TrojanDownloader:Win32/Upatre.BE
First posted on 08 May 2015.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:Win32/Upatre.BE.
Explanation:
Threat behavior
Installation
This threat can install a copy of itself to the Windows temporary folder under varying filenames, for example:
- %TEMP%\<random filename>.exe (such as obeches.exe)
Payload
Downloads malware or unwanted software
This threat can download other malware and unwanted software onto your PC by connecting to the following URLs (including, but not limited to):
- hxxps://62.16.54.127/tis24.pdf
- hxxps://78.157.227.34/tis24.pdf
- hxxps://81.163.87.7/tis24.pdf
- hxxps://83.222.73.9/tis24.pdf
- hxxps://176.106.122.31/tis24.pdf
- hxxps://188.123.37.229/tis24.pdf
- hxxps://188.123.54.111/tis24.pdf
- hxxps://194.190.1.64/tis24.pdf
The downloaded file is an encrypted blob. Once decrypted, it is malware that we detect as Win32/Evotob (similar to TrojanDropper:Win32/Evotob.A), a tampering malware. This component in turn drops a malware family that we detect as Win32/Dyzap.
Analysis by Patrick Estavillo
Symptoms
The following can indicate that you have this threat on your PC:
- You see a file similar to:
  - %TEMP%\obeches.exe
- Your PC connects to one of the following URLs:
  - hxxps://62.16.54.127/tis24.pdf
  - hxxps://78.157.227.34/tis24.pdf
  - hxxps://81.163.87.7/tis24.pdf
  - hxxps://83.222.73.9/tis24.pdf
  - hxxps://176.106.122.31/tis24.pdf
  - hxxps://188.123.37.229/tis24.pdf
  - hxxps://188.123.54.111/tis24.pdf
  - hxxps://194.190.1.64/tis24.pdf
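As an added illustration (not part of the Microsoft entry), the following Python checks the Payload and Symptoms indicators above against constructed proxy log lines and file paths. The proxy log layout, the client addresses 10.0.0.x and the host intranet.example are assumptions; only the eight download hosts come from this page.

```python
import re
from pathlib import PureWindowsPath

# Download hosts listed on this page. Only the destination IP is usable for
# matching: the fetch is over HTTPS, so a proxy or firewall normally records
# "CONNECT <ip>:443" rather than the /tis24.pdf path.
UPATRE_BE_HOSTS = frozenset({
    "62.16.54.127", "78.157.227.34", "81.163.87.7", "83.222.73.9",
    "176.106.122.31", "188.123.37.229", "188.123.54.111", "194.190.1.64",
})

# "timestamp client method destination" proxy line; this layout is an assumption.
PROXY_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<dest>\S+)")

def dest_host(dest):
    """Reduce a logged destination (URL or host:port) to its host part."""
    host = re.sub(r"^[a-z]+://", "", dest).split("/", 1)[0]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host

def find_upatre_connections(log_lines):
    """Return (client, host) for each line whose destination is a listed host."""
    hits = []
    for line in log_lines:
        m = PROXY_LINE.match(line)
        if m and dest_host(m["dest"]) in UPATRE_BE_HOSTS:
            hits.append((m["client"], dest_host(m["dest"])))
    return hits

def suspicious_temp_executables(paths):
    """Flag every .exe directly under a Temp folder. The dropped copy uses
    varying names (obeches.exe is only one example), so names are not matched."""
    return [p for p in paths
            if PureWindowsPath(p).suffix.lower() == ".exe"
            and PureWindowsPath(p).parent.name.lower() == "temp"]

# Constructed sample proxy log: two listed hosts, one benign site, one near-miss IP.
SAMPLE_PROXY_LOG = """\
2015-05-08T10:01:02Z 10.0.0.15 GET http://intranet.example/index.html
2015-05-08T10:01:07Z 10.0.0.15 CONNECT 62.16.54.127:443
2015-05-08T10:01:09Z 10.0.0.22 CONNECT 194.190.1.64:443
2015-05-08T10:02:00Z 10.0.0.15 CONNECT 194.190.1.65:443
""".splitlines()

if __name__ == "__main__":
    print(find_upatre_connections(SAMPLE_PROXY_LOG))
    print(suspicious_temp_executables([r"C:\Users\a\AppData\Local\Temp\obeches.exe"]))
```

A hit on a listed host is worth an immediate look at that client's %TEMP% folder, since the page's indicators pair the download with a freshly written executable there.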
Last update 08 May 2015