urelas | 67fb64998492982423b0d8690ff06ec9c55e8c519ce007fc09d353bcc1472892

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe
Size

333KB
MD5

b785705f4c8d06c986ccf1cbcbc28a45
SHA1

9a9549c26b16c833ebd6b7791ada954dd1935a01
SHA256

67fb64998492982423b0d8690ff06ec9c55e8c519ce007fc09d353bcc1472892
SHA512

4b99c89351928ff99575bebb1de908582d08c9d44d3bd748e6eac8090aafdacabe01002725dd1639f7c392d3f1c0cfe591f7a1fe503df05e6ff55d10ebbc022a
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisT:Nd7rpL43btmQ58Z27zw39gY2FeZhmzO

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000e000000024166-31.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	evqii.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	fubyri.exe

Executes dropped EXE 3 IoCs

pid	Process
3156	evqii.exe
4824	fubyri.exe
6012	neutr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evqii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fubyri.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neutr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe
6012	neutr.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 3156	5016	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe	88
PID 5016 wrote to memory of 3156	5016	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe	88
PID 5016 wrote to memory of 3156	5016	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe	88
PID 5016 wrote to memory of 3004	5016	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe	89
PID 5016 wrote to memory of 3004	5016	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe	89
PID 5016 wrote to memory of 3004	5016	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe	89
PID 3156 wrote to memory of 4824	3156	evqii.exe	91
PID 3156 wrote to memory of 4824	3156	evqii.exe	91
PID 3156 wrote to memory of 4824	3156	evqii.exe	91
PID 4824 wrote to memory of 6012	4824	fubyri.exe	113
PID 4824 wrote to memory of 6012	4824	fubyri.exe	113
PID 4824 wrote to memory of 6012	4824	fubyri.exe	113
PID 4824 wrote to memory of 5396	4824	fubyri.exe	114
PID 4824 wrote to memory of 5396	4824	fubyri.exe	114
PID 4824 wrote to memory of 5396	4824	fubyri.exe	114

C:\Users\Admin\AppData\Local\Temp\2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\evqii.exe
  "C:\Users\Admin\AppData\Local\Temp\evqii.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\fubyri.exe
    "C:\Users\Admin\AppData\Local\Temp\fubyri.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\neutr.exe
      "C:\Users\Admin\AppData\Local\Temp\neutr.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:6012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:5396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
364B

MD5
3ded7c910328a020bfd9ddb63b0ff682

SHA1
06215d3752e7f41122e8c2abd7d53b1ea214e49c

SHA256
e4dfea3c08a7625ec06e2922973d8277b935cdc5970fb045f4badc9b514f34a6

SHA512
15616455ac433103765432f1969436e667bf213012ef83673c301c9cf6c8f27e623f4e40c641e165783d7b7c2557480c6f7533ad2f7418fa63ce77aafc3068d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
70341043d261a02d03604ee4ab5b75b3

SHA1
6801d982eb8524abe92dba504fa937826cbc5b3d

SHA256
07d85c7d7a663ae0861f2a7961ef9be69ddd6fb8269a6eb42dccea8348735509

SHA512
f2f6a17ad640f4e425fecd3f7fd79cdb9423ad93881689d4cc51803d053d7d973ae84223b1a4849fde114e5728b1bfe5411160d014e76261419871b5699bfdff

Download Submit
C:\Users\Admin\AppData\Local\Temp\evqii.exe

Filesize
333KB

MD5
b69171cdab5c95b171339e180eacf932

SHA1
27769469cb2fc9f8a679cf72e64d48383cf1a27e

SHA256
615eeee9ad13ec33d2a231f94e4c5a1eeab73e9c906a53c6608061cd60617e25

SHA512
ba6f9b109d5e7dbd079ab8dfba28922a4c2a2417660f8123aad0e693c1d1a5d233195116b1db7a0aaa3140e69ad5ffe4fc47329b5469aba2129f2c42071dcda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7d9f95b17f16208fb442b1ce99b35167

SHA1
6e91f0607e787c53211f0da7bcbac9907f679091

SHA256
9f86bfc34b6be4ac19722e749ae4641df79085d73a1b2474a3cd7deac1721471

SHA512
75aee09d21060246d7897b706e5eb3158e8b5f16a5fd7b4e57a2b3b6835c9a8e445d817f943e040d47a302b79547ff7665f55a6063c0f4944aff5425d62ad3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\neutr.exe

Filesize
136KB

MD5
7e61ef7921314ea97f36c4c1be9c7f30

SHA1
4114d962ed6ef8be3c575e0352a83bf1b6f22623

SHA256
1225588eeda293aa4a288b41c203ac36af2ba0043a31303620e5ec7c104db229

SHA512
ab72e5831d1610577f0d9c6683e24ec458077f4781a94063ae8abb5a385966216531cc987262507d2fea617c91c30b2eadd1ad147047ae2ca21da6c50662c245

Download Submit
memory/3156-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4824-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4824-42-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5016-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5016-14-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/6012-39-0x0000000000760000-0x00000000007EC000-memory.dmp

Filesize
560KB

Download
memory/6012-37-0x0000000000760000-0x00000000007EC000-memory.dmp

Filesize
560KB

Download
memory/6012-38-0x0000000000760000-0x00000000007EC000-memory.dmp

Filesize
560KB

Download
memory/6012-36-0x0000000000760000-0x00000000007EC000-memory.dmp

Filesize
560KB

Download
memory/6012-44-0x0000000000760000-0x00000000007EC000-memory.dmp

Filesize
560KB

Download
memory/6012-45-0x0000000000760000-0x00000000007EC000-memory.dmp

Filesize
560KB

Download
memory/6012-46-0x0000000000760000-0x00000000007EC000-memory.dmp

Filesize
560KB

Download
memory/6012-47-0x0000000000760000-0x00000000007EC000-memory.dmp

Filesize
560KB

Download
memory/6012-48-0x0000000000760000-0x00000000007EC000-memory.dmp

Filesize
560KB

Download
memory/6012-49-0x0000000000760000-0x00000000007EC000-memory.dmp

Filesize
560KB

Download