updates.exe

The executable updates.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Updates’. While running, it connects to the Internet address box361.bluehost.com on port 80 using the HTTP protocol.
MD5:
ce2fa2f1708d613462aba64da54ac9cb

SHA-1:
99da52cf584b1b07714586d7a4baeed7a2d0ded1

SHA-256:
73bdab406b2803d8c16b5ba17c5d82a0319c6c969d08a0d5ee78e24b1ecd02ca

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/27/2024 4:20:18 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Downloader.UP (M)

Engine version:
17.3.8.5

File size:
188 KB (192,512 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
11/13/2001 9:27:54 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x17EC

Entry point:
60, C6, C5, F1, 70, 04, 0C, 30, 88, FD, 81, FE, 93, 31, 00, 00, 78, 0B, F6, C2, B4, F7, C5, 3E, B8, EB, 6D, FE, CE, C6, C2, E5, 89, ED, 71, 07, 84, C3, BD, 16, A0, C5, F0, 81, FE, FF, B6, 00, 00, 8B, D3, 88, D3, B5, 89, FE, C4, 85, D6, 69, C5, 8C, 0C, 3E, 41, 81, FA, DD, 37, 00, 00, 78, 0E, 20, F2, C7, C3, B2, 16, B6, 73, 69, F1, 3C, 84, A0, 81, 14, C6, F3, E8, 0F, 00, 00, 00, 85, DB, FF, C0, F6, C4, A2, 81, D5, D6, 07, 98, C3, 3B, D7, 5B, 4A, F6, C6, 8C, 03, C8, 0F, AF, D3, 49, F6, C2, 74, EB, 04, 3C, FA...

Entropy:
6.4614

Code size:
52 KB (53,248 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Updates

Command:
C:\updates.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 217-160-0-4.elastic-ssl.ui-r.com  (217.160.0.4:80)

TCP (HTTP):
Connects to box383.bluehost.com  (69.89.31.183:80)

TCP (HTTP):
Connects to 217-160-0-39.elastic-ssl.ui-r.com  (217.160.0.39:80)

TCP (HTTP):
Connects to box361.bluehost.com  (69.89.31.161:80)

TCP (HTTP):
Connects to server.WebsByAmy.com  (98.142.100.146:80)

Remove updates.exe - Powered by Reason Core Security