urelas | 67fb64998492982423b0d8690ff06ec9c55e8c519ce007fc09d353bcc1472892

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe
Size

333KB
MD5

b785705f4c8d06c986ccf1cbcbc28a45
SHA1

9a9549c26b16c833ebd6b7791ada954dd1935a01
SHA256

67fb64998492982423b0d8690ff06ec9c55e8c519ce007fc09d353bcc1472892
SHA512

4b99c89351928ff99575bebb1de908582d08c9d44d3bd748e6eac8090aafdacabe01002725dd1639f7c392d3f1c0cfe591f7a1fe503df05e6ff55d10ebbc022a
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisT:Nd7rpL43btmQ58Z27zw39gY2FeZhmzO

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000024218-32.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	izpaig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	ehohd.exe

Executes dropped EXE 3 IoCs

pid	Process
5492	ehohd.exe
1456	izpaig.exe
1896	rypur.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ehohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	izpaig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rypur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe
1896	rypur.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5964 wrote to memory of 5492	5964	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe	85
PID 5964 wrote to memory of 5492	5964	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe	85
PID 5964 wrote to memory of 5492	5964	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe	85
PID 5964 wrote to memory of 2216	5964	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe	86
PID 5964 wrote to memory of 2216	5964	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe	86
PID 5964 wrote to memory of 2216	5964	2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe	86
PID 5492 wrote to memory of 1456	5492	ehohd.exe	88
PID 5492 wrote to memory of 1456	5492	ehohd.exe	88
PID 5492 wrote to memory of 1456	5492	ehohd.exe	88
PID 1456 wrote to memory of 1896	1456	izpaig.exe	108
PID 1456 wrote to memory of 1896	1456	izpaig.exe	108
PID 1456 wrote to memory of 1896	1456	izpaig.exe	108
PID 1456 wrote to memory of 228	1456	izpaig.exe	109
PID 1456 wrote to memory of 228	1456	izpaig.exe	109
PID 1456 wrote to memory of 228	1456	izpaig.exe	109

C:\Users\Admin\AppData\Local\Temp\2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_b785705f4c8d06c986ccf1cbcbc28a45_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5964
- C:\Users\Admin\AppData\Local\Temp\ehohd.exe
  "C:\Users\Admin\AppData\Local\Temp\ehohd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5492
- - C:\Users\Admin\AppData\Local\Temp\izpaig.exe
    "C:\Users\Admin\AppData\Local\Temp\izpaig.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\rypur.exe
      "C:\Users\Admin\AppData\Local\Temp\rypur.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
364B

MD5
3ded7c910328a020bfd9ddb63b0ff682

SHA1
06215d3752e7f41122e8c2abd7d53b1ea214e49c

SHA256
e4dfea3c08a7625ec06e2922973d8277b935cdc5970fb045f4badc9b514f34a6

SHA512
15616455ac433103765432f1969436e667bf213012ef83673c301c9cf6c8f27e623f4e40c641e165783d7b7c2557480c6f7533ad2f7418fa63ce77aafc3068d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
eb8522a206278b60c7724d9f2a54760d

SHA1
299027ff03393c0c0e1d768d5b7749bff3abdfbb

SHA256
f63fad76269d4c47994d43cc4649cb52a5cc791e267bc0c952a32480642e44b7

SHA512
48f1db634d80f55aa31017877f1eb9e40423a1c9d48709493f555ed3b98599f774b136652e901879fe2a2c925f559f92e61c8e2323a93af240cb10ffad84d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehohd.exe

Filesize
333KB

MD5
5545a5fb414156c656607466a5f5e5f4

SHA1
632c46078952cbf27160b47cdd90f8ab408720da

SHA256
54436bb04fbdaf15657567f6432305b2f0393147533828c78e37b52525cc4472

SHA512
bd9a603d6c5e121037869b5d0aec4800ebdb1cec1d56116ecad219c84d4dfcdd8d62fc3a1f142d21283c4e0cbcbe815a94c5b7f54805a0bb5ac97d6b4f5474bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fa88f24b519e350ba6bb3ba0cae892e0

SHA1
8001a7401fd5154119678092c9dc91fec688cdbc

SHA256
c3acadd517aa403dcf5fd7c88b3800d92ea693b63767eec3f6dab4251a5ad6e9

SHA512
000ad39f3542ec5629eb27633540e7146d0fb6287c365fea1ec49b6905fc8645f77be11c5c82dacbc43ff4aa0adb338d319bcb44c58b06706252afe2461b5a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rypur.exe

Filesize
136KB

MD5
8708baa47f19c5b73f200b83dc560ef8

SHA1
b901c529b8280b032589f0bf6987d8ed6c37cdd2

SHA256
a9b1567c1b4c5eed1bdd01ea27a8e3cdb3f86cd5e3164fb6f50d8c6f479ecf90

SHA512
49d1e03631ab6788a1cb04f7b6d9b8be0c592471d790cf7d3cd2038c020a2894ecbe5ba4742db0fb824da1af1521c7f20718b8648cfad1a0fd148792dd44e19d

Download Submit
memory/1456-26-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1456-43-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1896-41-0x0000000000970000-0x00000000009FC000-memory.dmp

Filesize
560KB

Download
memory/1896-47-0x0000000000970000-0x00000000009FC000-memory.dmp

Filesize
560KB

Download
memory/1896-40-0x0000000000970000-0x00000000009FC000-memory.dmp

Filesize
560KB

Download
memory/1896-50-0x0000000000970000-0x00000000009FC000-memory.dmp

Filesize
560KB

Download
memory/1896-39-0x0000000000970000-0x00000000009FC000-memory.dmp

Filesize
560KB

Download
memory/1896-38-0x0000000000970000-0x00000000009FC000-memory.dmp

Filesize
560KB

Download
memory/1896-49-0x0000000000970000-0x00000000009FC000-memory.dmp

Filesize
560KB

Download
memory/1896-48-0x0000000000970000-0x00000000009FC000-memory.dmp

Filesize
560KB

Download
memory/1896-45-0x0000000000970000-0x00000000009FC000-memory.dmp

Filesize
560KB

Download
memory/1896-46-0x0000000000970000-0x00000000009FC000-memory.dmp

Filesize
560KB

Download
memory/5492-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5492-14-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5964-16-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5964-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download