W32/Upatre.FT!tr

Analysis


  • It drops a copy of itself to the user's Temporary folder as mixouted.exe.

  • At the time of this analysis, it downloaded the following file:
    • http://cara{Removed}.co.uk/mandoc/us21.pdf
    • This downloaded file is an encrypted data file; it is copied into the user's Temporary folder as log3950.tmp and can be detected as Data/Upatre!tr.

  • An EXE file with a randomized name is also dropped in the Windows folder. At the time of this analysis, the EXE file can be detected as W32/Battdil.I!tr. This EXE file drops nwuvbe82ns.dll in the %System%\config\systemprofile\Application Data folder. This DLL file is also an encrypted data file.

  • It injects code into the svchost.exe and spoolsv.exe processes.

  • It disables antivirus products such as AVG, Malwarebytes Anti-Malware, ESET, etc.

  • It adds registry keys to exclude the processes explorer.exe, spoolsv.exe, rundll32.exe, and svchost.exe from Microsoft Security Essentials process scanning.
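A defender's host check for the artifacts listed above, added here as an example; it is not part of the Fortinet entry. It assumes that Microsoft Security Essentials stores its process exclusions under HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes (the key is not named on the page) and that %System% is the System32 folder.

```powershell
# Added host check written for this entry; it is not Fortinet's code.
# Assumptions (not stated on the page): Microsoft Security Essentials keeps
# its process exclusions under the 'Microsoft Antimalware' key below, and
# %System% in the entry means the System32 folder. Run from an elevated prompt.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Files the analysis says are dropped in the user's Temporary folder.
foreach ($name in 'mixouted.exe', 'log3950.tmp') {
    $path = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $path) { $findings.Add("Dropped file present: $path") }
}

# 2. The encrypted DLL dropped under the SYSTEM account's profile.
$dll = Join-Path $env:SystemRoot 'System32\config\systemprofile\Application Data\nwuvbe82ns.dll'
if (Test-Path -LiteralPath $dll) { $findings.Add("Encrypted payload DLL present: $dll") }

# 3. Processes the sample excludes from Security Essentials scanning. Value
#    names under this key are full image paths, so compare on the file name.
$exclKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes'
$watched = 'explorer.exe', 'spoolsv.exe', 'rundll32.exe', 'svchost.exe'
if (Test-Path -LiteralPath $exclKey) {
    $item = Get-Item -LiteralPath $exclKey
    foreach ($valueName in $item.GetValueNames()) {
        $leaf = [System.IO.Path]::GetFileName($valueName).ToLowerInvariant()
        if ($watched -contains $leaf) { $findings.Add("AV exclusion present for: $valueName") }
    }
}

# Any hit is a trigger to quarantine the files and restore clean copies,
# as the Recommended Action section advises.
if ($findings.Count -eq 0) { 'No W32/Upatre.FT!tr artifacts found.' } else { $findings }
```

The randomized EXE in the Windows folder and the code injected into svchost.exe and spoolsv.exe have no fixed name, so they are left to the AV engine rather than checked here.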

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate: Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2022-12-27 90.09105
2022-12-12 90.08670
2022-08-30 90.05531
2022-05-25 90.02622
2022-01-04 89.08396
2020-01-21 74.70000 Sig Updated
2019-07-31 70.38300 Sig Updated
2019-06-18 69.35000 Sig Updated
2019-04-02 67.50600 Sig Updated
2018-10-02 62.63500 Sig Updated