Inside Upas Kit (1.0.1.1) aka Rombrast C&C - Botnet Control Panel
Archived: 2026-04-05 19:15:08 UTC
2012-08-16 - Panel

In mid-June a new botnet was advertised on an underground forum as Upas Kit (see the end of this post for the advert). The bot is recognized by Microsoft as part of the Win32/Rombrast family.

Upas - Login Screen
https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html
Upas - Map
Upas - Bots
Upas - Statistics - Bots Online
Upas - Statistics - Online Bots
Upas - Statistics - Arch
Upas - Statistics - Countries
Upas - Statistics - Comparing months
Upas - Statistics - Spreading
Upas - Statistics - Bots Summary statistics
Upas - Statistics - Version
Upas - Statistics - OS
Upas - Statistics - Permissions
Upas - Stats
Upas - Logs - FTP
Upas - Logs - Spreadings
Upas - Logs - Botkill
Upas - Logs - Passwords
Upas - Logs - Ruskill
Upas - Logs - Injects
Upas - Tasks
Upas - Public Link to tasks
Upas - Download logs
Upas - Settings list
Upas - Settings
Upas - Settings - Create user
Upas - Settings - Users list
Upas - Settings - Banned Users
Upas - Settings - Blacklist
Upas - Settings - Login logs
Upas - Settings - Change files name
Upas - AdminCP
Upas - Server Side Tree

Here is the initial advert on Exploit.In:

Upas Kit 1.0.0.0 as advertised by auroras on Exploit.in on the 14th of June 2012

You'll find the original text of this advert here: http://pastebin.com/T8b0FMGA
And its Google translation here: http://pastebin.com/RCN0wYez

AntiVM analysis by EP_X0FF:
You'll find it here: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1736&p=14437&hilit=upas#p14462

Auroras "reply" on this code:

Which means he did that fast to escape ThreatExpert. And it looks like it's pretty effective:

Auroras 1 - ThreatExpert 0

For an analysis of the Upas Kit bot, you can take a look at Onthar's post.
Here is one Anubis analysis: 149fd4bdae313f2e44d86cc9be7e2453a
And here is a Comodo IMA analysis: 7847d831a191833b7b845d95daf8d0c19f42322c53882c7814a0cb2cb7d9f195
(no... these are not bots of the C&C shown here ;) )

Source: https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html