Upatre – Trojan Downloader


You can get the sample from theZoo.

SHA-256: 1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7

We can use behavior analysis from hybrid-analysis.

It seems there is no known protection mechanism.

In the strings, there is nothing important other than a base64-encoded string.

…and the import table is not very telling, but our friend GetProcAddress is there.

Let’s open in IDA:

sub_403760 is used to resolve the necessary Win API functions.

Inside sub_403760, the malware decrypts strings and uses GetProcAddress to get the addresses of the functions.

To decrypt the strings before calling GetProcAddress, Upatre uses the following decryption routine.

Inside sub_402F30 the malware uses this technique to resolve the addresses of another set of Win API functions.


The decryption routine is used heavily by the malware in different places to recover plain text.

At 00403572 Upatre decodes the base64-encoded string and saves the result at 004051B0 (I renamed the variable decrypted_bin).

At 0040386D it creates a new thread.

The main work starts inside the thread at 00403900, where it decrypts and resolves the addresses of several Win API functions: CreateProcessW, ExitProcess, NtWriteVirtualMemory, NtSetContextThread, etc.

It creates itself as a new process in suspended mode and saves the thread context.

It decompresses the decoded base64 string using RtlDecompressBuffer (format COMPRESSION_FORMAT_LZNT1) and writes the result into the suspended process.
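The decode-then-decompress step above can be reproduced offline, which lets an analyst recover the injected payload from the base64 blob without running the sample. The following is an added example (not code from the original post or from the malware): a pure-Python LZNT1 decompressor that follows the chunk and token layout Windows' RtlDecompressBuffer implements for COMPRESSION_FORMAT_LZNT1, fed by a constructed two-chunk buffer so it runs stand-alone. The function names and the sample buffer are my own.

```python
import base64
import struct

# Added example, not from the original post: LZNT1 decompression in pure Python,
# the format RtlDecompressBuffer handles for COMPRESSION_FORMAT_LZNT1.
# Stream = sequence of chunks; each chunk has a 2-byte header:
#   bit 15      -> 1 if the chunk body is compressed, 0 if stored verbatim
#   bits 12-14  -> signature (always 3)
#   bits 0-11   -> body size minus one
# A zero header terminates the stream.


def _decompress_chunk(chunk: bytes) -> bytearray:
    """Decompress one LZNT1 chunk body: a flag byte, then up to 8 tokens.
    Flag bit 0 = literal byte, flag bit 1 = 2-byte back-reference."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[i])          # literal byte
                i += 1
                continue
            if i + 2 > len(chunk):
                raise ValueError("truncated back-reference token")
            token = struct.unpack_from("<H", chunk, i)[0]
            i += 2
            # The split between displacement bits and length bits depends on how
            # much of the chunk has already been produced: start with 12/4 and
            # give the length one more bit each time the output position doubles.
            pos = len(out) - 1
            len_mask, off_shift = 0xFFF, 12
            while pos >= 0x10:
                len_mask >>= 1
                off_shift -= 1
                pos >>= 1
            length = (token & len_mask) + 3
            offset = (token >> off_shift) + 1
            if offset > len(out):
                raise ValueError("back-reference points before start of chunk")
            # Copy byte by byte so overlapping (run-length style) references work.
            for _ in range(length):
                out.append(out[-offset])
    return out


def lznt1_decompress(data: bytes) -> bytes:
    """Walk the chunk headers and concatenate the decompressed chunk bodies."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:
            break                              # end-of-stream marker
        size = (header & 0xFFF) + 1
        body = data[pos:pos + size]
        pos += size
        if header & 0x8000:
            out += _decompress_chunk(body)
        else:
            out += body                        # stored chunk, copied as-is
    return bytes(out)


def recover_payload(b64_text: str) -> bytes:
    """Mirror the sample's runtime steps: base64-decode, then LZNT1-decompress."""
    return lznt1_decompress(base64.b64decode(b64_text))


# Constructed sample buffer (not taken from the malware), two chunks:
#   chunk 1: compressed, 7-byte body. Flag byte 0x08 -> tokens A, B, C, <ref>, '!'
#            ref token 0x2006 -> offset (2+1)=3, length (6+3)=9 -> "ABCABCABC"
#   chunk 2: stored, 3-byte body "xyz"
#   then a zero header ends the stream
SAMPLE_LZNT1 = (
    b"\x06\xB0" + b"\x08ABC\x06\x20!" +
    b"\x02\x30" + b"xyz" +
    b"\x00\x00"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_LZNT1).decode()

if __name__ == "__main__":
    print(recover_payload(SAMPLE_B64))   # b'ABCABCABCABC!xyz'
```

Feeding the real sample's decoded blob to `lznt1_decompress` yields the same bytes the sample writes into the suspended child, which is what you want to carve out for static analysis instead of dumping it from a debugger; a malformed or truncated buffer raises instead of silently producing garbage.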


There is one interesting anti-debug trick: at the start it saves the PEB pointer and adds the BeingDebugged value ([PEB+2]) to values at different places. Outside a debugger this value is 0 and adding 0 causes no error, but inside a debugger [PEB+2] is 1, and adding 1 can cause an error. In this case RtlDecompressBuffer returns the error 0xC0000242 (STATUS_BAD_COMPRESSION_BUFFER).

[eax+2] is the value of BeingDebugged.


We can use the ScyllaHide plugin for IDA to defeat this anti-debug method.

Back to our analysis: after decompression it calls NtSetContextThread with EIP set to 401265, then resumes the thread and exits.

Before the NtResumeProcess call, attach x32dbg to the child process and set EIP to 401265.

Close IDA and start analyzing the child process.

It tries to read the file uttE047.tmp from the %TEMP% directory, without success.

It creates the file and writes the location of the executable into it.

The contents of the uttE047.tmp file:


It copies the executable to the %TEMP% directory as utilview.exe

…and starts it as a new process.

This process behaves exactly like the first one: it creates a new process and injects the decoded and decompressed code.

Let's reverse the last part (the injected code) at a slightly higher level.

Now we are here: sample.exe -> sample.exe -> utilview.exe -> utilview.exe

The injected code is also the same as before: it checks for the uttE047.tmp file, but this time uttE047.tmp exists in the %TEMP% directory and the malware takes a different path. It reads the content of uttE047.tmp, which is the location of the original executable, and deletes that executable.

After this it gets the victim's IP address using checkip.dyndns.com.

Also, there is a typo in the User-Agent string.

and parses the IP address from the returned page.

It tries to download questd.pdf from http://penangstreetfood.net/wp-content/uploads/questd.pdf and http://yumproject.com/wp-content/uploads/2014/11/questd.pdf, without success.

It sends GET requests with client-related information; the last string is derived from the victim's IP address, with B in place of each dot.
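The dot-to-B substitution in the check-in URL is a usable detection hook for anyone hunting this traffic in proxy logs. The following is an added example (not code from the original post): it scans constructed proxy-log lines for a URL whose final path segment is four 1-3 digit groups joined by the letter B, decodes it back to dotted form and keeps only values that are valid IPv4 addresses, so a random token such as 999B1B1B1 is not flagged. The log format (timestamp, client IP, URL) and the assumption that the encoded IP is the last path segment are mine, not taken from the sample.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Added example, not from the original post: detect Upatre-style check-in URLs
# whose last path segment is the victim's IPv4 address with 'B' replacing each dot.

# exactly four 1-3 digit groups joined by 'B'; used with fullmatch on one segment
_B_IP = re.compile(r"(\d{1,3})B(\d{1,3})B(\d{1,3})B(\d{1,3})")


def decode_b_ip(segment: str) -> Optional[str]:
    """Return the dotted IPv4 string encoded in `segment`, or None if the
    segment is not a B-separated address or any octet is out of range."""
    m = _B_IP.fullmatch(segment)
    if not m:
        return None
    dotted = ".".join(m.groups())
    try:
        ipaddress.IPv4Address(dotted)       # rejects octets > 255
    except ipaddress.AddressValueError:
        return None
    return dotted


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Assumed line format (constructed): '<timestamp> <client-ip> <url>'.
    Returns (client-ip, url, decoded-ip) for every matching request."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue                         # malformed line, skip
        client, url = parts[1], parts[2]
        path = urlsplit(url).path
        last_segment = path.rstrip("/").rsplit("/", 1)[-1]
        decoded = decode_b_ip(last_segment)
        if decoded:
            hits.append((client, url, decoded))
    return hits


# Constructed log lines (not real traffic); example.test is a reserved name.
SAMPLE_LOG = [
    "2014-11-20T10:01:02 10.0.0.5 http://example.test/wp-content/uploads/questd.pdf",
    "2014-11-20T10:01:05 10.0.0.5 http://example.test/gate/WIN7-PC/198B51B100B7",
    "2014-11-20T10:01:09 10.0.0.8 http://example.test/img/999B1B1B1",
    "2014-11-20T10:02:00 10.0.0.9 http://example.test/a/1B2B3",
]

if __name__ == "__main__":
    for client, url, ip in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url} (victim IP {ip})")
```

Only the second line is reported, decoded to 198.51.100.7; the third fails the octet range check and the fourth has only three groups. In a real deployment the pattern would be paired with the other indicators above (the questd.pdf download attempts, the checkip.dyndns.com lookup, the malformed User-Agent) to keep false positives down.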

That’s all… Upatre’s main function is to download malicious files.

I know I overlooked many things related to Upatre due to my limited knowledge; if you find something interesting, please contact me.

