cover image for post 'Win32/Upatre.BI - Part Two'

Win32/Upatre.BI - Part Two

This is the second part of the four-part series on "Win32/Upatre.BI". Check out the other parts here:

The first blog post of the series on Upatre showed how to unpack the malware. You can download the unpacked sample from if you like to retrace my reversing steps.

This second part focuses on the configuration of Upatre. The first section presents the format of the data structures used to store configuration details, such as

  • the executable name
  • the C2 address, port, and root directory
  • the urls that host the (encrypted) malware downloads
  • the keys to decrypt and validate the downloaded content

The second section then employs a small IDA script to extract and format the configuration information of ten samples (including the unpacked one). All analysed samples use the same configuration format, but they use it in slightly different ways. For example, all Upatre samples decrypt downloaded content with a key from the configuration file, but the key-scheduling algorithm might be different. I list the differences in the overview, but elaborate on the details in the upcoming blog post on Upatre.

Format of Upatre’s Configuration


As mentioned in part one, the unpacked code is position independent. All functions and global variable are accessed by a global offset table. This offset table is located at the start of the .text section. Upatre gets the absolute address of the offset table by rounding down the EIP — which it obtains by a fake call — to the page boundary. It then adds the six offsets (stored as WORDs) to the base address to obtain a table of absolute addresses:

.text:0040127A                 call    $+5
.text:0040127F                 pop     eax
.text:00401280                 sub     esp, 64h
.text:00401283                 mov     ebp, esp
.text:00401285                 and     ax, 0F000h
.text:00401289                 add     esp, 0FFFFFF7Ch
.text:0040128F                 push    6
.text:00401291                 pop     ecx
.text:00401292                 push    eax
.text:00401293                 lea     eax, [ebp+64h+global_address_table]
.text:00401296                 pop     esi
.text:00401297                 mov     edi, eax
.text:00401299                 mov     ebx, esi
.text:0040129B loc_40129B:                       
.text:0040129B                 xor     eax, eax
.text:0040129D                 lodsw
.text:0040129F                 add     eax, ebx
.text:004012A1                 stosd
.text:004012A2                 loop    loc_40129B

The following table shows the six entries of the offset table. The address column shows the resulting absolute address given the .text section starts at 0x401000:


The first row points to the configuration data. The routines fetch_and_advance, get_decrypted_strings and get_field_of_target are stubs to access the data structures. Half of the decrypt_strings_and_get_os_infos routine, namely the decryption part, is discussed in this post, the remaining half, as well as the routine send_user_infos, follow in the third part.

Upatre uses one large structure as its configuration — referenced by the first entry of the global offset table. The config information is read inside decrypt_strings_and_get_os_infos which reveals most of the format. The following illustration shows an overview of the config data structure with example values from the examined sample:


The first two bytes of the config denote the lowest port address used in C2 communications. Each time the port referenced a random number of up to 3 is added, which results in a port range of four ports:

.text:00401786 FF 93 00 11 00 00       call    [ebx+imports.GetTickCount]
.text:0040178C 83 E0 03                and     eax, 3
.text:0040178F 03 45 C8                add     eax, [ebp+64h+port]

(Encrypted) Strings

Starting at offset 0x2 the config contains a list of strings. Each string is zero-terminated. For example:

36 60 36 60 00 36 60 4F  36 60 00 7C 63 76 7D 00

Some samples store the strings in plaintext; my sample used the XOR key 0x13 to obfuscate the strings. The strings are first decrypted — if necessary — and then stored as Unicode in a newly allocated sections. The above list of encrypted strings, for instance, becomes:

25 00 73 00 25 00 73 00  00 00 25 00 73 00 5C 00  %.s.%.s...%.s.\.
25 00 73 00 00 00 6F 00  70 00 65 00 6E 00 00 00  %.s...o.p.e.n...

which represents the strings "%s%s", "%s%s" and “open”. Upatre also stores the pointers to the decrypted string in an array of pointers:

02854FE0 dd offset aSS                           ; *%s%s*
02854FE4 dd offset aSS_0                         ; *%s\\%s*
02854FE8 dd offset aOpen                         ; *open*

The list of strings is terminated by byte 0x01, which is neither a printable ASCII character itself, nor decrypts to one. All above steps are performed by the following snippet.

