Windows
Analysis Report
v6DLIositV.exe
Overview
General Information
Detection: Upatre

Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Yara detected Upatre
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Drops PE files
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- v6DLIositV.exe (PID: 2952, cmdline: C:\Users\user\Desktop\v6DLIositV.exe, MD5: 9DE48E7CFC2BC56631387E527F859EFD)
  - hurok.exe (PID: 5104, cmdline: "C:\Users\user\AppData\Local\Temp\hurok.exe", MD5: 9313C9760ABEE035167EC3A7CC743EB2)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Upatre | Upatre is primarily a downloader. It was first discovered in 2013 and has been widely updated since. Upatre is responsible for delivering further malware to victims; specifically, Upatre was a prolific delivery mechanism for Gameover P2P in 2013-2014 and then for Dyre in 2015. | No Attribution | | |

{"C2 urls": "gemlttwi.com/tech/2mr.exe"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Upatre | Yara detected Upatre | Joe Security | |
 | JoeSecurity_Upatre | Yara detected Upatre | Joe Security | |
 | JoeSecurity_Upatre | Yara detected Upatre | Joe Security | |
 | JoeSecurity_Upatre | Yara detected Upatre | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Upatre | Yara detected Upatre | Joe Security | |
 | JoeSecurity_Upatre | Yara detected Upatre | Joe Security | |
 | JoeSecurity_Upatre | Yara detected Upatre | Joe Security | |
 | JoeSecurity_Upatre | Yara detected Upatre | Joe Security | |

No Sigma rule has matched.
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype |
---|---|---|---|---|---|---|---|
02/17/23-06:19:57.094300 | 192.168.2.4 | 49696 | 192.185.35.56 | 443 | TCP | 2017726 | A Network Trojan was detected |
AV Detection |
---|
Source: Avira |
Source: Virustotal |
Source: Avira URL Cloud |
Source: Avira URL Cloud |
Source: Avira |
Source: Joe Sandbox ML |
Source: Joe Sandbox ML |
Source: Avira |
Source: Avira |
Source: Avira |
Source: Avira |
Source: Malware Configuration Extractor |

Compliance |
---|
Source: Unpacked PE file |
Source: Unpacked PE file |
Source: Static PE information |
Source: HTTPS traffic detected |

Networking |
---|
Source: Snort IDS |
Source: URLs |
Source: ASN Name |
Source: JA3 fingerprint |
Source: Network traffic detected |
Source: Network traffic detected |
Source: HTTP traffic detected |
Source: String found in binary or memory |
Source: DNS traffic detected |
Source: Code function 0_2_00401020 |
Source: HTTP traffic detected |
Source: HTTPS traffic detected |