Overview

overview

10

Static

static

10

2025-04-04...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/04/2025, 05:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-04_ab53a90830d25f4915fbebf749956b38_amadey_rhadamanthys_smoke-loader.exe

  • Size

    440KB

  • MD5

    ab53a90830d25f4915fbebf749956b38

  • SHA1

    b1a5923946445a191606695af0891f5006732678

  • SHA256

    4dbe1d196715a865ee5a48719db10c33848f316f6ddbe4b4b92d21ed0caac0ae

  • SHA512

    51c095a21ed82894e1eea8077cdaddcaa09b48c7ddb84c7194795d22ded1019abc8b8276376edffdd179d98a5c79e7b30895f28fe6e82a6a429bb045b997c800

  • SSDEEP

    6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpj7:oMpASIcWYx2U6hAJQnm

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-04_ab53a90830d25f4915fbebf749956b38_amadey_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-04_ab53a90830d25f4915fbebf749956b38_amadey_rhadamanthys_smoke-loader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Users\Admin\AppData\Local\Temp\qynot.exe
      "C:\Users\Admin\AppData\Local\Temp\qynot.exe" hi
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Users\Admin\AppData\Local\Temp\mefixe.exe
        "C:\Users\Admin\AppData\Local\Temp\mefixe.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Users\Admin\AppData\Local\Temp\nixix.exe
          "C:\Users\Admin\AppData\Local\Temp\nixix.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2936
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5128
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    364B

    MD5

    4d75f2b45fa17da32a3c4985879fd45a

    SHA1

    173270395c2a22605f545498b428f17daa3c686c

    SHA256

    e8e52e8557655d147a880b72d4400fe8d63c8bcc646f76c1085f35e3de272839

    SHA512

    f8fbf8259330b46c4525fa694d88d47ed084af8e3c37620f1b777c7e95e6d45af0deef258eabc6bc6d4bba34603bab43cef2ec0d658e49272d5c44b8bc739bbd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    224B

    MD5

    46f665279f6b93997ac95a86b9f43c61

    SHA1

    c111d19b7edd6ca9d63cebf3a39e417ef1a5a381

    SHA256

    2108a3c49ee7218d3d3c19eb8bd218178ae567aa95d7e0588fd0fd30996d07fa

    SHA512

    574e34a394d1b02f561eb03a887c7a2ee86887779ddea494f763ecfd071b4edd3e007693224f18ae8282b9a5ceff1b38717c0d5bfce303b617ed8d5b3def86b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    fd5e8e14e536d1003d849f65e46afb07

    SHA1

    b9f034ade85226a1e190e5717a47ea1c1b20b6da

    SHA256

    1df0c261a21b9e80439e4b0af738eb8b32e6219b396777ee243e162f3d28d016

    SHA512

    408dfa61a15c9757668764454cd918cb847b203c7e63a13913d9417358cfe35db4a835209cd922f374c73f54ff99229831f0d6d3774489d4d612e4030030bb09

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mefixe.exe
    Filesize

    441KB

    MD5

    4b4bb95ffab4e97f487f454179a3663e

    SHA1

    076833d682068dbcf79793378ff92060fd390fce

    SHA256

    7755f3f3ab7d232b963b1fee1b41fb92b82e9fa4afe4a178d7f323a38ac58f84

    SHA512

    4a8a5203d63f7cce7a37686374a3182b53eb1732d2555461a90e282ac71a8eae0a036a3d93af571abe1a1f43fe2994433384524e0dd975094e99e487d5657376

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nixix.exe
    Filesize

    223KB

    MD5

    f282549865c3ddc435eb595d1e1d40ea

    SHA1

    b0bfa26786afd1e190238bf7209c48d77224b075

    SHA256

    d1725bbe6550ebe02f50c908d7d6588bb740e5f77f7d9bbef45b16e94b70983e

    SHA512

    0f58199aa0adcb425eed5242048a67d13590f5db337baa966bac630f56e11f1e5fb53db8f91696be2d9f9689a1912172d9896283eb4787d929a918c1b5b4b79d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\qynot.exe
    Filesize

    441KB

    MD5

    06e612cda10d7898061efc99c7dd4e18

    SHA1

    507f7d55d9fe75827d6faf11da171824e9d6c73e

    SHA256

    bf0ef01e7ab50e8601d4e4fe554e248a707a67e88fde81c5acf310689ceaa904

    SHA512

    e3d98d095b624fcb92b103ec34aa6e15c72662687598374c37064402410de5867080771b442541f3c9e229343ddc2e7c1a87bba7a5813f7f7fe9420d5768388c

    Download Submit

  • memory/2880-25-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/2880-38-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/2936-36-0x00000000006A0000-0x0000000000740000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2936-41-0x00000000006A0000-0x0000000000740000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2936-42-0x00000000006A0000-0x0000000000740000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2936-43-0x00000000006A0000-0x0000000000740000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2936-44-0x00000000006A0000-0x0000000000740000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2936-45-0x00000000006A0000-0x0000000000740000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3720-24-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/4368-15-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/4368-0-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download