urelas | 44fe6735b6ef6689fc80576d802becc7683a699b1747619f3ff8e65fa7fadab7

General

Target

2025-04-04_a3bde46c08a015dd2233cd6382529a94_amadey_rhadamanthys_smoke-loader.exe
Size

461KB
MD5

a3bde46c08a015dd2233cd6382529a94
SHA1

f4bda18380c9a303ea136f5ac428bf0a7a5cac19
SHA256

44fe6735b6ef6689fc80576d802becc7683a699b1747619f3ff8e65fa7fadab7
SHA512

9e1f297623d53710c5e159f38a80353206bf6eb132592551cf09d5d9c3d48c3f58591af0f3aea79f014bb2c95eace91bb40866c6bd10c6770662f21e05e0898f
SSDEEP

6144:LEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFRdmu:LMpASIcWYx2U6hAJQnI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	2025-04-04_a3bde46c08a015dd2233cd6382529a94_amadey_rhadamanthys_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	reizb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	wynogo.exe

Executes dropped EXE 3 IoCs

pid	Process
3640	reizb.exe
2680	wynogo.exe
5820	fezav.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_a3bde46c08a015dd2233cd6382529a94_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reizb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wynogo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fezav.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 3640	3556	2025-04-04_a3bde46c08a015dd2233cd6382529a94_amadey_rhadamanthys_smoke-loader.exe	88
PID 3556 wrote to memory of 3640	3556	2025-04-04_a3bde46c08a015dd2233cd6382529a94_amadey_rhadamanthys_smoke-loader.exe	88
PID 3556 wrote to memory of 3640	3556	2025-04-04_a3bde46c08a015dd2233cd6382529a94_amadey_rhadamanthys_smoke-loader.exe	88
PID 3556 wrote to memory of 4000	3556	2025-04-04_a3bde46c08a015dd2233cd6382529a94_amadey_rhadamanthys_smoke-loader.exe	89
PID 3556 wrote to memory of 4000	3556	2025-04-04_a3bde46c08a015dd2233cd6382529a94_amadey_rhadamanthys_smoke-loader.exe	89
PID 3556 wrote to memory of 4000	3556	2025-04-04_a3bde46c08a015dd2233cd6382529a94_amadey_rhadamanthys_smoke-loader.exe	89
PID 3640 wrote to memory of 2680	3640	reizb.exe	91
PID 3640 wrote to memory of 2680	3640	reizb.exe	91
PID 3640 wrote to memory of 2680	3640	reizb.exe	91
PID 2680 wrote to memory of 5820	2680	wynogo.exe	113
PID 2680 wrote to memory of 5820	2680	wynogo.exe	113
PID 2680 wrote to memory of 5820	2680	wynogo.exe	113
PID 2680 wrote to memory of 6036	2680	wynogo.exe	114
PID 2680 wrote to memory of 6036	2680	wynogo.exe	114
PID 2680 wrote to memory of 6036	2680	wynogo.exe	114

C:\Users\Admin\AppData\Local\Temp\2025-04-04_a3bde46c08a015dd2233cd6382529a94_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_a3bde46c08a015dd2233cd6382529a94_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Users\Admin\AppData\Local\Temp\reizb.exe
  "C:\Users\Admin\AppData\Local\Temp\reizb.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Users\Admin\AppData\Local\Temp\wynogo.exe
    "C:\Users\Admin\AppData\Local\Temp\wynogo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\fezav.exe
      "C:\Users\Admin\AppData\Local\Temp\fezav.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:6036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
364B

MD5
17556394df83acc004f53896aecd259f

SHA1
d9660ee14a3f5475979fe695d26a34a142eba161

SHA256
b285ebd73c9482a49c6f5bea8fb0259732513c10e8505aefb47e7380a5de8a24

SHA512
c1a943e7cd48300d73ae2af9518d60590b076669da9199da628a4fa0765077ba8b5b38020a041d7dd90341bdc542d8dab81795547a2d6ed65d819db177aeb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
67b18cb510304dba80772ed16e6fca6c

SHA1
20026cbdbdb539c16c1b3228071cc5b74fe8b5d0

SHA256
47b8d3348ec244f193ca5034ab2762968e5df02c16deb149e242254874d77677

SHA512
278c39240d9cdae4c93175aab0dab38050721f7d23026bbbb73fa73d356f3fdd536bbb2f968448b213f70257f38e164484b3405fb6790de9800de6eeccd98175

Download Submit
C:\Users\Admin\AppData\Local\Temp\fezav.exe

Filesize
223KB

MD5
67fa51f2b7e0d4c4d298b7402df1898f

SHA1
a3a524e8b11c5795c10c0559e5f2f0e3db5bf061

SHA256
5b4c7e55ca84a0b930080f9b9b3f136bbf0b96802fc16d9d288ec73e3450731b

SHA512
cb7be2ffac2729c0f1bff56db7d5249da6d0b60da1d7b11e583d9b3e8bce94a3b29b6f132a6b045cb42e068ff2212a289ad9db6a1a51b63d90f93005fc99f754

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
15902ac9617c41b7a588d18ee87620ff

SHA1
c2ee16ffb12ca4437bc61cac9d0fceb69acd51b9

SHA256
e7515135ed3d176af0d695351a8ced2a0b3d7765f0bb90f2ca61580a27481447

SHA512
d60ed88e1bf18fc0d9b910a3f0a2e9ec2965d759df6786684f3dd677c29a70f81e7f1483c6e95a64db50a9c3603fb4ef2552cdf511617988ae789a894c794cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\reizb.exe

Filesize
461KB

MD5
cabd79e8fa87732cc53ab0c9cdebdb73

SHA1
328741eb49f662b96a68ea1615b204a533ccfd4e

SHA256
332fdea6a9d0f3043519b0198e2cf5e5d904526ff808ef8e67ab4d638a03665e

SHA512
840b795e9b380b0ba6a6f6f0d6aa3926ce2989f8f1bcdd7b8025f9383eb8ee0c70b611e81064a0505784fbb4456b76fa67487335aa4bb7859ec434616aec9f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\wynogo.exe

Filesize
461KB

MD5
7b8d40288cd0d76a0d1ae6b6aaaad642

SHA1
a8feacd89558c26b9f7976df2db4b629a8597c93

SHA256
f88b45641b789d107129ab993e10087a4239fc7a4f7b71a1567ffd638c2fcb44

SHA512
135f33d8c36326c961368a6ead029ef341f873b75139685b1e181d53c3909005e285f5457b2b6a4d47bad46d8e0ec9a879b3b45e85722874fdc3f40894ddc360

Download Submit
memory/2680-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2680-37-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3556-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3556-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3640-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5820-35-0x00000000004A0000-0x0000000000540000-memory.dmp

Filesize
640KB

Download
memory/5820-39-0x00000000004A0000-0x0000000000540000-memory.dmp

Filesize
640KB

Download
memory/5820-40-0x00000000004A0000-0x0000000000540000-memory.dmp

Filesize
640KB

Download
memory/5820-41-0x00000000004A0000-0x0000000000540000-memory.dmp

Filesize
640KB

Download
memory/5820-42-0x00000000004A0000-0x0000000000540000-memory.dmp

Filesize
640KB

Download
memory/5820-43-0x00000000004A0000-0x0000000000540000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing