Collection of Upatre Samples (alpha version)


md5
The MD5 sum of the malware as downloaded from the source. This entry links to the details for the sample, including the complete list of delivery URLs and information about the downloaded payload (if still online at the time).
date
The time the malware was scanned on or VirusTotal.
exe
The name of the executable after being copied to the Windows temp folder.
tempfile
The name of the temporary file inside the Windows temp folder. Not all samples use a temporary file.
c2
The IP of the C2 server for callbacks.
pdir
The root directory of the C2 callbacks.
cip
The service used to determine the public-facing IP of the infected client.
  • ICZ stands for
  • DYN stands for
#ds
Number of delivery sites (in brackets: number of active sites, i.e., delivering a valid payload when checked).
port
The lowest of the four potential ports used to contact the payload delivery sites.
fmt
Format of the payload.
  • reg: the regular payload format with unpacking stub.
  • sim: the simplified payload format without unpacking stub and without check key.
dec key
The decryption key.
chk key
The check key. Only the regular payload format uses a check key.
ksa
The algorithm used to modify the decryption key:
  • dec, decremental: k ← k - 1
  • dec2, double decremental: k ← k - 2
  • inc, incremental: k ← k + 1
  • rol, left rotating: k ← rol(k)
  • chk, check key based: k ← k + ck, with ck being the check key
The algorithm is only determined if a valid payload could be downloaded.


md5 | date | exe | tempfile | c2 | pdir | cip | #ds | port | fmt | dec key | chk key | ksa
57ccc167257357a5ef0782b47eae7e40 | 2015-09-05 11:09 | plusidup.exe | ID37E3.tmp | 93.185.4.90 | LE3 | ICZ | 50 (18) | 9587 | reg | 3e312c45 | 00047040 | chk