urelas | ead830b446211821044cc504f4346fe54031304ce67ca6e2f0bddeef3c3f7df1

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_adac27f0b6ef5be08ae0a1fd00cfd5d4_amadey_rhadamanthys_smoke-loader.exe
Size

461KB
MD5

adac27f0b6ef5be08ae0a1fd00cfd5d4
SHA1

34684a7fb6a9a315f68ac31381466941f1c1e9b3
SHA256

ead830b446211821044cc504f4346fe54031304ce67ca6e2f0bddeef3c3f7df1
SHA512

1e15d8c265bb92e77f8468394b06cddb8634ee26e9588e29e157b1217f0b821365107803e77106f6a90d36eec45b8b396d8a7321985c9903495aac1482cf4499
SSDEEP

6144:LEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFRdmc:LMpASIcWYx2U6hAJQnS

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	2025-04-04_adac27f0b6ef5be08ae0a1fd00cfd5d4_amadey_rhadamanthys_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	qeyvn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	moilri.exe

Executes dropped EXE 3 IoCs

pid	Process
5924	qeyvn.exe
5220	moilri.exe
4060	nekom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_adac27f0b6ef5be08ae0a1fd00cfd5d4_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qeyvn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	moilri.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nekom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe
4060	nekom.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5400 wrote to memory of 5924	5400	2025-04-04_adac27f0b6ef5be08ae0a1fd00cfd5d4_amadey_rhadamanthys_smoke-loader.exe	86
PID 5400 wrote to memory of 5924	5400	2025-04-04_adac27f0b6ef5be08ae0a1fd00cfd5d4_amadey_rhadamanthys_smoke-loader.exe	86
PID 5400 wrote to memory of 5924	5400	2025-04-04_adac27f0b6ef5be08ae0a1fd00cfd5d4_amadey_rhadamanthys_smoke-loader.exe	86
PID 5400 wrote to memory of 2936	5400	2025-04-04_adac27f0b6ef5be08ae0a1fd00cfd5d4_amadey_rhadamanthys_smoke-loader.exe	87
PID 5400 wrote to memory of 2936	5400	2025-04-04_adac27f0b6ef5be08ae0a1fd00cfd5d4_amadey_rhadamanthys_smoke-loader.exe	87
PID 5400 wrote to memory of 2936	5400	2025-04-04_adac27f0b6ef5be08ae0a1fd00cfd5d4_amadey_rhadamanthys_smoke-loader.exe	87
PID 5924 wrote to memory of 5220	5924	qeyvn.exe	89
PID 5924 wrote to memory of 5220	5924	qeyvn.exe	89
PID 5924 wrote to memory of 5220	5924	qeyvn.exe	89
PID 5220 wrote to memory of 4060	5220	moilri.exe	109
PID 5220 wrote to memory of 4060	5220	moilri.exe	109
PID 5220 wrote to memory of 4060	5220	moilri.exe	109
PID 5220 wrote to memory of 3792	5220	moilri.exe	110
PID 5220 wrote to memory of 3792	5220	moilri.exe	110
PID 5220 wrote to memory of 3792	5220	moilri.exe	110

C:\Users\Admin\AppData\Local\Temp\2025-04-04_adac27f0b6ef5be08ae0a1fd00cfd5d4_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_adac27f0b6ef5be08ae0a1fd00cfd5d4_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5400
- C:\Users\Admin\AppData\Local\Temp\qeyvn.exe
  "C:\Users\Admin\AppData\Local\Temp\qeyvn.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5924
- - C:\Users\Admin\AppData\Local\Temp\moilri.exe
    "C:\Users\Admin\AppData\Local\Temp\moilri.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5220
  - - C:\Users\Admin\AppData\Local\Temp\nekom.exe
      "C:\Users\Admin\AppData\Local\Temp\nekom.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
364B

