
TrojanDownloader:Win32/Upatre.AZ


First posted on 21 July 2019.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Upatre.AZ is also known as Trojan-Downloader.Win32.Upatre.vkz, Downloader-FSH!12077BBE60D8, Troj/Dyreza-EJ, Downloader.Upatre, TROJ_UPATRE.YYSHS.

Explanation:

Installation

This threat gets onto your PC if you open attachments for certain spam emails. The screenshots below show how the spam might look:

[Screenshots of the spam emails are not reproduced in this copy.]

We have seen this threat use the following file names in the spam email attachments:

American_Wholesale.zip
atlas invoice.zip
Citi Merchant Services statements - 01882803-1256.zip
Doc.zip
foto.zip
IMG.zip
IncomingFax.zip
invoice.zip
JP Morgan Access - Secure.zip
my foto.zip
Pictures.zip
Retailer Statement for 2524500.zip
SecureFile.zip
Secure_Message.zip

This threat creates the following files on your PC:

%TEMP%\<file name>.exe

For example: %TEMP%\mstools.exe, where the <file name>.exe part is hard-coded inside the malware file.

We have seen this threat use the following executable file names:

acadinst.exe
acadview.exe
docviewer.exe
invoice.exe
iobit.exe
wtools.exe

Payload

Downloads updates or other malware and unwanted software

This threat can download updates or other malware and unwanted software onto your PC. We have seen that PWS:Win32/Dyzap is one of its payloads. 

The threat downloads an encrypted blob, and saves it using a hard-coded file name.

We have seen this threat use the following hard-coded file names:

acd54a.log
doc47fa.txt
docda6b.txt
inste264.txt
io4089.txt
wt5157.txt

The decrypted blob is another binary. It is saved in the %TEMP% folder under a random file name (for example, %TEMP%\qkwryle32.exe). The malware then runs it.

Connects to remote hosts

We have also observed that this variant connects to the following domains:

134.249.63.46
194.28.190.167
195.3.157.218
46.151.48.173
91.232.157.139
93.123.40.17
delatorreabogados.com
dollyguleria.com
domainregistrationthailand.com
grandturkscuba.com
luciachocolat.com
muevetuenergia.es
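The following script is an added example and is not part of the Microsoft write-up. It takes the indicators listed in the Installation, Payload and Connects to remote hosts sections above (attachment names, executables dropped in %TEMP%, hard-coded blob names, contacted IPs and domains) and matches them against endpoint telemetry. The tab-separated event format, the host names and the sample events are constructed for the example; the "executable launched from %TEMP%" rule is a heuristic for the randomly named decrypted payload, which has no fixed name to match, so expect it to fire on legitimate installers as well.

```python
"""Match the Upatre.AZ indicators from this write-up against sample telemetry.

Added example, not Microsoft's code. Indicator lists are copied from the
write-up; the event format and sample events below are constructed.
"""
import ntpath

# Spam attachment names seen with this threat (from the write-up).
ATTACHMENT_NAMES = {
    "american_wholesale.zip", "atlas invoice.zip",
    "citi merchant services statements - 01882803-1256.zip", "doc.zip",
    "foto.zip", "img.zip", "incomingfax.zip", "invoice.zip",
    "jp morgan access - secure.zip", "my foto.zip", "pictures.zip",
    "retailer statement for 2524500.zip", "securefile.zip",
    "secure_message.zip",
}
# Executable names the downloader is dropped under in %TEMP% (from the write-up).
DROPPED_EXE_NAMES = {"acadinst.exe", "acadview.exe", "docviewer.exe",
                     "invoice.exe", "iobit.exe", "wtools.exe"}
# Hard-coded names of the encrypted payload blob (from the write-up).
BLOB_NAMES = {"acd54a.log", "doc47fa.txt", "docda6b.txt", "inste264.txt",
              "io4089.txt", "wt5157.txt"}
# Hosts this variant was observed contacting (from the write-up).
C2_HOSTS = {
    "134.249.63.46", "194.28.190.167", "195.3.157.218", "46.151.48.173",
    "91.232.157.139", "93.123.40.17", "delatorreabogados.com",
    "dollyguleria.com", "domainregistrationthailand.com",
    "grandturkscuba.com", "luciachocolat.com", "muevetuenergia.es",
}

# Constructed sample telemetry (not real logs): event_type<TAB>host<TAB>detail
SAMPLE_EVENTS = (
    "file_create\tWS01\tC:\\Users\\bob\\AppData\\Local\\Temp\\wtools.exe\n"
    "file_create\tWS01\tC:\\Users\\bob\\AppData\\Local\\Temp\\wt5157.txt\n"
    "process_start\tWS01\tC:\\Users\\bob\\AppData\\Local\\Temp\\qkwryle32.exe\n"
    "dns_query\tWS01\tgrandturkscuba.com\n"
    "net_connect\tWS01\t195.3.157.218:443\n"
    "file_create\tWS02\tC:\\Users\\alice\\Downloads\\report.pdf\n"
    "dns_query\tWS02\tupdate.microsoft.com\n"
    "email_attachment\tMX1\tJP Morgan Access - Secure.zip\n"
)


def _in_temp(path: str) -> bool:
    """True if a Windows path sits under a Temp folder (where %TEMP% resolves)."""
    return "\\temp\\" in path.lower()


def classify(event_type: str, detail: str) -> list[str]:
    """Return the reasons an event matches the write-up, or [] if none."""
    reasons = []
    name = ntpath.basename(detail).lower()
    if event_type == "email_attachment" and name in ATTACHMENT_NAMES:
        reasons.append("known Upatre spam attachment name")
    if event_type == "file_create" and _in_temp(detail):
        if name in DROPPED_EXE_NAMES:
            reasons.append("Upatre downloader dropped in %TEMP%")
        if name in BLOB_NAMES:
            reasons.append("hard-coded encrypted payload blob in %TEMP%")
    if event_type == "process_start" and _in_temp(detail) and name.endswith(".exe"):
        # The decrypted payload gets a random name, so only its location is
        # matchable; this rule is a noisy heuristic, not an indicator match.
        reasons.append("executable launched from %TEMP% (heuristic)")
    if event_type in ("dns_query", "net_connect"):
        host = detail.split(":", 1)[0].lower()  # strip an optional :port (IPv4/domain only)
        if host in C2_HOSTS:
            reasons.append("network contact with listed Upatre host")
    return reasons


def scan_events(text: str) -> list[dict]:
    """Parse tab-separated 'event_type<TAB>host<TAB>detail' lines, return hits."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        event_type, host, detail = line.split("\t", 2)
        reasons = classify(event_type, detail)
        if reasons:
            hits.append({"host": host, "event": event_type,
                         "detail": detail, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit['host']:5} {hit['event']:17} {hit['detail']}")
        for reason in hit["reasons"]:
            print(f"      -> {reason}")
```

On the constructed sample, six of the eight events are flagged and the two benign ones (a PDF in Downloads and a Microsoft update lookup) are not. Matching is case-insensitive because NTFS paths are, and the network rule strips a trailing port so the same list serves both DNS and connection telemetry. The domain and IP indicators in the write-up date from the original analysis, so treat them as historical context rather than a live blocklist.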


Analysis by Allan Sepillo

Last update 21 July 2019
