updates.exe

The executable updates.exe has been detected as malware by 1 of the anti-virus scanners used. It is configured to start automatically whenever a user logs into Windows, via the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the display name ‘Updates’. While running, it connects over HTTP (TCP port 80) to the Internet host apache2-yak.zarniwoop.dreamhost.com, among other hosts listed in the network section below.
MD5:
428ca14bbb29d283683c2914b98df349

SHA-1:
09e2cd9f3a2c4c32cf2086da67d18c108bd36c49

SHA-256:
02d62fd2ebcb51af3c267f05d1846449971656af67c709f202007699002bbedd

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/27/2024 5:54:14 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Downloader.UP (M)

Engine version:
17.2.6.16

File size:
260 KB (266,240 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
1/1/1999 7:57:37 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x2B99A

Entry point:
69, F6, 24, F3, 13, 0D, 88, C6, 4B, 0F, AF, F5, F6, C7, 11, 89, F2, 38, D4, 57, 68, F4, FD, CF, 00, 89, F2, 73, 04, 46, 84, DA, 43, 8D, 2D, CE, E1, 64, 0F, 85, FE, 8A, F6, E8, 00, 00, 00, 00, 59, 88, DA, 33, D9, F7, C2, 0E, B6, 66, CD, 1D, 10, 93, 56, 5C, C6, C3, AE, 87, EF, 71, 05, 4E, 87, EB, 84, D0, 4D, 89, CA, F7, C7, 88, 88, 65, 1F, B3, 12, 85, C2, 8D, 1D, 14, F7, 3E, CD, 40, FE, CF, 69, F5, EF, 05, 97, 79, 0F, AF, F1, 81, C1, 58, 1C, 00, 00, B0, E8, C7, C5, B6, 1F, E5, D2, 81, C8, 4B, 09, 78, E9, 81...

Entropy:
7.2254

Code size:
36 KB (36,864 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Updates

Command:
C:\updates.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to apache2-yak.zarniwoop.dreamhost.com  (173.236.154.78:80)

TCP (HTTP):
Connects to windows12.internetbilisim.net  (185.126.217.250:80)

TCP (HTTP):
Connects to win04-host-kb.turkticaret.net  (31.186.8.104:80)

TCP (HTTP):
Connects to tiki.trunkoz.com  (103.14.97.123:80)

TCP (HTTP):
Connects to neptune.corpservers.net  (63.247.87.162:80)

Powered by Reason Core Security