.text:00401034     next_string:                        
.text:00401034     mov     [ebx], edi
.text:00401036     add     ebx, 4
.text:00401039     next_letter:                       
.text:00401039     lodsb
.text:0040103A     cmp     al, 1
.text:0040103C     jz      short all_strings_done     
.text:0040103E     test    al, al
.text:00401040     jz      short loc_401044
.text:00401042     xor     al, 13h
.text:00401044     loc_401044:                       
.text:00401044     stosw
.text:00401046     inc     ecx
.text:00401047     test    al, al
.text:00401049     jnz     short next_letter
.text:0040104B     jmp     short next_string
.text:0040104D     ; ----------------------------------------

The following helper subroutine is used to get a decrypted string by an index passed in ecx:

.text:00401138 ; ecx = index
.text:00401138 ; Attributes: bp-based frame
.text:00401138 get_decrypted_string_by_index proc near
.text:00401138 decrypted_strings= dword ptr  60h
.text:00401138 mov     eax, [ebp+decrypted_strings]
.text:0040113B mov     eax, [eax+ecx*4]
.text:0040113E retn
.text:0040113E get_decrypted_string_by_index

Some of the strings have a predefined purpose:

3text/*first accept-type of the downloads
4application/*second accept-type of the downloads
6Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0user-agent
7wevadez.exeexe name of Upatre
8LogE83.tmptemp file used to store downloaded content

The remaining strings are dull (like the format string %s%s), or referenced by the targets which are discussed later.

Decryption Keys

Upatre is mainly a downloader for other malware. The downloaded content, as will be shown in the fourth part of this blog series, is encrypted with a four byte key. The keys are stored in a variable sized array, with the number of elements indicated by one byte at the start of the array. For example, my samples stores one key:

.rdata:004025D9 db    1
.rdata:004025DA dd 3CB1A338h

Check Keys

Upatre also validates the decrypted downloads by comparing four bytes of the download to a second key. These keys are again stored in a variable sized array following the decryption keys, for example:

.rdata:004025DE db    1
.rdata:004025DF dd 6B5519C2h

Edit June 17, 2015: Some Upatre samples have no check keys. They use a simplified payload format, see the fourth part of this blog series.

Network Targets

After the two key arrays follows another array which contains information about the network targets. Each network target — except for the C2 server address — is represented by a 7 byte data structure (Edit: older samples use 6 bytes per target). Again a one byte value at the start denotes the size of the array, for example:

.rdata:004025E3  db  11h
.rdata:004025E4  target <2Dh, 0Bh, 0Ch, 0, 0, 0Ah, 0>
.rdata:004025EB  target <2Dh, 0Dh, 0Eh, 0, 0, 0Ah, 0>
.rdata:004025F2  target <2Dh, 0Fh, 10h, 0, 0, 0Ah, 0>
.rdata:004025F9  target <2Dh, 11h, 12h, 0, 0, 0Ah, 0>
.rdata:00402600  target <2Dh, 13h, 14h, 0, 0, 0Ah, 0>

Upatre uses the following slim subroutine to access fields of a specific target:

.text:0040113F get_field_of_target
.text:0040113F targets= dword ptr -80h
.text:0040113F var_1C= dword ptr -1Ch
.text:0040113F movzx   ecx, ah
.text:00401142 xor     ah, ah
.text:00401144 add     ecx, [ebp+64h+targets]
.text:00401147 mov     eax, [ecx+eax*8]
.text:0040114A xor     ecx, ecx
.text:0040114C retn
.text:0040114C get_field_of_target

The subroutine has two arguments: the target number passed in register al, and the desired field in ah. The subroutine returns four consecutive fields in register eax. Of this return value sometimes al is used, in this case argument ah corresponds to the retrieved field index. In other cases ah is accessed, which means for argument ah the field ah + 1 is accessed. By looking at all calls to the get_field_of_target-subroutine, one can quickly find out the purpose of most fields.

