Win32/Upatre.BI is a recent member of the Upatre downloader family. The malware is usually spread by email attachments. It can steal user information and download a variety of other malicious software such as Zeus, Rovnix, Dyzap or Cutwail.
The decryption script tries to decrypt the payload that Upatre downloads by using the plaintext's size as known plaintext: the size of the decrypted payload is known up front, so the key is recovered by searching for the candidate that decrypts to that size.
It supports the following encryption schemes:
+ decremental XOR
+ double decremental XOR
+ incremental XOR
+ left rotating XOR
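The four schemes above, with the known-plaintext key search described for the script, as an added Python 3 example (the page's script is Python 2 and this is not its code). The page does not define the schemes beyond their names, so the following are assumptions made here: a byte at position i is XORed with a keystream byte derived from the key and i; "decremental"/"incremental" decrement/increment the key per byte, "double decremental" combines two independently decrementing keys, and "left rotating" rotates the key left by one bit per byte. The blob layout (a little-endian uint32 plaintext length in front of the payload, encrypted with the same keystream) and the sample data are constructed for the example.

```python
# Added example, not the page's script: the four byte-wise XOR schemes as
# keystream generators plus a known-plaintext key search on the size field.
# Assumptions (not stated on the page): LE32 plaintext length at offset 0,
# encrypted with the same keystream; "double decremental" = two independently
# decrementing keys packed as k1 | k2 << 8; "left rotating" = key ROL'd 1 bit
# per byte. Sample payload below is constructed, not a real Upatre download.
import struct

SIZE_FIELD = 4  # assumed LE32 plaintext length preceding the payload


def rol8(value, count):
    """Rotate an 8-bit value left by count bits."""
    count &= 7
    return ((value << count) | (value >> (8 - count))) & 0xFF


# scheme name -> (size of key space, keystream byte for (key, position i))
SCHEMES = {
    "decremental": (1 << 8, lambda key, i: (key - i) & 0xFF),
    "incremental": (1 << 8, lambda key, i: (key + i) & 0xFF),
    "double decremental": (1 << 16, lambda key, i:
                           (((key & 0xFF) - i) & 0xFF) ^ (((key >> 8) - i) & 0xFF)),
    "left rotating": (1 << 8, lambda key, i: rol8(key, i)),
}


def apply_xor(buf, scheme, key, start=0):
    """XOR buf with the keystream of `scheme` under `key`, counting positions
    from `start`. XOR is symmetric, so this both encrypts and decrypts."""
    _, keystream = SCHEMES[scheme]
    return bytes(c ^ keystream(key, start + i) for i, c in enumerate(buf))


def encrypt_payload(plaintext, scheme, key):
    """Prepend the LE32 length and encrypt the whole blob (constructed layout)."""
    return apply_xor(struct.pack("<I", len(plaintext)) + plaintext, scheme, key)


def recover_key(blob):
    """Known-plaintext search: the first SIZE_FIELD bytes must decrypt to the
    plaintext length, which is known because it equals len(blob) - SIZE_FIELD.
    Returns every (scheme, key, plaintext) that passes the check."""
    expected = struct.pack("<I", len(blob) - SIZE_FIELD)
    header = blob[:SIZE_FIELD]
    hits = []
    for scheme, (keyspace, _) in SCHEMES.items():
        for key in range(keyspace):
            if apply_xor(header, scheme, key) == expected:
                body = apply_xor(blob[SIZE_FIELD:], scheme, key, start=SIZE_FIELD)
                hits.append((scheme, key, body))
    return hits


def looks_like_pe(data):
    """Cheap plausibility filter for a decrypted payload: DOS header signature."""
    return data[:2] == b"MZ"


# Constructed sample: a fake payload (MZ prefix only, not a real PE) encrypted
# with one scheme and one key, as if it were a downloaded blob.
SAMPLE_PLAINTEXT = b"MZ" + bytes(range(64)) + b"This program cannot be run in DOS mode"
SAMPLE_SCHEME, SAMPLE_KEY = "decremental", 0x7A
SAMPLE_BLOB = encrypt_payload(SAMPLE_PLAINTEXT, SAMPLE_SCHEME, SAMPLE_KEY)


def decrypt_sample():
    """Run the search on the constructed blob and keep only PE-looking results."""
    return [(s, k, p) for s, k, p in recover_key(SAMPLE_BLOB) if looks_like_pe(p)]


if __name__ == "__main__":
    for scheme, key, plain in decrypt_sample():
        print("%-18s key=0x%04x %r..." % (scheme, key, plain[:16]))
```

Because only four bytes of known plaintext are checked, the 16-bit "double decremental" key space can produce spurious hits, which is why `recover_key` returns every match and leaves a second filter (here, the MZ signature) to the caller.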
The packer has two stages: the first uses a simple XOR and ROL encryption, while the second uses a variant of RC4.
– The first unpacking stub modifies part of its memory with ROL and XOR.
– At the end of the first stage, a tail jump enters the unpacked memory.
– The second stage copies the unpacking stub's code region to a newly allocated page.
– A call is made into the copied region.
– Most of the loaded executable, including the PE header, is zeroed out.
– The encrypted payload is loaded from the executable file and decrypted.
– The decrypted plaintext contains the new executable, which is copied to the image base.
– The unpacking stub handles the relocations and resolves the imports.
– A tail jump into the decrypted executable concludes the second unpacking stage.
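The step in which the stub loads the encrypted payload from the executable file is the one a practitioner usually reproduces statically. The page does not say where in the file the payload lives; the following added Python 3 example (not the packer's code and not the page's script) assumes the common case of data appended after the last section, the overlay, and shows how to locate it from the section table. The minimal PE it parses is constructed inline.

```python
# Added example, not the page's script and not the packer's code: carve the
# data appended after the last PE section (the "overlay"), one common place a
# second-stage stub reads its encrypted payload from. Assumption: the page only
# says the payload is loaded from the executable file; the overlay location and
# the sample PE below are constructed for this example.
import struct

FILE_ALIGN = 0x200


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def find_overlay(pe):
    """Return (offset, data) of everything past the last section's raw data,
    or (None, b"") when the file ends with the sections."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER starts after the signature
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    section_table = coff + 20 + size_of_optional
    end = section_table + 40 * num_sections  # at least the headers themselves
    for n in range(num_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", pe, section_table + 40 * n + 16)
        end = max(end, raw_ptr + raw_size)
    if end >= len(pe):
        return None, b""
    return end, pe[end:]


def build_pe(sections, overlay):
    """Build a minimal PE32 file from (name, bytes) sections and append overlay.
    Only the fields find_overlay() needs are filled in; the rest stay zero."""
    n = len(sections)
    headers_end = align_up(64 + 4 + 20 + 0xE0 + 40 * n, FILE_ALIGN)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0xE0, 0x102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    cursor, headers, raw = headers_end, b"", b""
    for name, data in sections:
        size = align_up(len(data), FILE_ALIGN)
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), cursor,
                               size, cursor, 0, 0, 0, 0, 0x60000020)
        raw += data.ljust(size, b"\0")
        cursor += size
    image = (bytes(dos) + b"PE\0\0" + coff + bytes(optional) + headers).ljust(headers_end, b"\0")
    return image + raw + overlay


# Constructed sample: two sections, then 64 bytes standing in for an encrypted payload.
SAMPLE_OVERLAY = bytes((i * 37 + 11) & 0xFF for i in range(64))
SAMPLE_PE = build_pe([(b".text", b"\xCC" * 16), (b".data", b"A" * 300)], SAMPLE_OVERLAY)


if __name__ == "__main__":
    offset, data = find_overlay(SAMPLE_PE)
    print("overlay at 0x%x, %d bytes" % (offset, len(data)))
```

On a real sample the carved bytes are the input to the key search; if nothing follows the last section, the payload is stored elsewhere (inside a section or a resource) and the stub's file read has to be traced instead.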
The script can also decrypt the simplified payload format if the decryption key is known. The script only runs under Python 2.x.