update.exe

The executable update.exe, described as “Useful tool for Minecraft.”, has been detected as malware by 31 anti-virus scanners. It is set to execute automatically whenever a user logs into Windows (through the local user Run registry setting) under the name ‘WindowsUpdate’. While running, it connects to the Internet address mail.litecoinpool.org on port 443.
Description:
Useful tool for Minecraft.

Version:
1.0.0.0

MD5:
0a5e9aae5fab6ad8a4ee2b2bd685f5d9

SHA-1:
8036ba51d80afbf053581ff8561cb39fca6b5f11

SHA-256:
fec99735a264cb3fabe61e4a9e6270f0cae25c501bbba366274ddccf2902cf8f

Scanner detections:
31 / 68

Status:
Malware

Analysis date:
4/25/2024 9:28:19 PM UTC

Scan engine             Detection                                     Engine version
Lavasoft Ad-Aware       Trojan.Generic.12301625                       532
Avira AntiVirus         TR/Agent.420352.36                            8.3.1.6
Arcabit                 Trojan.Generic.DBBB539                        1.0.0.425
avast!                  Win32:Malware-gen                             2014.9-150821
AVG                     Generic12_c                                   2016.0.3010
Baidu Antivirus         Trojan.Win32.Dropper                          4.0.3.15821
Bitdefender             Trojan.Generic.12301625                       1.0.20.1165
Comodo Security         UnclassifiedMalware                           22687
Dr.Web                  Trojan.DownLoader16.23052                     9.0.1.05190
Emsisoft Anti-Malware   Trojan.Generic.12301625                       8.15.08.21.03
ESET NOD32              Win32/CoinMiner.WM trojan                     6.3.12010.0
Fortinet FortiGate      W32/Dapato.ETHN!tr                            8/21/2015
F-Secure                Trojan.Generic.12301625                       11.2015-21-08_6
G Data                  Trojan.Generic.12301625                       15.8.25
IKARUS anti.virus       Trojan-Dropper.Win32.Dapato                   t3scan.1.9.5.0
K7 AntiVirus            Trojan                                        13.205.16474
Kaspersky               Trojan-Dropper.Win32.Dapato                   15.0.2.529
Malwarebytes            Trojan.Agent.MNR                              v2015.08.21.03
McAfee                  Artemis!0A5E9AAE5FAB                          5600.6666
MicroWorld eScan        Trojan.Generic.12301625                       16.0.0.699
nProtect                Trojan.Generic.12301625                       15.07.06.01
Panda Antivirus         Trj/CI.A                                      15.08.21.03
Quick Heal              TrojanDropper.Dapato.r3                       8.15.14.00
Reason Heuristics       Trojan.CoinMiner.ET (M)                       17.2.21.15
Rising Antivirus        PE:Trojan.Win32.Generic.17F52405!401941509    23.00.65.15819
Sophos                  Mal/Generic-S                                 4.98
Trend Micro             TROJ_GEN.R00GC0EA315                          10.465.21
Vba32 AntiVirus         Trojan-Dropper.Dapato.ethn                    3.12.26.4
VIPRE Antivirus         Trojan.Win32.Generic                          41780
ViRobot                 Trojan.Win32.A.Badur.420352[h]                2014.3.20.0
Zillya! Antivirus       Trojan.Agent.Win32.549754                     2.0.0.2271

File size:
410.5 KB (420,352 bytes)

Product version:
3.3.12.0

Copyright:
©1999-2014 Jonathan Bennett & AutoIt Team

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\windowsupdate\update.exe

File PE Metadata
Compilation timestamp:
12/3/2014 4:20:48 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:ZOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPipSKAIZY:Zq5TfcdHj4fmbZKFZY

Entry address:
0xEAF10

Entry point:
60, BE, 00, 70, 49, 00, 8D, BE, 00, A0, F6, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.24

Code size:
340 KB (348,160 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WindowsUpdate

Command:
C:\users\{user}\appdata\roaming\windowsupdate\update.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to 61.ip-158-69-196.net  (158.69.196.61:443)

TCP (HTTP):
Connects to users.ugent.be  (157.193.40.145:80)

TCP (HTTP SSL):
Connects to mail.litecoinpool.org  (88.80.187.187:443)

TCP (HTTP):
Connects to crl.comodoca.com.cdn.cloudflare.net  (178.255.83.2:80)

TCP (HTTP):
Connects to ocsp.comodoca.com  (178.255.83.1:80)

Powered by Reason Core Security