1st Field - C2 root directory

The first field of a target is needed when the target is used as C2 callback, i.e., as a receiver for user information. In those cases the first value of the first field serves as the index into the array of decrypted strings:

.text:00401158 mov     edi, [ebp+64h+path]
.text:0040115B push    '/'
.text:0040115D pop     eax
.text:0040115E stosw
.text:00401160 mov     eax, [ebp+64h+ip_nr]
.text:00401163 call    [ebp+64h+get_field_of_target]
.text:00401166 movzx   ecx, al
.text:00401169 call    [ebp+64h+get_decrypted_strings]
(string is copied to path)

The referenced string is used as the root directory of HTTP GET requests to the C2 host (the details follow in the third part of this blog series).

2nd Field - Server Name

Here is an example where a target’s second field is referenced:

.text:0040163B mov     eax, ecx        ; tar_nr
.text:0040163D call    [ebp+64h+get_field_of_target]
.text:00401640 mov     cl, ah
.text:00401642 call    [ebp+64h+get_decrypted_string_by_index]
.text:00401645 push    eax
.text:00401646 push    [ebp+64h+hInternetOpenHandle]
.text:00401649 call    [ebx+imports.InternetConnectW]

The resulting value is used to fetch a decrypted string, which in turn is then used as the server name for the InternetConnectW call. The field can also be -1, in these cases the target is skipped:

.text:004015A4 check_target_index:
.text:004015A4 mov     [ebp+64h+tar_nr], eax
.text:004015A7 call    [ebp+64h+get_field_of_target]
.text:004015AA inc     ah
.text:004015AC jz      short next_ip

3rd Field - Download Path

The following snippet first reads the third field of a target.

.text:0040167E mov     ah, 1
.text:00401680 call    [ebp+64h+get_field_of_target]
.text:00401683 mov     cl, ah
.text:00401685 call    [ebp+64h+get_decrypted_string_by_index]
.text:00401688 push    eax
.text:00401689 push    esi
.text:0040168A push    edi
.text:0040168B call    [ebx+imports.HttpOpenRequestW]

The field value is used to reference a decrypted string, which is used as the target of the HttpOpenRequestW call. The third field denotes the url path for the second stage downloads.

4rd Field - Key Index

The fourth field of a target is read in the following snippet. It is used as index into the download keys array:

.text:0040180B mov     eax, [ebp+64h+tar_nr]
.text:0040180E mov     ah, 2
.text:00401810 call    [ebp+64h+get_field_of_target]
.text:00401813 mov     cl, ah
.text:00401815 shl     ecx, 2
.text:00401818 mov     eax, [ebp+64h+download_keys]

In a similar call, the same field is used to index the check keys:

.text:00401857 mov     eax, [ebp+64h+tar_nr]
.text:0040185A inc     ah
.text:0040185C inc     ah
.text:0040185E call    [ebp+64h+get_field_of_target]
.text:00401861 mov     cl, ah
.text:00401863 shl     ecx, 2
.text:00401866 mov     eax, [ebp+64h+check_keys]

6th Field - Another Exe Filename

The sixth fields points to a decrypted exe filename. This filename is not used in the my samples — maybe the filename is used by the downloaded payload (which I didn’t analyse).

Purpose of Targets

The first entry in the targets list has a special meaning for all except one sample: it is used to determine the IP address of the victim. All samples with client IP detection used the website. The remaining targets are used to host the second stage malware.

Observed Config Files

Edit: Added three more samples (June 17th, 2015). This section shows the config files of 10 different samples. The config files were read with the following IDA Pro script:

def print_row(a, b, c=""):
    print("{:<15} | {:<40} | {}".format(a, b, c))

def get_keys(ea):
    keys = []
    nr_keys = Byte(ea)
    ea += 1
    for i in range(nr_keys):
        keys.append(Dword(ea)); ea += 4

    return keys, ea

def print_keys(keys, type_):
    keys_str = ", ".join(["{:08x}".format(k) for k in keys])
    s = "s" if len(keys) > 1 else ""
    print_row("{} {} key{}".format(len(keys), type_, s),  keys_str)

def get_target_info(target, strings):
    id_ = strings[target[0]]
    url = "{}{}".format(strings[target[1]], strings[target[2]])
    file_ = strings[target[5]]
    return url, id_, file_

print_row("field", "value", "comment")
print_row("---", "---", "---")

ea = ScreenEA()
enc = AskYN(1, "are the string encrypted?")

