Collection of Upatre Samples (alpha version)

Legend

md5
The MD5 sum of the malware as downloaded from the source. This entry links to the details for the sample, including the complete list of delivery URLs and information about the downloaded payload (if still online at the time).
date
The time the malware was scanned on malwr.com or VirusTotal.
exe
The name of the executable after being copied to the Windows temp folder.
tempfile
The name of the temporary file inside the Windows temp folder. Not all samples use a temporary file.
c2
The IP of the C2 server for callbacks.
pdir
The root directory of C2 callbacks.
cip
The service used to determine the public facing IP of the infected client.
  • ICZ stands for icanhazip.com.
  • DYN stands for checkip.dyndns.org.
#ds
Number of delivery sites (in brackets: number of active sites, i.e., sites delivering a valid payload when checked).
port
The lowest of the four potential ports used to contact the payload delivery sites.
fmt
Format of the payload.
  • reg: The regular payload format with unpacking stub.
  • sim: The simplified payload format without unpacking stub and without check key.
dec key
The decryption key.
chk key
The check key. Only the regular payload format uses a check key.
ksa
The algorithm to modify the decryption key:
  • dec, decremental: k ← k - 1
  • dec2, double decremental: k ← k - 2
  • inc, incremental: k ← k + 1
  • rol, left rotating: k ← rol(k)
  • chk, check key based: k ← k + ck, with ck being the check key
The algorithm is only determined if a valid payload could be downloaded.
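The five key-schedule variants above, implemented as an added example (not code from the original page or from the Upatre sample itself). It assumes 32-bit unsigned keys (the legend's keys are 8 hex digits), that "rol" rotates left by one bit, and that the key is updated once per decryption step; the page does not state these details.

```python
# Added example: the "ksa" key-schedule variants from the legend, on 32-bit keys.
# Assumptions not stated on the page: keys are 32-bit unsigned values, "rol"
# rotates left by one bit, and the key is advanced once per decryption step.
from typing import List, Optional

MASK32 = 0xFFFFFFFF


def rol32(k: int, n: int = 1) -> int:
    """Rotate a 32-bit value left by n bits (n = 1 is an assumption)."""
    n %= 32
    return ((k << n) | (k >> (32 - n))) & MASK32


def next_key(k: int, ksa: str, chk_key: Optional[int] = None) -> int:
    """Apply one step of the named key-schedule algorithm to key k."""
    if ksa == "dec":            # decremental: k <- k - 1
        return (k - 1) & MASK32
    if ksa == "dec2":           # double decremental: k <- k - 2
        return (k - 2) & MASK32
    if ksa == "inc":            # incremental: k <- k + 1
        return (k + 1) & MASK32
    if ksa == "rol":            # left rotating: k <- rol(k)
        return rol32(k)
    if ksa == "chk":            # check-key based: k <- k + ck
        if chk_key is None:
            # Only the regular ("reg") format carries a check key.
            raise ValueError("ksa 'chk' requires a check key")
        return (k + chk_key) & MASK32
    raise ValueError(f"unknown ksa: {ksa}")


def key_schedule(dec_key: int, ksa: str, steps: int,
                 chk_key: Optional[int] = None) -> List[int]:
    """Return the first `steps` keys, starting with the initial decryption key."""
    keys = [dec_key & MASK32]
    for _ in range(steps - 1):
        keys.append(next_key(keys[-1], ksa, chk_key))
    return keys


if __name__ == "__main__":
    # Values from the example row: dec key 3e312c45, chk key 00047040, ksa chk.
    for k in key_schedule(0x3E312C45, "chk", 4, chk_key=0x00047040):
        print(f"{k:08x}")
```

The masking to 32 bits is what makes "dec" and "dec2" wrap correctly when the key passes zero.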

Example

| md5 | date | exe | tempfile | c2 | pdir | cip | #ds | port | fmt | dec key | chk key | ksa |
|-----|------|-----|----------|----|------|-----|-----|------|-----|---------|---------|-----|
| 57ccc167257357a5ef0782b47eae7e40 | 2015-09-05 11:09 | plusidup.exe | ID37E3.tmp | 93.185.4.90 | LE3 | ICZ | 50 (18) | 9587 | reg | 3e312c45 | 00047040 | chk |