updates.exe

The executable updates.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Updates’. While running, it connects to the Internet address 217-160-0-39.elastic-ssl.ui-r.com on port 80 using the HTTP protocol.
MD5:
186a27c3dea65e8df64ae7a72a73da7f

SHA-1:
58ff3bda1d85f6147b3ce2d50144ffb0e4f0e8fa

SHA-256:
6d8ac912b61647b6c3c6692c0a24cf4a6d45e7303c625d4ee21f2e879427232c

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
4/25/2024 10:13:17 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Downloader.UP (M)

Engine version:
16.8.24.0

File size:
316 KB (323,584 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
3/12/1996 12:24:46 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:i9k0QpFZyOSAYZRx6iDrhLOUpDShRKplkj1JfjJbLRZlBx/r:i9k0lrTxAq2vbJbLZBd

Entry address:
0x3C6E4

Entry point:
60, 0F, B6, F0, 8D, 0D, 87, 48, 93, 3B, 8D, 0D, 67, 9E, 95, 7A, 86, D1, 8A, E2, 69, F9, 55, F0, BF, D5, 87, D5, 8D, 2D, 4D, 1B, BA, 43, B2, CE, FF, C8, 81, EB, 7A, A6, 00, 00, 85, FA, 81, C3, 35, 0D, 00, 00, C6, C1, 99, 0D, 29, D9, C3, 16, 2D, 2F, 7D, EB, FA, 68, 13, 76, 51, 00, 20, CB, FE, C7, 18, F1, 0F, AF, C0, B3, 1A, 81, DE, 54, 2F, 02, FA, E8, 7A, 00, 00, 00, F3, 3B, EA, 76, 02, 10, C9, 08, F3, F6, C1, D8, 8A, DC, 3B, C6, BF, 00, 00, 00, 00, 0D, 9E, E4, AC, F3, 81, F9, 4A, 04, 00, 00, 78, 09, F2, 1A...

Entropy:
4.3083

Code size:
36 KB (36,864 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Updates

Command:
C:\updates.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 217-160-0-39.elastic-ssl.ui-r.com  (217.160.0.39:80)

TCP (HTTP):
Connects to box361.bluehost.com  (69.89.31.161:80)

TCP (HTTP):
Connects to 217-160-0-4.elastic-ssl.ui-r.com  (217.160.0.4:80)