# port
port = Word(ea); ea += 2

# strings 
strings = []
s = ""
while Byte(ea) != 1:
    b = Byte(ea)
    if b and enc:
        b ^= 0x13
    if not b:
        s = ""
        s += chr(b)
    ea += 1

# string infos
print_row("port", port, "range {0}-{1}".format(port, port+3))
print_row("accept-type", "{}, {}".format(strings[3], strings[4]))
print_row("user-agent", strings[6])
print_row("malware name", strings[7],  "in %Temp% folder")
print_row("temp file", strings[8], "in %Temp% folder")

#  keys
ea += 1
dec_keys, ea = get_keys(ea)
print_keys(dec_keys, "decryption")
check_keys, ea = get_keys(ea)
print_keys(check_keys, "check")

# C2 server
print_row("C2 server", strings[9])

# targets
nr_targets = Byte(ea); ea += 1
print_row("nr of targets", "{}".format(nr_targets))
for k in range(nr_targets):
    target = []
    for l in range(7):
        target.append(Byte(ea)); ea += 1
    url, id_, file_= get_target_info(target, strings)
    if k == 0:
        usage = "client ip"
        url = "http://" + url
        extra = ""
        usage = "download {}".format(k)
        url = "https://" + url
        extra = "id = {}, file = {}".format(id_, file_)

    print_row(usage, url, extra) 

All samples were obtained from and are shared by the uploader. I use the first eight letters of the hex representation of the MD5 sum as identifier. For each samples I also list the following:

  • whether or not the strings are encrypted
  • whether the first target is used to determine the client’s IP
  • which key-scheduling instruction is used to decrypt downloads. The decryption algorithm is shown in the fourth and last part of this series.

The values after id = denote the root directory used in C2 callbacks. The value after file = is the executable name presumably used by second stage payloads.

Sample 0x7347d213

(This is the sample from this blog post). Sample information:

string encryption
client ip
key scheduling


port13380range 13380-13383
accept-typetext/*, application/*
user-agentMozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
malware namewevadez.exein %Temp% folder
temp fileLogE83.tmpin %Temp% folder
decryption key3cb1a338
check key6b5519c2
C2 server91.211.17.201
nr of targets17
client ip
download 1https:// = PS21, file = hV.exe
download 2https:// = PS21, file = hV.exe
download 3https:// = PS21, file = hV.exe
download 4https:// = PS21, file = hV.exe
download 5https:// = PS21, file = hV.exe
download 6https:// = PS21, file = hV.exe
download 7https:// = PS21, file = hV.exe
download 8https:// = PS21, file = hV.exe
download 9https:// = PS21, file = hV.exe
download 10https:// = PS21, file = hV.exe
download 11https:// = PS21, file = hV.exe
download 12https:// = PS21, file = hV.exe
download 13https:// = PS21, file = hV.exe
download 14https:// = PS21, file = hV.exe
download 15https:// = PS21, file = hV.exe
download 16https:// = PS21, file = hV.exe

Sample 0xbda3abd2

Sample information:

string encryption
client ip
key scheduling


port13068range 13068-13071
accept-typetext/*, application/*
user-agentMozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
malware namePisynika.exein %Temp% folder
temp filePSC352.tmpin %Temp% folder
decryption key523ea087
check key2b2f8604
C2 server188.120.194.101
nr of targets21
client ip
download 1https:// = NA, file = AW0.exe
download 2https:// = NA, file = AW0.exe
download 3https:// = NA, file = AW0.exe
download 4https:// = NA, file = AW0.exe
download 5https:// = NA, file = AW0.exe
download 6https:// = NA, file = AW0.exe
download 7https:// = NA, file = AW0.exe
download 8https:// = NA, file = AW0.exe
download 9https:// = NA, file = AW0.exe
download 10https:// = NA, file = AW0.exe
download 11https:// = NA, file = AW0.exe
download 12https:// = NA, file = AW0.exe
download 13https:// = NA, file = AW0.exe
download 14https:// = NA, file = AW0.exe
download 15https:// = NA, file = AW0.exe
download 16https:// = NA, file = AW0.exe
download 17https:// = NA, file = AW0.exe
download 18https:// = NA, file = AW0.exe
download 19https:// = NA, file = AW0.exe
download 20https:// = NA, file = AW0.exe

