{
	"id": "3e3bbe92-14e1-4a61-aaa1-8dbcd948f348",
	"created_at": "2026-04-06T00:11:37.893615Z",
	"updated_at": "2026-04-10T03:20:23.82012Z",
	"deleted_at": null,
	"sha1_hash": "1594b99def62026d4e28b9a2b4b72a1707e5485a",
	"title": "Inside Upas Kit (1.0.1.1) aka Rombrast C\u0026C - Botnet Control Panel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1449522,
	"plain_text": "Inside Upas Kit (1.0.1.1) aka Rombrast C\u0026C - Botnet Control Panel\r\nArchived: 2026-04-05 19:15:08 UTC\r\n2012-08-16 - Panel\r\nIn mid-June a new botnet was advertised on an underground forum as Upas Kit (see the end of this post for the advert).\r\nThe bot is recognized by Microsoft as part of the Win32/Rombrast family.\r\nUpas - Login Screen\r\nhttps://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html\r\nUpas - Map\r\nUpas - Bots\r\nUpas - Statistics - Bots Online\r\nUpas - Statistics - Online Bots\r\nUpas - Statistics - Arch\r\nUpas - Statistics - Countries\r\nUpas - Statistics - Comparing months\r\nUpas - Statistics - Spreading\r\nUpas - Statistics - Bots Summary statistics\r\nUpas - Statistics - Version\r\nUpas - Statistics - OS\r\nUpas - Statistics - Permissions\r\nUpas - Stats\r\nUpas - Logs - FTP\r\nUpas - Logs - Spreadings\r\nUpas - Logs - Botkill\r\nUpas - Logs - Passwords\r\nUpas - Logs - Ruskill\r\nUpas - Logs - 
Injects\r\nUpas - Tasks\r\nUpas - Public Link to tasks\r\nUpas - Download logs\r\nUpas - Settings list\r\nUpas - Settings\r\nUpas - Settings - Create user\r\nUpas - Settings - Users list\r\nUpas - Settings - Banned Users\r\nUpas - Settings - Blacklist\r\nUpas - Settings - Login logs\r\nUpas - Settings - Change files name\r\nUpas - AdminCP\r\nUpas - Server Side Tree\r\nHere is the initial advert on Exploit.In:\r\nUpas Kit 1.0.0.0 as advertised by auroras on Exploit.in on the 14th of June 2012\r\nYou'll find the original text of this advert here:\r\nhttp://pastebin.com/T8b0FMGA\r\nAnd its Google translation here:\r\nhttp://pastebin.com/RCN0wYez\r\nAntiVM analysis by EP_X0FF:\r\nYou'll find it here:\r\nhttp://www.kernelmode.info/forum/viewtopic.php?f=16\u0026t=1736\u0026p=14437\u0026hilit=upas#p14462\r\nAuroras' \"reply\" on this code:\r\nWhich means he did that fast to escape ThreatExpert. 
And it looks like it's pretty effective:\r\nAuroras 1 - ThreatExpert 0\r\nFor an analysis of the Upas Kit bot, you can take a look at Onthar's post.\r\nHere is one Anubis analysis: 149fd4bdae313f2e44d86cc9be7e2453a - And here is a Comodo IMA analysis:\r\n7847d831a191833b7b845d95daf8d0c19f42322c53882c7814a0cb2cb7d9f195\r\n(no... these are not bots of the C\u0026C shown here ;) )\r\nSource: https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html"
	],
	"report_names": [
		"inside-upas-kit1.0.1.1.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434297,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1594b99def62026d4e28b9a2b4b72a1707e5485a.pdf",
		"text": "https://archive.orkl.eu/1594b99def62026d4e28b9a2b4b72a1707e5485a.txt",
		"img": "https://archive.orkl.eu/1594b99def62026d4e28b9a2b4b72a1707e5485a.jpg"
	}
}