SYMBOLCOMMON_NAMEaka. SYNONYMS
win.upatre (Back to overview)

Upatre

URLhaus    

Upatre is primarly a downloader. It has been discovered in 2013 and since that time it has been widely updated. Upatre is responsible for delivering further malware to the victims, in specific upatre was a prolific delivery mechanism for Gameover P2P in 2013-2014 and then for Dyre in 2015.

References
2020-06-24Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20200624:is:3ee7fad, author = {Marco Ramilli}, title = {{Is upatre downloader coming back ?}}, date = {2020-06-24}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2020/06/24/is-upatre-downloader-coming-back/}, language = {English}, urldate = {2020-06-24} } Is upatre downloader coming back ?
Upatre
2018-07-13Palo Alto Networks Unit 42Mike Harbison, Brittany Ash
@online{harbison:20180713:upatre:8d5e804, author = {Mike Harbison and Brittany Ash}, title = {{Upatre Continued to Evolve with new Anti-Analysis Techniques}}, date = {2018-07-13}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/}, language = {English}, urldate = {2019-12-20} } Upatre Continued to Evolve with new Anti-Analysis Techniques
Upatre
2017-07-10Secrary BlogSecrary
@online{secrary:20170710:upatre:06db6f5, author = {Secrary}, title = {{Upatre - Trojan Downloader}}, date = {2017-07-10}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/Upatre/}, language = {English}, urldate = {2019-11-29} } Upatre - Trojan Downloader
Upatre
2015-10-06Palo Alto Networks Unit 42Richard Wartell
@online{wartell:20151006:ticked:83f8d91, author = {Richard Wartell}, title = {{Ticked Off: Upatre Malware’s Simple Anti-analysis Trick to Defeat Sandboxes}}, date = {2015-10-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/}, language = {English}, urldate = {2023-04-18} } Ticked Off: Upatre Malware’s Simple Anti-analysis Trick to Defeat Sandboxes
Upatre
2015-06-10Johannes Bader
@online{bader:20150610:win32upatrebi:36ea1eb, author = {Johannes Bader}, title = {{Win32/Upatre.BI - Part One}}, date = {2015-06-10}, url = {https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/}, language = {English}, urldate = {2019-12-02} } Win32/Upatre.BI - Part One
Upatre
Yara Rules
[TLP:WHITE] win_upatre_auto (20230715 | Detects win.upatre.)
rule win_upatre_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.upatre."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff75f0 ff55f8 50 ebe7 }
            // n = 4, score = 200
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   ff55f8               | call                dword ptr [ebp - 8]
            //   50                   | push                eax
            //   ebe7                 | jmp                 0xffffffe9

        $sequence_1 = { 58 6a00 8d4de0 51 50 57 }
            // n = 6, score = 200
            //   58                   | pop                 eax
            //   6a00                 | push                0
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   57                   | push                edi

        $sequence_2 = { 0430 66ab 81c60e010000 ac 3c01 740c }
            // n = 6, score = 200
            //   0430                 | add                 al, 0x30
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   81c60e010000         | add                 esi, 0x10e
            //   ac                   | lodsb               al, byte ptr [esi]
            //   3c01                 | cmp                 al, 1
            //   740c                 | je                  0xe

        $sequence_3 = { 03f0 33c0 ac 897588 }
            // n = 4, score = 200
            //   03f0                 | add                 esi, eax
            //   33c0                 | xor                 eax, eax
            //   ac                   | lodsb               al, byte ptr [esi]
            //   897588               | mov                 dword ptr [ebp - 0x78], esi

        $sequence_4 = { 33c0 b404 57 03f8 8bf7 33c0 b025 }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   b404                 | mov                 ah, 4
            //   57                   | push                edi
            //   03f8                 | add                 edi, eax
            //   8bf7                 | mov                 esi, edi
            //   33c0                 | xor                 eax, eax
            //   b025                 | mov                 al, 0x25

        $sequence_5 = { 33c0 8945e0 8d75e0 8b7dbc 897d9c }
            // n = 5, score = 200
            //   33c0                 | xor                 eax, eax
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8d75e0               | lea                 esi, [ebp - 0x20]
            //   8b7dbc               | mov                 edi, dword ptr [ebp - 0x44]
            //   897d9c               | mov                 dword ptr [ebp - 0x64], edi

        $sequence_6 = { 66ab b053 66ab b050 66ab }
            // n = 5, score = 200
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   b053                 | mov                 al, 0x53
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   b050                 | mov                 al, 0x50
            //   66ab                 | stosw               word ptr es:[edi], ax

        $sequence_7 = { b02f 66ab ad ad }
            // n = 4, score = 200
            //   b02f                 | mov                 al, 0x2f
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   ad                   | lodsd               eax, dword ptr [esi]

