Dropbox.exe

File Path: C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
Description: Dropbox

Hashes

Type	Hash
MD5	`8B86CFBDD8AA0FCA798090E78677BB16`
SHA1	`A7B71D32C09A04608BB19122478B8AAD54033CD5`
SHA256	`DBA125BF993E85C19F1DC367209D0DC05AF6196EF82844C941996B498DCE27A9`
SHA384	`EEC38B855BB9DABFF341DBA77A925E7E140BBEB3D1CC2CD3D3D616729FB7020FF1D6143B9931D791A503FACCF3808CD3`
SHA512	`656438A06C7DAC8C28AB1519C33E0E79D2195AC26C1E8A8E19E22D24519B542438497ADD064448035D1B3282DA6C1C0EEBD655C6FE5C74DB0EEC4BE13EA25366`
SSDEEP	`49152:hi7J14JiLbcw6I7KkaJVwM/WCetkpNgBIW8NR8tAOfAbv4FqWJ:o8JUbcw6kM/WCetkpNsM2fh`
IMP	`5C208DACC226E6F96D1BC6311616F9B5`
PESHA1	`F69A02AF2EF17B79690F98E015094E671FA09261`
PE256	`F045FBAEC86CA6AC44DAB2078FBAFC1FE79304EE9C8305523EF6A4DE0D0BE9FF`

Runtime Data

Usage (stderr):

!! dropbox: assigning process to named job object dbx2244
!! dropbox: assigned process to named job object with handle 00000208
dropbox: loading watchdog
dropbox: loaded watchdog. executing watchdog_main
!! dropbox: assigning process to named job object dbx5464
!! dropbox: assigned process to named job object with handle 00000208
dropbox: loading watchdog
dropbox: loaded watchdog. executing watchdog_main
dropbox: starting main app
dropbox: package full name is <unpackaged>
dropbox: loading bootstrap
dropbox: initializing
dropbox: initializing python 3.7.9
dropbox: setting program path 'C:\Program Files (x86)\Dropbox\Client\Dropbox.exe'
dropbox: setting python path 'C:\Program Files (x86)\Dropbox\Client\106.4.368;C:\Program Files (x86)\Dropbox\Client\106.4.368\python-packages.zip'
!! dropbox: assigning process to named job object dbx3592
!! dropbox: assigned process to named job object with handle 00000224
dropbox: loading watchdog
dropbox: loaded watchdog. executing watchdog_main
dropbox: python initialized
dropbox: running dropbox
dropbox: setting args
dropbox: enabling allocator metrics
dropbox: applying overrides
dropbox: running main script
dropbox: load fq extension 'C:\\Program Files (x86)\\Dropbox\\Client\\106.4.368\\tornado.speedups.cp37-win32.pyd'
dropbox: load fq extension 'C:\\Program Files (x86)\\Dropbox\\Client\\106.4.368\\cryptography.hazmat.bindings._constant_time.cp37-win32.pyd'
dropbox: load fq extension 'C:\\Program Files (x86)\\Dropbox\\Client\\106.4.368\\cryptography.hazmat.bindings._openssl.cp37-win32.pyd'
dropbox: load fq extension 'C:\\Program Files (x86)\\Dropbox\\Client\\106.4.368\\cryptography.hazmat.bindings._padding.cp37-win32.pyd'
dropbox: load fq extension 'C:\\Program Files (x86)\\Dropbox\\Client\\106.4.368\\apex._apex.cp37-win32.pyd'
dropbox: load fq extension 'C:\\Program Files (x86)\\Dropbox\\Client\\106.4.368\\psutil._psutil_windows.cp37-win32.pyd'
dropbox: load fq extension 'C:\\Program Files (x86)\\Dropbox\\Client\\106.4.368\\win32com.shell.shell.cp37-win32.pyd'

Child Processes:

Dropbox.exe Dropbox.exe

Open Handles:

Path	Type
(R-D) C:\Windows\System32\en-US\kernel32.dll.mui	File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui	File
(RW-) C:\Program Files (x86)\Dropbox\Client\106.4.368	File
(RW-) C:\Windows	File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627	File
(RW-) C:\xCyclopedia	File
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0	Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0	Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters	Section
\Sessions\1\Windows\Theme2547664911	Section
\Windows\Theme3854699184	Section

Loaded Modules:

