updates.exe

The executable updates.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Updates’. While running, it connects to the Internet address apache2-yak.zarniwoop.dreamhost.com on port 80 using the HTTP protocol.
MD5:
9e9b1b5038237227f2a4e58b7fa91f30

SHA-1:
89a25f460da47fe6250595059dda3bfd4c9f3375

SHA-256:
24d34c7bc5fcdebab2895e00c992fe8efdd2fe841c1fd767075f7c6bab636c12

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/27/2024 5:30:19 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Downloader.UP (M)

Engine version:
17.2.5.12

File size:
648 KB (663,552 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
9/8/2010 8:57:53 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x2986E

Entry point:
88, C7, BA, F8, A8, C4, 5B, 89, F2, C7, C2, C7, 88, 5D, FA, 87, EA, 0F, AF, D3, 80, D6, 60, BE, 90, E0, C4, FA, 8B, C1, 31, DB, 86, D3, 14, F1, BD, 00, 00, 00, 00, 3C, C6, F2, 86, DC, 85, F8, 0F, B6, C2, 85, CD, 81, C5, 6E, 0E, 00, 00, 13, F8, 69, C7, 6C, 8A, 28, 53, 15, 87, 07, 34, 4C, 81, ED, 6D, 0E, 00, 00, 81, C9, 72, 72, 19, 70, 69, C8, 55, 90, AB, B6, 4F, FE, CC, 80, E7, 27, F3, 8B, D1, 81, FD, BD, 0B, 00, 00, 0F, 8C, BA, FF, FF, FF, C7, C2, 34, C0, 1D, 92, 68, 9A, 24, A1, 00, 68, B6, 04, 6B, 00, 86...

Entropy:
5.0765

Code size:
36 KB (36,864 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Updates

Command:
C:\updates.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to neptune.corpservers.net  (63.247.87.162:80)

TCP (HTTP):
Connects to apache2-yak.zarniwoop.dreamhost.com  (173.236.154.78:80)

TCP (HTTP):
Connects to win04-host-kb.turkticaret.net  (31.186.8.104:80)

TCP (HTTP):
Connects to server250.net217.intbildns.org  (185.126.217.250:80)

TCP (HTTP):
Connects to server123.managedns.org  (103.14.97.123:80)

Remove updates.exe - Powered by Reason Core Security