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_936eac866eaff4fa23f42694c3f2c0c7_amadey_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	palod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe
3640	gelax.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 4552	1076	2025-04-04_936eac866eaff4fa23f42694c3f2c0c7_amadey_smoke-loader.exe	93
PID 1076 wrote to memory of 4552	1076	2025-04-04_936eac866eaff4fa23f42694c3f2c0c7_amadey_smoke-loader.exe	93
PID 1076 wrote to memory of 4552	1076	2025-04-04_936eac866eaff4fa23f42694c3f2c0c7_amadey_smoke-loader.exe	93
PID 1076 wrote to memory of 2776	1076	2025-04-04_936eac866eaff4fa23f42694c3f2c0c7_amadey_smoke-loader.exe	94
PID 1076 wrote to memory of 2776	1076	2025-04-04_936eac866eaff4fa23f42694c3f2c0c7_amadey_smoke-loader.exe	94
PID 1076 wrote to memory of 2776	1076	2025-04-04_936eac866eaff4fa23f42694c3f2c0c7_amadey_smoke-loader.exe	94
PID 4552 wrote to memory of 3640	4552	palod.exe	111
PID 4552 wrote to memory of 3640	4552	palod.exe	111
PID 4552 wrote to memory of 3640	4552	palod.exe	111

C:\Users\Admin\AppData\Local\Temp\2025-04-04_936eac866eaff4fa23f42694c3f2c0c7_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_936eac866eaff4fa23f42694c3f2c0c7_amadey_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\Temp\palod.exe
  "C:\Users\Admin\AppData\Local\Temp\palod.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\gelax.exe
    "C:\Users\Admin\AppData\Local\Temp\gelax.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
338B

MD5
90b2193fe5ea8ee1cbe51870aa192acd

SHA1
91b26f19ec272299c6fd27e253d5edcf950a59a1

SHA256
cc64175dec0a3844289b98f38288642ba1fdfb29ada7dd0207bf6550496464ec

SHA512
ca4cd9088b389e7457dda9f2b5756623bceef5cdd75bc6ff0c4586649f0a2e1ceb90bb5374482426e08f1096c2c772e9771255ae799fe5cf2ab97107c75e4c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gelax.exe

Filesize
176KB

MD5
135cd87a27fb1fab9711406ce62026a9

SHA1
12d0f1dc67c635ea7001e3820a926bcb61c3d5a3

SHA256
9a4324eda81f484591bc3d4e6d213615971f48ae39a41e128e7de9b65f39f960

SHA512
329c10f05b01320641c07a846441db616751c76b7bf35ddc359f69706889e4b1cf7a939cdd31b17c9991d55c80fcdb8f31c4ecfde4a9c41cee48509fb829c4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b549321bb37f2edcd5c1f5e24a172f48

SHA1
3309111abb319b4a0051edbc00a742ae53d391e5

SHA256
2f2d159c98309afdaf3128e6fcaa2791da6735f087e8c29b79ad2f31878abb3d

SHA512
aac0cf3ea7d83c1387ce44ffaa0cf1732dcd0ab2d6540dea9d2d873e98f90e4c3e727353434ba1dce049ec2cd8017ef864dceec70c92efcf4919c5501951aff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\palod.exe

Filesize
790KB

MD5
af4898e2c00bbc62d7ed8fb4503f42b0

SHA1
de4ff02671ff70d148237d3eeb6d5b6dcb09661c

SHA256
22939ddb02464b15c5b6a55f1b46869a6c51cebfa7d603863bcd2f3894f28a45

SHA512
e85f94faa2ea925358dbb3efc76d028344b407c1007159b70b84c2007ad630fa0ed46dc5c02ae1a18d63570affb6f0ce418303270210c79f908e2ecb731a57ff

Download Submit
memory/1076-0-0x0000000000960000-0x0000000000A2C000-memory.dmp

Filesize
816KB

Download
memory/1076-14-0x0000000000960000-0x0000000000A2C000-memory.dmp

Filesize
816KB

Download
memory/3640-26-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3640-28-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/3640-31-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/3640-30-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3640-32-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3640-33-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3640-34-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3640-35-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4552-17-0x0000000000160000-0x000000000022C000-memory.dmp

Filesize
816KB

Download
memory/4552-12-0x0000000000160000-0x000000000022C000-memory.dmp

Filesize
816KB

Download
memory/4552-27-0x0000000000160000-0x000000000022C000-memory.dmp

Filesize
816KB

Download