MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 149a7fc0c6ef3d691f87305d44d5877bc6042a6913280178b23b9245576d42a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Downloader.Upatre


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 149a7fc0c6ef3d691f87305d44d5877bc6042a6913280178b23b9245576d42a1
SHA3-384 hash: a28340a10dc986ad7b4f9e94fe1f294466ddf9add65c8d8a8caeff9a64d1ede36bfefb0e0a826fded85e637f08604ce4
SHA1 hash: d7ee77cb161487299d00f9848fc48dcade62af39
MD5 hash: 98b6fa08dcf95ec46c0a8207c09dba99
humanhash: four-neptune-seventeen-may
File name:98b6fa08dcf95ec46c0a8207c09dba99.exe
Download: download sample
Signature Downloader.Upatre
Create hunting rule
File size:157'696 bytes
First seen:2021-08-03 07:40:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e44fb8625920664349d927b39e5614c8 (1 x Downloader.Upatre)
ssdeep 3072:iz8qB8b+YWRzy5TYW+xj2Q5C2APy1LofKkG11JcwQe9uJ21tXDfh:iz8Tb+JRzy5T2jB0PPy1LaXG116k9ukx
Threatray 276 similar samples on MalwareBazaar
TLSH T104F3294773E820F9E0B6973889B24645E7B67C715771878F0760366E2F336919E38B22
Reporter abuse_ch
Tags:Downloader.Upatre exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
85d8c.exe
Verdict:
Malicious activity
Analysis date:
2021-08-03 04:54:40 UTC
Tags:
evasion trojan rat redline loader phishing stealer vidar
Link:
https://app.any.run/tasks/cfa9e3dd-71c3-4160-a1d2-32b2a5085a35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175956/
Detection(s):
Win.Downloader.Upatre-9880459-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Sending a TCP request to an infection source
Query of malicious DNS domain
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/be6c487e-617e-4a92-96e3-6edbd96b2d9d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/825944
Signature
Antivirus detection for URL or domain
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/149a7fc0c6ef3d691f87305d44d5877bc6042a6913280178b23b9245576d42a1/
Threat name:
Win64.Downloader.Upatre
Create hunting rule
Status:
Malicious
First seen:
2021-08-03 07:41:04 UTC
AV detection:
5 of 46 (10.87%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
0c558e46be077b56cff9ba38512a8a11784b7c29f122ead8d80e4521aa10b8e8
Downloader.Upatre
2e11c0fee3c9df36052fd654193e6f5f935d66619c12e5b7ffabf926c20f3389
Downloader.Upatre
71f5bb7d9ace05cfb89e95843499c1c19ca1d6c8b1cd66561d24ceb9ffa94862
Downloader.Upatre
91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9
Downloader.Upatre
b8338eda2c7390860da3bd4a37104b409235131406d9b4d30a78b5d4189cf317
Downloader.Upatre
c49db28c90989f14866faa6781fc5e6531c8a63d3c3f3d245b4c4d752ce5ebf0
Downloader.Upatre
d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702
Downloader.Upatre
+ 266 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata
Link:
https://tria.ge/reports/210803-mx6tljjezn/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Registers COM server for autorun
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
Unpacked files
SH256 hash:
149a7fc0c6ef3d691f87305d44d5877bc6042a6913280178b23b9245576d42a1
MD5 hash:
98b6fa08dcf95ec46c0a8207c09dba99
SHA1 hash:
d7ee77cb161487299d00f9848fc48dcade62af39
Link:
https://www.unpac.me/results/f295fd67-71c3-4ff3-a890-4aa834adbc47/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/149a7fc0c6ef3d691f87305d44d5877bc6042a6913280178b23b9245576d42a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Downloader.Upatre

Executable exe 149a7fc0c6ef3d691f87305d44d5877bc6042a6913280178b23b9245576d42a1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1453974/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175956/

Comments