        $sequence_8 = { 50 e8???????? 83c40c eb11 8b4dfc 51 8b550c }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   eb11                 | jmp                 0x13
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   51                   | push                ecx
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]

        $sequence_9 = { 50 0dc21748db 60 23e7 1b800fa46451 ae c5d15439 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   0dc21748db           | or                  eax, 0xdb4817c2
            //   60                   | pushal              
            //   23e7                 | and                 esp, edi
            //   1b800fa46451         | sbb                 eax, dword ptr [eax + 0x5164a40f]
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   c5d15439             | vandpd              xmm7, xmm5, xmmword ptr [ecx]

        $sequence_10 = { 7471 6a01 8d55c3 52 }
            // n = 4, score = 100
            //   7471                 | je                  0x73
            //   6a01                 | push                1
            //   8d55c3               | lea                 edx, [ebp - 0x3d]
            //   52                   | push                edx

        $sequence_11 = { 8d1450 0fb745e4 03d0 33c0 3bca }
            // n = 5, score = 100
            //   8d1450               | lea                 edx, [eax + edx*2]
            //   0fb745e4             | movzx               eax, word ptr [ebp - 0x1c]
            //   03d0                 | add                 edx, eax
            //   33c0                 | xor                 eax, eax
            //   3bca                 | cmp                 ecx, edx

        $sequence_12 = { 8b45f8 50 8b4dfc 51 e8???????? 83c408 8945d8 }
            // n = 7, score = 100
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax

        $sequence_13 = { 8b4dd8 51 e8???????? 8b55f8 52 8b45e4 }
            // n = 6, score = 100
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   52                   | push                edx
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_14 = { 83f804 7516 8b4df8 51 8b55fc }
            // n = 5, score = 100
            //   83f804               | cmp                 eax, 4
            //   7516                 | jne                 0x18
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   51                   | push                ecx
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        $sequence_15 = { 8955f8 8b45f8 8b08 51 e8???????? 83c404 0fb7d0 }
            // n = 7, score = 100
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   0fb7d0               | movzx               edx, ax

    condition:
        7 of them and filesize < 294912
}
[TLP:WHITE] win_upatre_w0   (20170517 | Detects Upatre malware - file hazgurut.exe)
rule win_upatre_w0 {
	meta:
		author = "Florian Roth"
		description = "Detects Upatre malware - file hazgurut.exe"
		reference = "https://weankor.vxstream-sandbox.com/sample/6b857ef314938d37997c178ea50687a281d8ff9925f0c4e70940754643e2c0e3?environmentId=7"
		date = "2015-10-13"
		score = 70
		hash = "7ee0d20b15e24b7fe72154d9521e1959752b4e9c20d2992500df9ac096450a50"
		hash = "79ffc620ddb143525fa32bc6a83c636168501a4a589a38cdb0a74afac1ee8b92"
		hash = "62d8a6880c594fe9529158b94a9336179fa7a3d3bf1aa9d0baaf07d03b281bd3"
		hash = "c64282aca980d558821bec8b3dfeae562d9620139dc43d02ee4d1745cd989f2a"
		hash = "a35f9870f9d4b993eb094460b05ee1f657199412807abe6264121dd7cc12aa70"
		hash = "f8cb2730ebc8fac1c58da1346ad1208585fe730c4f03d976eb1e13a1f5d81ef9"
		hash = "b65ad7e2d299d6955d95b7ae9b62233c34bc5f6aa9f87dc482914f8ad2cba5d2"
		hash = "6b857ef314938d37997c178ea50687a281d8ff9925f0c4e70940754643e2c0e3"
		hash = "33a288cef0ae7192b34bd2ef3f523dfb7c6cbc2735ba07edf988400df1713041"
		hash = "2a8e50afbc376cb2a9700d2d83c1be0c21ef942309676ecac897ba4646aba273"
		hash = "3d0f2c7e07b7d64b1bad049b804ff1aae8c1fc945a42ad555eca3e1698c7f7d3"
		hash = "951360b32a78173a1f81da0ded8b4400e230125d05970d41621830efc5337274"
		hash = "bd90faebfd7663ef89b120fe69809532cada3eb94bb94094e8bc615f70670295"
		hash = "8c5823f67f9625e4be39a67958f0f614ece49c18596eacc5620524bc9b6bad3d"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/upatre_oct15.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
		$a1 = "barcod" fullword ascii

		$s0 = "msports.dll" fullword ascii
		$s1 = "nddeapi.dll" fullword ascii
		$s2 = "glmf32.dll" fullword ascii
		$s3 = "<requestedExecutionLevel level=\"requireAdministrator\" uiAccess=\"false\">" fullword ascii
		$s4 = "cmutil.dll" fullword ascii
		$s5 = "mprapi.dll" fullword ascii
		$s6 = "glmf32.dll" fullword ascii
	condition:
		$a1 in (0..4000) and all of ($s*)
}
Download all Yara Rules