MD5
aea8be90518146d8af7eb5eddbf7d7b6

SHA1
fea4b636ae8c1819dd0cac40dbf1bda65c460557

SHA256
4868b633320ffb320c2539a1bb5d6d8f1d1a8c1e31708c1a281c63cb16ba175e

SHA512
a11041f97de82ac53b9b4d32c5a308d624b18975e50f80335415ef71ddc53489fd797105b255adff79a843bdcd213be3fdd83e1b1c486eac3c02ad4e71a029c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
186bc4a820ba2390e4a438f6ea2e2ee1

SHA1
51ad0bb9854eee486c710ef0c0dc103a7c960140

SHA256
09d32eaf244b461f5299ea22c9a2bc3ac24afc8f6bd89354c782eeaed266034a

SHA512
47e1193fdd977014be2fee18adfc5c41981a601dd9afc58e585aa5b2ee56ff4e9b2b0ffd4fd709d2e3abeaa39d4aa01e875164108b9fa1c8cd05bdb75d621c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ce9b918c090105439196c3b992a5ee88

SHA1
a8b2152d2b69033a320a0b0dc53a8600035f7b6a

SHA256
822fd24155a599eba06baec8c6d6b6ccf7807efd47e71e5843a3742b303cc8da

SHA512
f6f8291617b4fecd11d17a5ac3d9b0c63dbdcfd26e8af6b6485417a76d5c70f8f41209403ea90bd9aa5c9426981b7fb4dc155bc2a43b977ee09ee4056f4520b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\moilri.exe

Filesize
461KB

MD5
f8273cb996c8ebb6581ab2bd9f4437f7

SHA1
fc28d873c403d5813a1778090396d65efc32d5a4

SHA256
ee15ff622cec76e4174f7f7285b61d1b9f531db4705be8f1ebd88fa420be595a

SHA512
202c1ee9cc99ebe9ca4a8c0fbbf448ea29978329a0263feb05671c44330bc8c5840c69181e139dc674a60272821716dbb75afe8588dcffcc3d12c7c01056ba48

Download Submit
C:\Users\Admin\AppData\Local\Temp\nekom.exe

Filesize
223KB

MD5
2e66d9114fc7e51c4a186169530cc0e9

SHA1
9129cddfa0060e71928f241dbdc891be5e860272

SHA256
3d808f83e46708a90e971726d5e3f18592eb690d3ab814dc5f4bf44ce526fe32

SHA512
b2b8a60235ecaa3507027225658174a91f4a25f25e539446af5cf3bbdc64e41295067c9ac1dfc318121e3241d6f0b4bfa4cfcb12ef2ee852c17e02d65573b9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeyvn.exe

Filesize
461KB

MD5
55e58dc91bd6e9012e65ee4780e2cf35

SHA1
6c64ab8e3b4e3eaccb963905bdf6965496f62dad

SHA256
3f4100083896bfe9dab014a2cb3bbc9ca188dd2448a53a2e1d7c83426a3ec3f9

SHA512
60df7b9694ed43131b6496a1343f3f9e2fe3a15c7a0ea61f1b680c7320ea113ca7379ab9c2f94e0b79d3c55f83f94a0e46c7f87d8d61db02a2d3162168b92781

Download Submit
memory/4060-35-0x00000000008B0000-0x0000000000950000-memory.dmp

Filesize
640KB

Download
memory/4060-41-0x00000000008B0000-0x0000000000950000-memory.dmp

Filesize
640KB

Download
memory/4060-42-0x00000000008B0000-0x0000000000950000-memory.dmp

Filesize
640KB

Download
memory/4060-43-0x00000000008B0000-0x0000000000950000-memory.dmp

Filesize
640KB

Download
memory/4060-44-0x00000000008B0000-0x0000000000950000-memory.dmp

Filesize
640KB

Download
memory/4060-45-0x00000000008B0000-0x0000000000950000-memory.dmp

Filesize
640KB

Download
memory/5220-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5220-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5400-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5400-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5924-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download