Jun 20, 2015 | reverse engineering

Win32/Upatre.BI - Part Four: Payload Format

This last article is all about the second stage payload of Upatre. The first part shows how the download handler decrypts and parses the payload. The analysis leads to a description of the payload’s format. It also shows how the unpacking stub of the payload decompresses, prepares and launches the...

Jun 16, 2015 | reverse engineering

Win32/Upatre.BI - Part Three: Main Loop

This blog post analyzes the core routine of Upatre. It is covered in only one of my four parts on Upatre, because it honestly doesn’t do much. The ultimate goal of Upatre is to download the second stage payload, which will do the real damage. As already touched on in the discussion of Upatre’s configuration...

Jun 14, 2015 | reverse engineering

Win32/Upatre.BI - Part Two: Config

The first blog post of the series on Upatre showed how to unpack the malware. You can download the unpacked sample from malwr.com if you would like to retrace my reversing steps. This second part focuses on the configuration of Upatre. The first section presents the format of the data structures used...

Jun 10, 2015 | reverse engineering

Win32/Upatre.BI - Part One: Unpacking

Win32/Upatre.BI is a recent member of the Upatre downloader family. The malware is usually spread by email attachments. It can steal user information and download a variety of other malicious software such as Zeus, Rovnix, Dyzap or Cutwail. In this multi-part blog post I analyze the inner workings...