updates.exe

The executable updates.exe has been detected as malware by 1 anti-virus scanner. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Backup’. While running, it connects to the Internet address apache2-yak.zarniwoop.dreamhost.com on port 80 using the HTTP protocol.
MD5:
af824aa04fe3919d7ec75e4797afa27d

SHA-1:
191b54b280d71fbf61e6b70545432bfe99024cd5

SHA-256:
9bceb7792f1134fae44773e63806008fabadd207a292192e5699421c041545dc

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
4/25/2024 11:15:04 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Downloader.UP (M)

Engine version:
17.2.12.20

File size:
144 KB (147,456 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
1/24/2011 4:29:48 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x17EC

Entry point:
3D, AC, AF, 00, 00, 76, 02, FF, C5, FE, C5, FF, C6, 81, E3, 0C, 48, 55, 40, 88, C7, 69, C6, CA, BB, 8B, E4, 8A, FD, 0F, BE, D2, 87, EB, 8B, C3, 87, FA, 87, EA, 85, C8, 76, 03, 0F, AF, F6, 03, C8, C7, C7, 1D, D4, CC, 0B, FF, CF, F3, EB, 0C, C7, C7, F9, 5F, FB, BE, F7, C6, 99, EC, 93, 8B, B0, AD, 85, DA, F3, 19, D8, 71, 04, 88, DD, 89, F0, E8, 4D, 00, 00, 00, 20, F1, 81, C9, 41, D0, 4F, 3F, 69, C5, 24, C1, 54, BA, BB, 77, 4A, 97, ED, 08, C4, 8B, DD, F7, C3, AD, 64, 12, D6, 83, E6, 00, 08, C3, F2, 81, F6, 0E...

Entropy:
6.7932

Code size:
36 KB (36,864 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Backup

Command:
C:\backup.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to apache2-yak.zarniwoop.dreamhost.com  (173.236.154.78:80)

TCP (HTTP):
Connects to tiki.trunkoz.com  (103.14.97.123:80)

TCP (HTTP):
Connects to server250.net217.intbildns.org  (185.126.217.250:80)

TCP (HTTP):
Connects to win04-host-kb.turkticaret.net  (31.186.8.104:80)

TCP (HTTP):
Connects to neptune.corpservers.net  (63.247.87.162:80)

TCP (HTTP):
Connects to mail2.ic.cz  (88.86.100.180:80)

TCP (HTTP):
Connects to 209-99-40-222.fwd.datafoundry.com  (209.99.40.222:80)

Remove updates.exe - Powered by Reason Core Security