Sample 0x95e79d9a

Sample information:

string encryption
client ip
key scheduling


port13176range 13176-13179
accept-typetext/, application/
user-agentMozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
malware namenyupodyt.exein %Temp% folder
temp file~DR7892.txtin %Temp% folder
decryption key71a588f1
check key4e1a87a9
C2 server93.185.4.90
nr of targets16
client ip = KTA12, file = pBQ.exe
download 1https:// = KTA12, file = pBQ.exe
download 2https:// = KTA12, file = pBQ.exe
download 3https:// = KTA12, file = pBQ.exe
download 4https:// = KTA12, file = pBQ.exe
download 5https:// = KTA12, file = pBQ.exe
download 6https:// = KTA12, file = pBQ.exe
download 7https:// = KTA12, file = pBQ.exe
download 8https:// = KTA12, file = pBQ.exe
download 9https:// = KTA12, file = pBQ.exe
download 10https:// = KTA12, file = pBQ.exe
download 11https:// = KTA12, file = pBQ.exe
download 12https:// = KTA12, file = pBQ.exe
download 13https:// = KTA12, file = pBQ.exe
download 14https:// = KTA12, file = pBQ.exe
download 15https:// = KTA12, file = pBQ.exe

Sample 0x457f0283

Sample information:

string encryption
client ip
key scheduling


port13068range 13068-13071
accept-typetext/*, application/*
user-agentMozilla/5.0 (Windows NT 6.1) AppleWebKit/536.36 (KHTML, like Gecko) Chrome/42.0.2357.81 Safari/536.36
malware nameuticopfull.exein %Temp% folder
temp fileUticopSetup.login %Temp% folder
decryption key2B415B20
check key64FDFF57
C2 server188.120.194.101
nr of targets16
client ip
download 1216.51.193.145/taser4.pngid = SALE4, file = xD8.exe
download = SALE4, file = xD8.exe
download 368.70.242.203/taser4.pngid = SALE4, file = xD8.exe
download 466.215.30.118/taser4.pngid = SALE4, file = xD8.exe
download 5107.161.207.151/taser4.pngid = SALE4, file = xD8.exe
download 631.131.142.204/taser4.pngid = SALE4, file = xD8.exe
download 796.46.99.183/taser4.pngid = SALE4, file = xD8.exe
download 8188.255.175.252/taser4.pngid = SALE4, file = xD8.exe
download 996.46.100.49/taser4.pngid = SALE4, file = xD8.exe
download 1064.111.36.52/taser4.pngid = SALE4, file = xD8.exe
download 1138.124.74.146/taser4.pngid = SALE4, file = xD8.exe
download 1238.124.69.206/taser4.pngid = SALE4, file = xD8.exe
download 1338.124.174.66/taser4.pngid = SALE4, file = xD8.exe
download 1438.124.74.146/taser4.pngid = SALE4, file = xD8.exe
download 1538.124.174.213/taser4.pngid = SALE4, file = xD8.exe

