Home / malwarePDF  


First posted on 21 July 2019.
Source: Microsoft

Aliases :

TrojanDownloader:Win32/Upatre.AZ is also known as Trojan-Downloader.Win32.Upatre.vkz, Downloader-FSH!12077BBE60D8, Troj/Dyreza-EJ, Downloader.Upatre, TROJ_UPATRE.YYSHS.

Explanation :

Installation This threat gets onto your PC if you open attachments for certain spam emails. The screenshots below shows how the spam might look like:           We have seen this threat use the following file names in the spam email attachments:  American_Wholesale.zip atlas invoice.zip Citi Merchant Services statements - 01882803-1256.zip Doc.zip foto.zip IMG.zip IncomingFax.zip invoice.zip JP Morgan Access - Secure.zip my foto.zip Pictures.zip Retailer Statement for 2524500.zip SecureFile.zip Secure_Message.zip

This threat creates the following files on your PC:

%TEMP% .exe

For example: %TEMP%mstools.exe, where .exe file is hard-coded inside the malware file.

We have seen this threat use the following executable file names:

acadinst.exe acadview.exe docviewer.exe invoice.exe iobit.exe wtools.exe Payload

Downloads updates or other malware and unwanted software

This threat can download updates or other malware and unwanted software onto your PC. We have seen that PWS:Win32/Dyzap is one of its payloads. 

The threat downloads an encrypted blob, and saves it using a hard-coded file name.

We have seen this threat use the following hard-coded file names:

acd54a.log doc47fa.txt docda6b.txt inste264.txt io4089.txt wt5157.txt

The decrypted blob is another binary. It is saved in the %TEMP% folder, and has a random file name (for example, %TEMP%qkwryle32.exe). Then, the malware runs it.

Connects to remote hosts

We have also observed that this variant connects to the following domains: delatorreabogados.com dollyguleria.com domainregistrationthailand.com grandturkscuba.com luciachocolat.com muevetuenergia.es


Analysis by Allan Sepillo

Last update 21 July 2019