Upatre trojan attached to emails “Important Documents”


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Important Documents”.

This email is sent from the spoofed address “Charlie Egan <Charlie.Egan@wellsfargo.com>” and has the following body:

Please check out your latest account documents.

Charlie Egan
Level III Security Officer
817-102-6118 office
817-607-0621 cell Charlie.Egan@wellsfargo.com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.

The attached file Important_Documents.zip contains the 37 kB file Important_Documents.exe.

The trojan is known as Virus.Win32.Heur.c, UDS:DangerousObject.Multi.Generic, BehavesLike.Win32.Yahlover.nt or Upatre.FN.

At the time of writing, 8 of the 57 AV engines at Virus Total detected the trojan.

Use Virus Total or Malwr for more detailed information.
SHA256: c64809bdb7d4a4f6d947aa22ee3f62cc8a88a2d0d0afcfa67771cdceacc4fdf8
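The following Python script is an added example of how a mail gateway or incident responder could flag messages matching this campaign; it is not part of the MX Lab alert. It builds a constructed sample message that mimics the lure (same subject, spoofed sender and attachment name, but a harmless placeholder instead of the real executable), then scans it for the lure subject, executable attachments, executables nested inside zip attachments, and SHA256 matches against the hash published above. The page does not say whether that SHA256 belongs to the zip or to the extracted exe, so the scanner checks both; the example assumes the standard library only.

```python
import email
import hashlib
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Indicators taken from the MX Lab alert. The page does not say whether the
# SHA256 is of the zip or of the exe, so both the attachment and its members
# are compared against it (assumption).
KNOWN_SHA256 = {"c64809bdb7d4a4f6d947aa22ee3f62cc8a88a2d0d0afcfa67771cdceacc4fdf8"}
SUSPECT_SUBJECT = "Important Documents"
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse to inflate oversized zip members


def build_sample_email() -> bytes:
    """Constructed sample message mimicking the campaign (not a real capture).

    The zip holds a harmless placeholder named Important_Documents.exe, so the
    nested-executable check fires but the hash check does not.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Important_Documents.exe", b"placeholder, not the real payload")
    msg = EmailMessage()
    msg["From"] = "Charlie Egan <Charlie.Egan@wellsfargo.com>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = SUSPECT_SUBJECT
    msg.set_content("Please check out your latest account documents.")
    msg.add_attachment(
        buf.getvalue(),
        maintype="application",
        subtype="zip",
        filename="Important_Documents.zip",
    )
    return msg.as_bytes()


def scan_message(raw: bytes) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    findings = []
    msg = email.message_from_bytes(raw, policy=default)
    subject = (msg["Subject"] or "").strip()
    if subject == SUSPECT_SUBJECT:
        findings.append(f"subject matches campaign lure: {subject!r}")

    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""

        # Hash the attachment as delivered.
        if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
            findings.append(f"attachment {name} matches known IoC hash")
        if name.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"direct executable attachment: {name}")

        # Look inside zip attachments for executables and hash each member.
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = info.filename
                    if member.lower().endswith(EXECUTABLE_SUFFIXES):
                        findings.append(f"executable {member} inside {name}")
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append(f"skipped oversized member {member} in {name}")
                        continue
                    if hashlib.sha256(zf.read(info)).hexdigest() in KNOWN_SHA256:
                        findings.append(f"{member} inside {name} matches known IoC hash")
    return findings


if __name__ == "__main__":
    for finding in scan_message(build_sample_email()):
        print(finding)
```

Run against a real mailbox export, `scan_message` would be called once per `.eml` file; hashing both the zip and its members means a detection still fires whichever file the published hash refers to, and the size cap keeps a crafted archive from exhausting memory during inspection.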
