Upatre: Sample Set Analysis

Hi. I recently wrapped up an analysis of Upatre. My original intention was to write a generic C2 decoder/extractor for the executables. After analyzing ten samples I realized it was not feasible due to the different encoding algorithms and obfuscation. After analyzing those ten samples I became interested in how Upatre obfuscates/encodes its executables. My analysis is based on 94 unique Upatre samples. My sample set might be a little skewed because I grabbed the first 100 files sorted by file size with a file type of zip. Having the files in their original zip archives allowed me to keep their original file names. I would like to thank VirusTotal for access to the samples and Glenn Edwards for feedback.

Google Docs (HTML)
Git Repo (PDF)


  1. Hi,

    Could you please provide the sample file? Thank you very much,

    Best Regards,

    1. Sorry, I can not distribute the samples. The hashes are included at the end of the document. If you don't have a source for looking up samples by hash I would recommend signing up for KernelMode.info. Some samples can be downloaded from the following thread http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3019

  2. Impressive stuff Alex! :)