Sample 0x105beb32

Sample information:

string encryption
client ip
key scheduling


port13100range 13100-13103
accept-typetext/*, application/*
user-agentMozilla/5.0 (Windows NT 6.1) AppleWebKit/538.37 (KHTML, like Gecko) Chrome/44.0.2457.82 Safari/538.37
malware nameMivinad.exein %Temp% folder
temp fileMivi-738.login %Temp% folder
decryption key3e51cf28
check key74090789
C2 server188.120.194.101
nr of targets20
client ip
download 1https:// = AMG11, file = lL8.exe
download 2https:// = AMG11, file = lL8.exe
download 3https:// = AMG11, file = lL8.exe
download 4https:// = AMG11, file = lL8.exe
download 5https:// = AMG11, file = lL8.exe
download 6https:// = AMG11, file = lL8.exe
download 7https:// = AMG11, file = lL8.exe
download 8https:// = AMG11, file = lL8.exe
download 9https:// = AMG11, file = lL8.exe
download 10https:// = AMG11, file = lL8.exe
download 11https:// = AMG11, file = lL8.exe
download 12https:// = AMG11, file = lL8.exe
download 13https:// = AMG11, file = lL8.exe
download 14https:// = AMG11, file = lL8.exe
download 15https:// = AMG11, file = lL8.exe
download 16https:// = AMG11, file = lL8.exe
download 17https:// = AMG11, file = lL8.exe
download 18https:// = AMG11, file = lL8.exe
download 19https:// = AMG11, file = lL8.exe

Sample 0x8d00dfdc

Sample information:

string encryption
client ip
key scheduling


port13096range 13096-13099
accept-typetext/*, application/*
user-agentMozilla/5.0 (Windows NT 6.1) AppleWebKit/538.37 (KHTML, like Gecko) Chrome/44.0.2457.82 Safari/538.37
malware nameGycijaba.exein %Temp% folder
temp fileGyci7EC9.txtin %Temp% folder
decryption key3e51cf28
check key74090789
C2 server188.120.194.101
nr of targets20
client ip
download 1https:// = UAM, file = Ner5.exe
download 2https:// = UAM, file = Ner5.exe
download 3https:// = UAM, file = Ner5.exe
download 4https:// = UAM, file = Ner5.exe
download 5https:// = UAM, file = Ner5.exe
download 6https:// = UAM, file = Ner5.exe
download 7https:// = UAM, file = Ner5.exe
download 8https:// = UAM, file = Ner5.exe
download 9https:// = UAM, file = Ner5.exe
download 10https:// = UAM, file = Ner5.exe
download 11https:// = UAM, file = Ner5.exe
download 12https:// = UAM, file = Ner5.exe
download 13https:// = UAM, file = Ner5.exe
download 14https:// = UAM, file = Ner5.exe
download 15https:// = UAM, file = Ner5.exe
download 16https:// = UAM, file = Ner5.exe
download 17https:// = UAM, file = Ner5.exe
download 18https:// = UAM, file = Ner5.exe
download 19https:// = UAM, file = Ner5.exe

Sample 0x98b126f5

Sample information:

string encryption
client ip
key scheduling


port41300range 41300-41303
accept-typetext/, application/
malware namemscodecs.exein %Temp% folder
temp fileauat498.tmpin %Temp% folder
decryption key33c13e3c
check key74e7fc60
C2 server202.153.35.133
nr of targets2
download 1 = 2301uk11, file = cOFrcJtt.exe
download 2 = 2301uk11, file = cOFrcJtt.exe

Sample 0x07ea0d7c

Sample information:

string encryption
client ip
key scheduling
this sample uses the simplified payload format without decryption keys and temp file name.


