
TrojanDownloader:Win32/Upatre.BE


First posted on 08 May 2015.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:Win32/Upatre.BE.

Explanation:

Threat behavior

Installation
This threat can install a copy of itself to the Windows temporary folder under a variable filename. For example:

  • %TEMP%\<filename>.exe (for example, obeches.exe)


Payload

Downloads malware or unwanted software

This threat can download other malware and unwanted software onto your PC by connecting to one of several hardcoded download URLs (but is not limited to those).

The downloaded file is an encrypted blob. Once decrypted, it is malware that we detect as Win32/Evotob (similar to TrojanDropper:Win32/Evotob.A), a tampering malware. This component in turn drops a malware family that we detect as Win32/Dyzap.
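The behaviour above (an HTTPS fetch of a ".pdf" path from a literal IP address, where the file is really an encrypted blob) suggests two defender-side checks: flag that URL shape in proxy logs, and confirm that anything retrieved from such a URL actually carries the PDF magic bytes. The code below is an added example, not part of the Microsoft write-up; the proxy log lines, client addresses and TEST-NET IPs in it are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy log lines (TEST-NET addresses, not the page's indicators):
# "<timestamp> <client> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2015-05-08T10:01:12Z 10.0.0.5 GET https://192.0.2.10/doc.pdf 200
2015-05-08T10:01:15Z 10.0.0.5 GET https://updates.example.com/readme.pdf 200
2015-05-08T10:02:40Z 10.0.0.9 GET https://198.51.100.77/report.pdf 200
2015-05-08T10:03:01Z 10.0.0.9 GET https://203.0.113.4/index.html 404
"""

def is_literal_ip(host):
    """True when the URL host is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def is_bare_ip_pdf_url(url):
    """HTTPS request to a literal IP whose path ends in .pdf: the shape of the
    download URLs in this write-up, and unusual for genuine PDF downloads."""
    u = urlsplit(url)
    return (u.scheme == "https" and u.hostname is not None
            and is_literal_ip(u.hostname) and u.path.lower().endswith(".pdf"))

def suspicious_pdf_fetches(log_text):
    """Return the URLs in a proxy log that match the bare-IP .pdf pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and is_bare_ip_pdf_url(fields[3]):
            hits.append(fields[3])
    return hits

def looks_like_pdf(data):
    """A genuine PDF begins with the '%PDF-' magic; the blob this threat
    fetches is encrypted, so its leading bytes will not match."""
    return data[:5] == b"%PDF-"

def triage_download(url, data):
    """Verdict for a retrieved file: the URL shape plus a magic-byte mismatch
    is the strongest signal; a mismatch alone still deserves a look."""
    if not looks_like_pdf(data) and url.lower().endswith(".pdf"):
        return "likely-encrypted-payload" if is_bare_ip_pdf_url(url) else "content-mismatch"
    return "no-finding"
```

Run `suspicious_pdf_fetches(SAMPLE_PROXY_LOG)` to see the two bare-IP fetches flagged while the hostname-based download and the HTML request are left alone.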



Analysis by Patrick Estavillo

Symptoms

The following can indicate that you have this threat on your PC:

  • You see a file similar to:
    • %TEMP%\obeches.exe
  • Your PC connects to one of the download URLs described under Payload.

Last update 08 May 2015
