Overview

overview

10

Static

static

10

2025-04-04...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/04/2025, 05:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-04_ab53a90830d25f4915fbebf749956b38_amadey_rhadamanthys_smoke-loader.exe

  • Size

    440KB

  • MD5

    ab53a90830d25f4915fbebf749956b38

  • SHA1

    b1a5923946445a191606695af0891f5006732678

  • SHA256

    4dbe1d196715a865ee5a48719db10c33848f316f6ddbe4b4b92d21ed0caac0ae

  • SHA512

    51c095a21ed82894e1eea8077cdaddcaa09b48c7ddb84c7194795d22ded1019abc8b8276376edffdd179d98a5c79e7b30895f28fe6e82a6a429bb045b997c800

  • SSDEEP

    6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpj7:oMpASIcWYx2U6hAJQnm

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-04_ab53a90830d25f4915fbebf749956b38_amadey_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_ab53a90830d25f4915fbebf749956b38_amadey_rhadamanthys_smoke-loader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Users\Admin\AppData\Local\Temp\hyxol.exe
      "C:\Users\Admin\AppData\Local\Temp\hyxol.exe" hi
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:744
      • C:\Users\Admin\AppData\Local\Temp\boleab.exe
        "C:\Users\Admin\AppData\Local\Temp\boleab.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Users\Admin\AppData\Local\Temp\dygiw.exe
          "C:\Users\Admin\AppData\Local\Temp\dygiw.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1584
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3524
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2464

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    364B

    MD5

    4d75f2b45fa17da32a3c4985879fd45a

    SHA1

    173270395c2a22605f545498b428f17daa3c686c

    SHA256

    e8e52e8557655d147a880b72d4400fe8d63c8bcc646f76c1085f35e3de272839

    SHA512

    f8fbf8259330b46c4525fa694d88d47ed084af8e3c37620f1b777c7e95e6d45af0deef258eabc6bc6d4bba34603bab43cef2ec0d658e49272d5c44b8bc739bbd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    224B

    MD5

    84ae7d6fb6e6b3aaefc4535220851320

    SHA1

    240e5e38668214e2049b32a3073b3bb4fb35a4f7

    SHA256

    014a57e5d6bd5b88c76ba1609383957fe63fdf6e49a2386730889ea747746665

    SHA512

    e3027a4d6f911d83bce794f3113e5d39ff14968f7def5da7835e9224b2ea77d15145ac18c14b8652c67678fec223609d16f16a293b98b1683e9810c531bb8f92

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\boleab.exe
    Filesize

    441KB

    MD5

    69ff8939b62c6d1f9e71b3594a2672ee

    SHA1

    64c7db2fd69450091282237abf58f18b55dad0c8

    SHA256

    78464aa3c3e38b594b44fc16b0e93ef915cc62e76e5f6787c47fa2ba25649d88

    SHA512

    4dc21e815f1f3068e3fa620d58d181da5d321c8870a62abca843ce9db633968f66235f7aa308f4eb4d93e5e63f8a1c596aca7378a1338578596d35281191804a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dygiw.exe
    Filesize

    223KB

    MD5

    2c3eb74542e4cda86d9d16be4f577a7d

    SHA1

    9e8d362981338db406d5db1b47d48337183c8048

    SHA256

    e98d6ea2c78f7244be3a85d9c56df34a2946e32decabbb09c8dab68ad044b8ba

    SHA512

    3aa14174299a65258caa7ed6a77375195db7a7ea9f1ffb6d71ecb6b8102744b74cfc346628505aa308269628d46141f7e3d7fc660eeb112acf485930c6833386

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    38ebfea30c0b3f08a338ee145b9cc01c

    SHA1

    7617d0a4c4b57fa2691ef083c32431b09c6f09ed

    SHA256

    c67a8815ebc3cdb86caa0c202a17a0e7a97b957d736726e830706fb913989704

    SHA512

    a082e55d1752644a52bcdb66a184a2a2f5440a72835d3d71b1fc2b57b7e8c1faef15a9bd11e4c87245d6fce9d2e4519c7d84757a85e4760a931400daa25dc120

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\hyxol.exe
    Filesize

    441KB

    MD5

    cc6efde2a6296702a5e9f39ff0c75c2b

    SHA1

    a4b28a0bfee1882548039e7b43d94096d621dbe7

    SHA256

    dab34ba533e24fdd56c3589fce6a20197c65b239a0d1b0d6f43be8f9fe471bfd

    SHA512

    6f30d8e00613f447dba042dc497d205acc602933475b2c918b9d11c1174c1f51a4e5a2fee8a73d4d200f3c7d852ab1413f04c6cb3636f1b44ca7743ccdbf619b

    Download Submit

  • memory/744-23-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1584-44-0x00000000005F0000-0x0000000000690000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1584-36-0x00000000005F0000-0x0000000000690000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1584-45-0x00000000005F0000-0x0000000000690000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1584-41-0x00000000005F0000-0x0000000000690000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1584-42-0x00000000005F0000-0x0000000000690000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1584-43-0x00000000005F0000-0x0000000000690000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1676-15-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1676-0-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/2008-25-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/2008-38-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download