Upatre – Trojan Downloader

Share this…

You can get the sample from theZoo

SHA-256: 1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7

We can use behavior analysis from hybrid-analysis.

imageSeems like there is no known protection mechanism.

In the strings, there is nothing important other than this base64 encoded string: image

…and imports is not eloquent but there is our friend GetProcAddressimage

Let’s open in IDA:

sub_403760 is used to get necessary Win API functions: image

Inside sub_403760, malware decrytes strings and uses GetProcAddress to get addresses of functions: image

To decrypt strings before call GetProcAddressUpatre uses following decryption routine: image

Inside sub_402F30 malware uses this teqnique to get addresses for following Win API functions:


The decryption routine is used heavily by malware in different places to get plain text. image

At 00403572Upatre decodes base64 encoded string and saves at 004051B0(I renamed variable as decrypted_bin): image

At 0040386D it creates a new thread: image

Main work starts inside the thread at 00403900, Where it decryptes and gets addresses for several Win API functions: CreateProcessWExitProcessNtWriteVirtualMemoryNtSetContextThread, etc. image

Creates itself as a new process in suspended mode and saves Contextimage

Decompresses decoded base64 string using RtlDecompressBuffer(format COMPRESSION_FORMAT_LZNT1): image…and writes into suspened process: image


There is one interesting anti-debug trick, at the start it saves PEB and adds BeingDebug value [PEB+2] at different places, outside of a debugger this value is 0 and adding 0don’t causes any error, but if we try to add 1 (which is the value of [PEB+2] if the executable is inside a debugger) it may cause error. In this case RtlDecompressBuffer returns 0xC0000242(STATUS_BAD_COMPRESSION_BUFFER) error.

[eax+2] is the value of BeingDebugimage


imageWe can use ScyllaHide plugin for IDA to defeat this anti-debug method.

Back to our analysis, after decompress it calls NtSetContextThread, value of EIP is 401265imageResumes thread and exits: image

Before NtResumeProcess call attach x32dbg to child process and set EIP to 401265image

Close IDA and start analyzing of the child process.

Tries to read uttE047.tmp file from %TEMP% directory without success: image

Creates one and writes location of the executable: image

Inside of uttE047.tmp file:


Copies executale to %TEMP% directory as utilview.exeimage

…and creates as new process: image

This process is exactly same as the first process, creates a new process and injects decoded and decompressed code.

Let’s reverse last part (injected code) a little bit higher level.

Now we are here: sample.exe -> sample.exe -> utilview.exe -> utilview.exe

The injected code is also same as before it checks uttE047.tmpfile, but this time there is uttE047.tmp in %TEMP% directory and malware goes a different direction, reads the content of uttE047.tmp, which is the location of the executable and removes that executable: image

After this it gets IP of the victim using checkip.dyndns.comimage

Also, there is a typo in user-agent string: image

and parses IP from returned file: image

It tries to download questd.pdf from https://penangstreetfood.net/wp-content/uploads/questd.pdf and https://yumproject.com/wp-content/uploads/2014/11/questd.pdf without success. image

Sends GET requests to with client related information, last string derives from victim’s IP address, Bis instead of . image

That’s all… Upatre’s main function is to download malicious files.

I know, I overlook many things related to Upatre, due to my limited knowledge, if you find something interesting please contact me.