updates.exe

The executable updates.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Updates’. While running, it connects to the Internet address box361.bluehost.com on port 80 using the HTTP protocol.
MD5:
e52d05dca2b6372549f4e62bef665c5a

SHA-1:
43a7cb278d7d5871e63ae32f65aa52f94316e277

SHA-256:
5e04945d8ecde8004a10d9c73abdb9d2249bd2bcd2435eaf47aefc2c203d6adf

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/26/2024 3:30:25 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Trojan.Downloader.UP (M)
17.2.12.20

File size:
188 KB (192,512 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
1/24/2011 4:29:48 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x17EC

Entry point:
85, DD, 74, 09, 20, C2, B9, B9, 60, 17, 20, 88, FC, 50, 85, D1, 71, 05, 85, D9, 4A, 89, C9, 69, CF, 1D, B1, 73, 3B, C7, C3, F2, D4, 08, 55, 81, CB, 96, 0C, 6F, FD, F3, 2D, DB, 8C, 7F, 56, 86, C4, 0F, AF, EE, 87, C8, 68, 2E, 48, DE, 00, 52, 0F, B7, CB, B9, AD, F8, D7, 8E, E8, 00, 00, 00, 00, 21, DB, BF, 5B, FF, 99, 96, 85, E9, FE, CC, 89, EA, 0F, BE, D4, 81, C1, 5E, 7F, 00, 00, 0F, AF, F3, 69, D7, BE, E4, 79, 6C, 81, C1, 9E, 05, 00, 00, 5F, B7, E2, 86, F2, 85, D1, 69, EE, C2, 50, 3F, A2, 13, C6, 3C, 5E, 0B...
 
[+]

Entropy:
5.7447

Code size:
36 KB (36,864 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Updates

Command:
C:\updates.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to box361.bluehost.com  (69.89.31.161:80)

TCP (HTTP):
Connects to 217-160-0-4.elastic-ssl.ui-r.com  (217.160.0.4:80)

TCP (HTTP):
Connects to 217-160-0-39.elastic-ssl.ui-r.com  (217.160.0.39:80)

TCP (HTTP):
Connects to h30.default-host.net  (138.201.56.16:80)

TCP (HTTP):
Connects to box383.bluehost.com  (69.89.31.183:80)

TCP (HTTP):
Connects to sv2.byethost2.org  (31.22.4.140:80)

TCP (HTTP):
Connects to scirocco.icertified.net  (205.196.16.16:80)

TCP (HTTP):
Connects to sadira.avaruus.net  (178.251.153.37:80)

Remove updates.exe - Powered by Reason Core Security