port13164range 13164-13167
accept-typetext/, application/
user-agentMozilla/5.0 (Windows NT 6.1) AppleWebKit/538.37 (KHTML, like Gecko) Chrome/44.0.2457.82 Safari/538.37
malware namerazacer.exein %Temp% folder
decryption key55c28387
C2 server188.120.194.101
nr of targets51
client ip = Img12, file = eprath.exe
download 1https:// = Img12, file = eprath.exe
download 2https:// = Img12, file = eprath.exe
download 3https:// = Img12, file = eprath.exe
download 4https:// = Img12, file = eprath.exe
download 5https:// = Img12, file = eprath.exe
download 6https:// = Img12, file = eprath.exe
download 7https:// = Img12, file = eprath.exe
download 8https:// = Img12, file = eprath.exe
download 9https:// = Img12, file = eprath.exe
download 10https:// = Img12, file = eprath.exe
download 11https:// = Img12, file = eprath.exe
download 12https:// = Img12, file = eprath.exe
download 13https:// = Img12, file = eprath.exe
download 14https:// = Img12, file = eprath.exe
download 15https:// = Img12, file = eprath.exe
download 16https:// = Img12, file = eprath.exe
download 17https:// = Img12, file = eprath.exe
download 18https:// = Img12, file = eprath.exe
download 19https:// = Img12, file = eprath.exe
download 20https:// = Img12, file = eprath.exe
download 21https:// = Img12, file = eprath.exe
download 22https:// = Img12, file = eprath.exe
download 23https:// = Img12, file = eprath.exe
download 24https:// = Img12, file = eprath.exe
download 25https:// = Img12, file = eprath.exe
download 26https:// = Img12, file = eprath.exe
download 27https:// = Img12, file = eprath.exe
download 28https:// = Img12, file = eprath.exe
download 29https:// = Img12, file = eprath.exe
download 30https:// = Img12, file = eprath.exe
download 31https:// = Img12, file = eprath.exe
download 32https:// = Img12, file = eprath.exe
download 33https:// = Img12, file = eprath.exe
download 34https:// = Img12, file = eprath.exe
download 35https:// = Img12, file = eprath.exe
download 36https:// = Img12, file = eprath.exe
download 37https:// = Img12, file = eprath.exe
download 38https:// = Img12, file = eprath.exe
download 39https:// = Img12, file = eprath.exe
download 40https:// = Img12, file = eprath.exe
download 41https:// = Img12, file = eprath.exe
download 42https:// = Img12, file = eprath.exe
download 43https:// = Img12, file = eprath.exe
download 44https:// = Img12, file = eprath.exe
download 45https:// = Img12, file = eprath.exe
download 46https:// = Img12, file = eprath.exe
download 47https:// = Img12, file = eprath.exe
download 48https:// = Img12, file = eprath.exe
download 49https:// = Img12, file = eprath.exe
download 50https:// = Img12, file = eprath.exe

Sample 0x7422731b

Sample information:

string encryption
client ip
key scheduling
this sample uses the simplified payload format without decryption keys and temp file name.
port13140range 13140-13143
accept-typetext/, application/
user-agentMozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
malware namebijaweed.exein %Temp% folder
decryption key27185cd3
C2 server188.120.194.101
nr of targets53
client ip = Tos21, file = uxajake.exe
download 1https:// = Tos21, file = uxajake.exe
download 2https:// = Tos21, file = uxajake.exe
download 3https:// = Tos21, file = uxajake.exe
download 4https:// = Tos21, file = uxajake.exe
download 5https:// = Tos21, file = uxajake.exe
download 6https:// = Tos21, file = uxajake.exe
download 7https:// = Tos21, file = uxajake.exe
download 8https:// = Tos21, file = uxajake.exe
download 9https:// = Tos21, file = uxajake.exe
download 10https:// = Tos21, file = uxajake.exe
download 11https:// = Tos21, file = uxajake.exe
download 12https:// = Tos21, file = uxajake.exe
download 13https:// = Tos21, file = uxajake.exe
download 14https:// = Tos21, file = uxajake.exe
download 15https:// = Tos21, file = uxajake.exe
download 16https:// = Tos21, file = uxajake.exe
download 17https:// = Tos21, file = uxajake.exe
download 18https:// = Tos21, file = uxajake.exe
download 19https:// = Tos21, file = uxajake.exe
download 20https:// = Tos21, file = uxajake.exe
download 21https:// = Tos21, file = uxajake.exe
download 22https:// = Tos21, file = uxajake.exe
download 23https:// = Tos21, file = uxajake.exe
download 24https:// = Tos21, file = uxajake.exe
download 25https:// = Tos21, file = uxajake.exe
download 26https:// = Tos21, file = uxajake.exe
download 27https:// = Tos21, file = uxajake.exe
download 28https:// = Tos21, file = uxajake.exe
download 29https:// = Tos21, file = uxajake.exe
download 30https:// = Tos21, file = uxajake.exe
download 31https:// = Tos21, file = uxajake.exe
download 32https:// = Tos21, file = uxajake.exe
download 33https:// = Tos21, file = uxajake.exe
download 34https:// = Tos21, file = uxajake.exe
download 35https:// = Tos21, file = uxajake.exe
download 36https:// = Tos21, file = uxajake.exe
download 37https:// = Tos21, file = uxajake.exe
download 38https:// = Tos21, file = uxajake.exe
download 39https:// = Tos21, file = uxajake.exe
download 40https:// = Tos21, file = uxajake.exe
download 41https:// = Tos21, file = uxajake.exe
download 42https:// = Tos21, file = uxajake.exe
download 43https:// = Tos21, file = uxajake.exe
download 44https:// = Tos21, file = uxajake.exe
download 45https:// = Tos21, file = uxajake.exe
download 46https:// = Tos21, file = uxajake.exe
download 47https:// = Tos21, file = uxajake.exe
download 48https:// = Tos21, file = uxajake.exe
download 49https:// = Tos21, file = uxajake.exe
download 50https:// = Tos21, file = uxajake.exe
download 51https:// = Tos21, file = uxajake.exe
download 52https:// = Tos21, file = uxajake.exe

