Downloader Trojan that can drop multiple malware

January 30, 2015

The Dell SonicWALL Threats Research team has discovered a downloader Trojan spreading through email. It can drop various kinds of malware on the system; in this case it dropped a ransomware Trojan that remained dormant on the system.

Infection Cycle:

The Trojan uses the following PDF icon:

The Trojan makes the following DNS queries:

  • stun4.l.google.com

The Trojan adds the following files to the filesystem:

  • %TEMP%\document.exe [Detected as GAV: Upatre.AF_8 (Trojan)]
  • %WINDOWS%\VTlrgieTqjTrJGf.exe [Detected as GAV: Ransomer.DYG (Trojan)]

The Trojan reports infection to a C&C server using the User Agent "Mazilla/5.0":

The Trojan downloads an additional malware executable (kora_k12.pdf) from a remote webserver:
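As an added detection example (not part of the original advisory or of SonicWALL's signatures), the following Python scans constructed proxy log lines for the two network indicators described above: the misspelled User-Agent "Mazilla/5.0" used for the C&C check-in and a request for the payload name kora_k12.pdf. The log format, client IPs and hostnames are assumptions; the indicator values come from the advisory.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the advisory text above.
SUSPICIOUS_USER_AGENTS = {"Mazilla/5.0"}
SUSPICIOUS_PAYLOAD_NAMES = {"kora_k12.pdf"}

# Constructed sample log lines in an assumed proxy format:
# <timestamp> <client> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
2015-01-30T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 6.1)"
2015-01-30T10:02:11Z 10.0.0.7 GET http://cnc.example.test/report.php?id=1 200 "Mazilla/5.0"
2015-01-30T10:02:15Z 10.0.0.7 GET http://files.example.test/kora_k12.pdf 200 "Mozilla/4.0"
2015-01-30T10:03:00Z 10.0.0.9 GET http://www.example.com/kora.pdf 404 "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Alert:
    client: str
    category: str   # "beacon" or "download"
    detail: str
    url: str


def scan_proxy_log(text):
    """Return one Alert per indicator hit; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, url, ua = m.group("client"), m.group("url"), m.group("ua")
        # Last path segment without any query string.
        fname = url.rsplit("/", 1)[-1].split("?", 1)[0]
        if ua in SUSPICIOUS_USER_AGENTS:
            alerts.append(Alert(client, "beacon", f"User-Agent {ua!r}", url))
        if fname in SUSPICIOUS_PAYLOAD_NAMES:
            alerts.append(Alert(client, "download", f"payload name {fname!r}", url))
    return alerts


def hosts_with_both(alerts):
    """Clients that both checked in with the bad User-Agent and fetched the payload."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a.client].add(a.category)
    return {c for c, cats in seen.items() if {"beacon", "download"} <= cats}
```

Hosts returned by hosts_with_both are the ones most likely to have completed the infection cycle and are the first to check for the dropped files listed above.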

The file is encrypted. During analysis we were able to determine the location of the decryption routine in the executable:

After decryption, the file VTlrgieTqjTrJGf.exe is written to disk. The file appears to be a ransomware Trojan but remains dormant on the filesystem. It uses the following icon:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Upatre.AF_8 (Trojan)
  • GAV: Malagent.H_2691 (Trojan)
  • GAV: Ransomer.DYG (Trojan)