updates.exe

The executable updates.exe has been detected as malware by 1 of 68 anti-virus scanners (Reason Heuristics, which labels it Trojan.Downloader.UP). It is set to start automatically when the user logs into Windows, via a value named 'Backup' in the current user's Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run); the command recorded under that value is C:\backup.exe.
MD5:
0fa58944b5c385bf65dbfadb5df7154d

SHA-1:
176794796a104a6f2956df059b3d934bbbcfa726

SHA-256:
e217776613aa10cbc669c7bf39e9112822747ee7da0d633737b6ad0eaa92ce7b

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/5/2024 2:43:06 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Downloader.UP (M)

Engine version:
16.11.20.14

File size:
140 KB (143,360 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
1/24/2011 5:29:48 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:Z4k0QpFZyOSAYZRx6iDrhLOUp+HQMJhrgzQRxir7:Z4k0lrTQwMJhrhxG

Entry address:
0x17EC

Entry point:
0F, AF, D0, 2B, C0, BD, F0, 91, C4, B2, B3, 12, 84, CA, 22, CE, F2, 6B, C9, 00, BD, F2, 4A, BE, DE, 3B, D1, 75, 01, 45, 8D, 15, 61, 20, D7, 80, 81, C1, 5B, F6, FF, FF, 8D, 35, 99, EA, 85, 98, 80, F2, FF, 81, C1, A6, 09, 00, 00, 03, D1, 0F, AF, EA, 3C, 0A, 88, D7, 4D, 81, F9, DE, 01, 00, 00, 0F, 82, C5, FF, FF, FF, 8D, 1D, D3, E4, 5E, 44, 8D, 15, 83, 0A, 84, C4, E8, 93, 00, 00, 00, 8D, 05, A3, 62, 45, DD, 0F, B6, D0, 81, E2, A8, 03, 36, 88, 0F, AF, FB, 3A, EF, 8A, D1, 02, FC, 56, 4E, 5D, 0F, BF, C1, 69, D5...

Entropy:
6.7457

Code size:
36 KB (36,864 bytes)
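The metadata above comes straight out of the PE headers, so it can be reproduced (and the published hashes re-checked) without any vendor tooling. The following script is an added example, not part of this report or of Reason Core Security's scanner: it hashes a file, parses the DOS/COFF/optional headers for the fields listed (compile timestamp, OS version, bitness, subsystem, linker version, entry point RVA, code size) and computes byte entropy. Because the real sample is not reproduced here, `build_sample_pe()` constructs a bare header carrying the report's values so the parser can run offline; that blob is an assumption for demonstration, contains no code, and will not match the published hashes. Note that the compile timestamp is a linker field the author can set freely.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Hashes published in the report above for updates.exe.
KNOWN_HASHES = {
    "md5": "0fa58944b5c385bf65dbfadb5df7154d",
    "sha1": "176794796a104a6f2956df059b3d934bbbcfa726",
    "sha256": "e217776613aa10cbc669c7bf39e9112822747ee7da0d633737b6ad0eaa92ce7b",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
BITNESS = {0x10B: "Win32", 0x20B: "Win64"}


def file_hashes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 as lower-case hex, the same fields the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in KNOWN_HASHES}


def matches_known_sample(data: bytes) -> bool:
    """True if any digest of `data` equals a published hash of updates.exe."""
    got = file_hashes(data)
    return any(got[name] == digest for name, digest in KNOWN_HASHES.items())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]; packed or encrypted files sit near the top."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Extract the header fields shown under 'File PE Metadata'.

    Walks e_lfanew -> 'PE\\0\\0' -> COFF file header -> optional header. The
    fields read here sit at the same offsets in PE32 and PE32+, because
    PE32+ drops BaseOfData and widens ImageBase by the same 4 bytes.
    """
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, _nsect, timestamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, maj_link, min_link, size_of_code, _, _, entry = struct.unpack_from("<HBBIIII", data, opt)
    maj_os, min_os = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "bitness": BITNESS.get(magic, f"unknown({magic:#x})"),
        # TimeDateStamp is written by the linker and trivially forged; treat it as a claim.
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "os_version": f"{maj_os}.{min_os}",
        "linker_version": f"{maj_link}.{min_link}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_point": f"0x{entry:X}",
        "code_size": size_of_code,
    }


def build_sample_pe() -> bytes:
    """Constructed stand-in: a bare PE header carrying the report's metadata.

    This is not updates.exe and contains no code; it only lets parse_pe run offline.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1295890188, 0, 0, 224, 0x010F)  # i386, 2011-01-24 17:29:48 UTC
    opt = bytearray(224)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 6, 0, 36864, 0, 0, 0x17EC)   # PE32, linker 6.0, entry 0x17EC
    struct.pack_into("<HH", opt, 40, 4, 0)                                   # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                                       # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(file_hashes(blob), "known sample:", matches_known_sample(blob))
    print(parse_pe(blob), f"entropy={shannon_entropy(blob):.4f}")
```

Run it as `python pe_meta.py suspect.exe` to compare a quarantined file against the hashes and header values in this report; with no argument it parses the constructed header. A hash match is conclusive, a header match is not: two builds of the same loader can share linker version, OS version and entry RVA while carrying different payloads.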

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Backup

Command:
C:\backup.exe


The executing file has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to dns1.interbox.cz  (77.78.99.55:80)

TCP (HTTP):
Connects to win15.securedc.com  (64.8.117.67:80)

TCP (HTTP):
Connects to host176.b5.trdns.com  (77.245.148.176:80)

TCP (HTTP):
Connects to 161maklp3.guzel.net.tr  (31.192.214.161:80)

TCP (HTTP):
Connects to hostedc76.carrierzone.com  (69.49.115.40:80)

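The report yields two kinds of indicator: a host artifact (the 'Backup' value under HKCU\...\Run launching C:\backup.exe) and the five hostname/IP/port pairs above. The script below is an added example, not part of this report, showing how both would be swept for in practice: it parses a `reg export` of the Run key and flags the reported entry plus any autorun whose executable sits at a drive root, and it scans connection and DNS logs for the listed IPs and hostnames. The .reg text and the tab-separated conn/DNS log lines are constructed samples in a simplified conn.log-style layout, not real captures. One caveat a practitioner should keep in mind: names such as hostedc76.carrierzone.com or host176.b5.trdns.com read like the reverse-DNS names of shared hosting servers rather than attacker-registered domains, so traffic to those IPs on other ports is reported at lower confidence.

```python
import re

# Persistence IOC from the report: HKCU Run value "Backup" launching C:\backup.exe.
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_IOC = ("backup", r"c:\backup.exe")          # compared case-insensitively

# Network IOCs from the report: (hostname, IP, port).
NETWORK_IOCS = [
    ("dns1.interbox.cz", "77.78.99.55", 80),
    ("win15.securedc.com", "64.8.117.67", 80),
    ("host176.b5.trdns.com", "77.245.148.176", 80),
    ("161maklp3.guzel.net.tr", "31.192.214.161", 80),
    ("hostedc76.carrierzone.com", "69.49.115.40", 80),
]
IOC_PORT_BY_IP = {ip: port for _, ip, port in NETWORK_IOCS}
IOC_HOSTS = {host.lower() for host, _, _ in NETWORK_IOCS}

# Constructed `reg export "HKCU\...\Run"` output (reg files double backslashes and
# escape quotes); the OneDrive line is a benign decoy. Not from a real host.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Backup"="C:\\backup.exe"
'''

# Constructed flows, conn.log-style TSV: ts, uid, src, sport, dst, dport, proto.
SAMPLE_CONN_LOG = """\
1730773386.101\tC1\t10.0.0.5\t49152\t77.78.99.55\t80\ttcp
1730773387.204\tC2\t10.0.0.5\t49153\t93.184.216.34\t443\ttcp
1730773388.307\tC3\t10.0.0.7\t49154\t69.49.115.40\t80\ttcp
1730773389.410\tC4\t10.0.0.7\t49155\t69.49.115.40\t443\ttcp
"""

# Constructed DNS queries, TSV: ts, src, query.
SAMPLE_DNS_LOG = """\
1730773385.990\t10.0.0.5\tdns1.interbox.cz
1730773386.050\t10.0.0.5\tWIN15.securedc.com
1730773386.120\t10.0.0.9\tupdates.example.net
"""

_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_key(reg_text: str) -> dict:
    """Return {value_name: command} for the HKCU Run key in a .reg export."""
    entries, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = _REG_VALUE.match(line) if in_key else None
        if m:
            entries[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))   # undo \\ and \" escaping
    return entries


def _image_path(command: str) -> str:
    """The executable part of a Run command: the quoted path, or up to the first space."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def flag_run_entries(reg_text: str) -> list:
    """Flag the report's Run entry and any autorun whose image sits at a drive root,
    which is where this sample installs itself and where legitimate software rarely does."""
    hits = []
    for name, command in parse_run_key(reg_text).items():
        image = _image_path(command)
        reasons = []
        if (name.lower(), image.lower()) == RUN_VALUE_IOC:
            reasons.append("matches report IOC")
        if re.fullmatch(r"[a-z]:\\[^\\]+\.exe", image.lower()):
            reasons.append("executable at drive root")
        if reasons:
            hits.append({"name": name, "image": image, "reasons": reasons})
    return hits


def scan_conn_log(text: str) -> list:
    """Flows to a listed IP: IP+port is 'high'; another port on the same IP is 'medium',
    since these look like shared hosting servers that also serve unrelated sites."""
    hits = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 7 or parts[4] not in IOC_PORT_BY_IP:
            continue
        full = parts[6] == "tcp" and int(parts[5]) == IOC_PORT_BY_IP[parts[4]]
        hits.append({"uid": parts[1], "src": parts[2], "dst": f"{parts[4]}:{parts[5]}",
                     "confidence": "high" if full else "medium"})
    return hits


def scan_dns_log(text: str) -> list:
    """DNS queries for the exact hostnames in the report (case-insensitive)."""
    hits = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) >= 3 and parts[2].rstrip(".").lower() in IOC_HOSTS:
            hits.append({"src": parts[1], "query": parts[2]})
    return hits


if __name__ == "__main__":
    for hit in flag_run_entries(SAMPLE_REG_EXPORT) + scan_conn_log(SAMPLE_CONN_LOG) + scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

On a live host, feed `flag_run_entries` the output of `reg export "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`; the drive-root heuristic catches the C:\backup.exe pattern even if the value is renamed. For the network side, a high-confidence hit on one of these IPs is worth pulling the full HTTP transaction for, while a medium hit on a shared hosting IP usually needs the queried hostname from DNS or proxy logs before it means anything.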
Remove updates.exe - Powered by Reason Core Security