MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cff428e9607d1819a4da397dafba7380734315daaace0ea129144755cc5706f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Downloader.Upatre


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cff428e9607d1819a4da397dafba7380734315daaace0ea129144755cc5706f
SHA3-384 hash: c3120390e7fb5f5303eb545cb5caff8b16c9f994bc5eeb7b65fa0643e7a80d4bb86035383e01dc6cc33c90730af46657
SHA1 hash: 4f2b7d3df800b97bda3b3bb303b85b30bda99180
MD5 hash: e9f323a2cf1fff2fd364f6bb8f7764d7
humanhash: zebra-high-georgia-don
File name:e9f323a2cf1fff2fd364f6bb8f7764d7.exe
Download: download sample
Signature Downloader.Upatre
Create hunting rule
File size:245'248 bytes
First seen:2021-07-25 06:25:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 11525613f6414fd0e2667f9ac72fe9d2 (1 x Downloader.Upatre)
ssdeep 3072:Ak4OU3kjmwE/eGW3+9AmDRyazjQaKGaeocarHjln37XzKWL3Zssl:AVOckAZs+emgOQGQj5Xz/L3Os
Threatray 252 similar samples on MalwareBazaar
TLSH T17534D30272503AA4E2E64735F803D7509E717F270760925F92227EF93E3A3D35D2B62A
dhash icon f0ccae8a9e96cce8 (2 x Downloader.Upatre, 1 x PrivateLoader)
Reporter abuse_ch
Tags:Downloader.Upatre exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e9f323a2cf1fff2fd364f6bb8f7764d7.exe
Verdict:
No threats detected
Analysis date:
2021-07-25 06:26:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0ed3a318-288c-4fe9-a6c9-9ea0f9b11031

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173977/
Detection(s):
Win.Downloader.Upatre-9880459-0
Create hunting rule

Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca137357-ecb8-4725-8792-ebf5e6cc15aa
Result
Threat name:
Backstage Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/821425
Signature
Antivirus detection for URL or domain
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win64.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-25 06:26:09 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0705af99615fdc12025b5449cb80591559a3f7a31037cd85dcc64ed0f7224fdc
Downloader.Upatre
08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1
Downloader.Upatre
1ced01c2c4455606d8ed1eda83bd1507785d4c97fc8c7967bda90cd91ba82e32
Downloader.Upatre
21aad53d28c5415465bef9cd7b36d0d4708f22b57d77f7d6aca5e2de371c1bb5
Downloader.Upatre
3cee28ef52c59c99b841c6927f5085e483523cb8b606ff9ce5d60b3c13574545
Downloader.Upatre
474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c
Downloader.Upatre
844131e4d854e4963f3e742809946adb7d3644409a819cce010415d611f2a174
Downloader.Upatre
87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42
Downloader.Upatre
dbe10036d4c3b406a2396da6c87062803b44ff5fa3b29bc08222d818e5b99108
Downloader.Upatre
eddbfe52ba633950c388e0303d5a04453f9ba9e3a3cdc60f9a1355707cd209e6
Downloader.Upatre
+ 242 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/210725-1wcfxnacq6/
Behaviour
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
Unpacked files
SH256 hash:
0cff428e9607d1819a4da397dafba7380734315daaace0ea129144755cc5706f
MD5 hash:
e9f323a2cf1fff2fd364f6bb8f7764d7
SHA1 hash:
4f2b7d3df800b97bda3b3bb303b85b30bda99180
Link:
https://www.unpac.me/results/3136c41b-d80c-4d95-a3af-ea969cbdf9a4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0cff428e9607d1819a4da397dafba7380734315daaace0ea129144755cc5706f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Downloader.Upatre

Executable exe 0cff428e9607d1819a4da397dafba7380734315daaace0ea129144755cc5706f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1453974/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/173977/

Comments