MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Downloader.Upatre


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9
SHA3-384 hash: 5aa565cb801573fe4573fa786f97d923b2d6d2ed43cbb7c716bf66e2323398ff2686c534f828405f80dd5255283b51fc
SHA1 hash: 707088977b09835d2407f91f4f6dbe4a4c8f2fff
MD5 hash: 9499dac59e041d057327078ccada8329
humanhash: october-seven-cola-beer
File name:9499dac59e041d057327078ccada8329
Download: download sample
Signature Downloader.Upatre
Create hunting rule
File size:922'112 bytes
First seen:2021-08-09 03:23:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 045715ac29c84a0e47dab339e337bc06 (10 x Downloader.Upatre)
ssdeep 12288:jx1vJgpzeLkTqhqeEmC7QOSaeeei7fqiHf:H+zIkTgqeEVQOfeess
Threatray 292 similar samples on MalwareBazaar
TLSH T1CE15AE4BF36042FAD06F513089CBC677E7B076A91A35A72F4290D9DD2F339126F1AA11
dhash icon c4d4dcdcdcdcdcd4 (10 x Downloader.Upatre, 1 x Quakbot, 1 x HelloKitty)
Reporter zbetcheckin
Tags:Downloader.Upatre exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
main-setup-v2.3.exe
Verdict:
Malicious activity
Analysis date:
2021-08-07 22:07:44 UTC
Tags:
trojan evasion stealer vidar rat redline loader opendir phishing
Link:
https://app.any.run/tasks/5b1c4b14-8bf2-4931-a2c8-18f052456c42

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177345/
Detection(s):
Win.Downloader.Upatre-9880459-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ce003b69-51b2-4e54-947e-40d665336173
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/828938
Signature
Antivirus detection for URL or domain
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9/
Threat name:
Win64.Downloader.Upatre
Create hunting rule
Status:
Malicious
First seen:
2021-08-06 20:03:47 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
26e94627a3abe752072319b8eca4f68029a27090f89de5b92d4f700fc0f4f0b2
Downloader.Upatre
3221c7c857b80fab3818cf1ea9435cef9626d84bd308d7a365e4e5089e5ef413
Downloader.Upatre
3d93d1e45579a47c3a3425fd16319c5a004396a2d98b7cf170ed009dad29c247
Downloader.Upatre
67b1a7835687bf5851cf29539b2d0ce90ab30d373edfcf9ee54237026c67df33
Downloader.Upatre
71f5bb7d9ace05cfb89e95843499c1c19ca1d6c8b1cd66561d24ceb9ffa94862
Downloader.Upatre
b8338eda2c7390860da3bd4a37104b409235131406d9b4d30a78b5d4189cf317
Downloader.Upatre
d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702
Downloader.Upatre
f70d4b4fc9941796d149798614345b8e8bf6e0c69022ac407cb8b03bf26fdc7c
Downloader.Upatre
+ 282 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/210809-2tb3r3t7v2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Looks up external IP address via web service
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
Unpacked files
SH256 hash:
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9
MD5 hash:
9499dac59e041d057327078ccada8329
SHA1 hash:
707088977b09835d2407f91f4f6dbe4a4c8f2fff
Link:
https://www.unpac.me/results/c827591b-1f4f-4189-a9d5-a21f7614586c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Downloader.Upatre

Executable exe ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1453974/
Cape
Cape
https://www.capesandbox.com/analysis/177345/

Comments


Avatar
zbet commented on 2021-08-09 03:23:18 UTC

url : hxxp://i.spesgrt.com/lqosko/p18j/customer3.exe