» updates.exe
Overview
Analysis
File Details
Behaviors (1)
Network (4)

updates.exe

The executable updates.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Updates’.

File name:

updates.exe

MD5:

09a263bb41fe10a28cfe7ea111eed97f

SHA-1:

6fd6634d2465791d9e480626ac914557890af8f9

SHA-256:

3f0a6bf69f5ec6c80341bd1ee10d359fe7043b5df2fe2e2ace31e7efac35ec2b

Scanner detections:

1 / 68

Status:

Malware

Analysis date:

11/23/2024 1:18:21 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

Trojan.Downloader.UP (M)

17.3.7.20

File size:

160 KB (163,840 bytes)

File type:

Executable application (Win32 EXE)

File PE Metadata

Compilation timestamp:

9/17/2074 1:55:54 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

Entry address:

0x17EC

Entry point:

23, D5, 8B, DD, 89, C2, F6, C7, 4E, 2B, C2, 4F, 85, D6, C6, C0, CA, 86, CB, 0F, B6, F2, B0, FD, 8B, C8, 86, C2, 4D, 89, CF, E8, 22, 00, 00, 00, 85, D1, 76, 02, B6, 2E, 85, C3, 8B, C8, 8B, CE, BD, CA, E8, 17, 72, 0F, AF, CF, 8D, 11, 4E, 2A, C9, 0F, BF, DD, 4B, 2B, C2, 74, 01, F2, 87, DF, FF, C1, C6, C3, 76, 0F, B6, EE, 8B, C2, 85, ED, 8D, 35, FA, 75, 92, 12, BD, 67, A7, 00, 00, 8D, 1D, 6D, 9B, 1D, EA, 81, F5, 60, 2D, 00, 00, 84, DC, 34, 7F, 29, D7, 81, F5, 1F, 0F, 00, 00, 80, E5, C4, 0F, C1, EA, 05, D3, 21... 
[+]

Entropy:

6.1325

Code size:

36 KB (36,864 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

Updates

Command:

C:\updates.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to srv2.ampyazilim.com.tr (37.230.104.89:80)

TCP (HTTP):

Connects to 93-89-226-17.fbs.com.tr (93.89.226.17:80)

TCP (HTTP):

Connects to CHHOSTW03.net4.com (118.67.248.123:80)

TCP (HTTP):

Connects to ec2-52-28-249-128.eu-central-1.compute.amazonaws.com (52.28.249.128:80)

Remove updates.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.