Sample 0x846cb698

Sample information:

string encryption
client ip
key scheduling
port13152range 13152-13155
accept-typetext/, application/
user-agentMozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
malware namefihatyka.exein %Temp% folder
temp fileFIH_244D.login %Temp% folder
decryption key5b244d31
check key0250f3d8
C2 server188.120.194.101
nr of targets51
client ip = 211, file = QZP1.exe
download 1https:// = 211, file = QZP1.exe
download 2https:// = 211, file = QZP1.exe
download 3https:// = 211, file = QZP1.exe
download 4https:// = 211, file = QZP1.exe
download 5https:// = 211, file = QZP1.exe
download 6https:// = 211, file = QZP1.exe
download 7https:// = 211, file = QZP1.exe
download 8https:// = 211, file = QZP1.exe
download 9https:// = 211, file = QZP1.exe
download 10https:// = 211, file = QZP1.exe
download 11https:// = 211, file = QZP1.exe
download 12https:// = 211, file = QZP1.exe
download 13https:// = 211, file = QZP1.exe
download 14https:// = 211, file = QZP1.exe
download 15https:// = 211, file = QZP1.exe
download 16https:// = 211, file = QZP1.exe
download 17https:// = 211, file = QZP1.exe
download 18https:// = 211, file = QZP1.exe
download 19https:// = 211, file = QZP1.exe
download 20https:// = 211, file = QZP1.exe
download 21https:// = 211, file = QZP1.exe
download 22https:// = 211, file = QZP1.exe
download 23https:// = 211, file = QZP1.exe
download 24https:// = 211, file = QZP1.exe
download 25https:// = 211, file = QZP1.exe
download 26https:// = 211, file = QZP1.exe
download 27https:// = 211, file = QZP1.exe
download 28https:// = 211, file = QZP1.exe
download 29https:// = 211, file = QZP1.exe
download 30https:// = 211, file = QZP1.exe
download 31https:// = 211, file = QZP1.exe
download 32https:// = 211, file = QZP1.exe
download 33https:// = 211, file = QZP1.exe
download 34https:// = 211, file = QZP1.exe
download 35https:// = 211, file = QZP1.exe
download 36https:// = 211, file = QZP1.exe
download 37https:// = 211, file = QZP1.exe
download 38https:// = 211, file = QZP1.exe
download 39https:// = 211, file = QZP1.exe
download 40https:// = 211, file = QZP1.exe
download 41https:// = 211, file = QZP1.exe
download 42https:// = 211, file = QZP1.exe
download 43https:// = 211, file = QZP1.exe
download 44https:// = 211, file = QZP1.exe
download 45https:// = 211, file = QZP1.exe
download 46https:// = 211, file = QZP1.exe
download 47https:// = 211, file = QZP1.exe
download 48https:// = 211, file = QZP1.exe
download 49https:// = 211, file = QZP1.exe
download 50https:// = 211, file = QZP1.exe