Path
C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

Status: Signature verified.
Serial: 08557A49A29FFD9253CA5AC8780F2C95
Thumbprint: 00D9C6C496925FFD914772B0B79F6E873B6AB8F2
Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject: CN=”Dropbox, Inc”, O=”Dropbox, Inc”, L=San Francisco, S=California, C=US

File Metadata

Original Filename: Dropbox.exe
Product Name: Dropbox
Company Name: Dropbox, Inc.
File Version: 106.4.368
Product Version: 106.4.368
Language: English (United States)
Legal Copyright: Dropbox, Inc.
Machine Type: 32-bit

File Scan

VirusTotal Detections: 0/71
VirusTotal Link: https://www.virustotal.com/gui/file/dba125bf993e85c19f1dc367209d0dc05af6196ef82844c941996b498dce27a9/detection/

File Similarity (ssdeep match)

File	Score
C:\program files (x86)\Dropbox\Client\Dropbox.exe	72

Possible Misuse

The following table contains possible examples of Dropbox.exe being misused. While Dropbox.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proxy_apt40.yml	`title: APT40 Dropbox Tool User Agent`	DRL 1.0
sigma	proxy_apt40.yml	`description: Detects suspicious user agent string of APT40 Dropbox tool`	DRL 1.0
sigma	proxy_apt40.yml	`r-dns: 'api.dropbox.com'`	DRL 1.0
sigma	proc_access_win_susp_proc_access_lsass.yml	`# Generic Filter for 0x1410 filter (caused by so many programs like DropBox updates etc.)`	DRL 1.0
sigma	proc_creation_win_netsh_fw_add.yml	`- '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'`	DRL 1.0
sigma	proc_creation_win_netsh_fw_add.yml	`- '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'`	DRL 1.0
sigma	registry_event_asep_reg_keys_modification_wow6432node.yml	`- '\Dropbox\Client\Dropbox.exe'`	DRL 1.0
sigma	registry_event_persistence_search_order.yml	`- '\AppData\Roaming\Dropbox\'`	DRL 1.0
sigma	registry_event_removal_com_hijacking_registry_key.yml	`Image\\|endswith: '\Dropbox.exe'`	DRL 1.0
sigma	registry_event_removal_com_hijacking_registry_key.yml	`TargetObject\\|startswith: 'HKCR\Dropbox.'`	DRL 1.0
sigma	net_dns_high_subdomain_rate.yml	`- "dropbox.com"`	DRL 1.0
sigma	net_dns_large_domain_name.yml	`- "dropbox.com"`	DRL 1.0
malware-ioc	misp-machete-event.json	`"value": "https://www.dropbox.com/s/m38rq5hx5ydrg07/zingapur?dl=1",`	© ESET 2014-2018
signature-base	apt_hiddencobra_bankshot.yar	$a1 = “live.dropbox.com” fullword ascii	CC BY-NC 4.0
signature-base	apt_indetectables_rat.yar	$x2 = “URLDownloadToFileA 0, "https://dl.dropbox.com/u/105015858/nome.exe", "c:\nome.exe", 0, 0” fullword wide	CC BY-NC 4.0
signature-base	apt_indetectables_rat.yar	$s5 = “https://dl.dropbox.com/u/105015858” wide	CC BY-NC 4.0
signature-base	apt_khrat.yar	$x1 = “http.open "POST", "http://update.upload-dropbox[.]com/docs/tz/GetProcess.php",False,"","" “ fullword ascii	CC BY-NC 4.0
signature-base	apt_nanocore_rat.yar	$x1 = “C:\Users\Logintech\Dropbox\Projects\New folder\Latest\Benchmark\Benchmark\obj\Release\Benchmark.pdb” fullword ascii	CC BY-NC 4.0
signature-base	crime_ransom_darkside.yar	$dropboxAPI = “Dropbox-API-Arg”	CC BY-NC 4.0
signature-base	gen_mal_scripts.yar	$x2 = “script:https://www.dropbox.com” ascii	CC BY-NC 4.0
stockpile	3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml	`name: Exfil Compressed Archive to Dropbox`	Apache-2.0
stockpile	3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml	`description: This will exfiltrate an archive to Dropbox.`	Apache-2.0
stockpile	3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml	`$TargetFilePath = "/#{dropbox.target.dir}/$RemoteName";`	Apache-2.0
stockpile	3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml	`$ApiKey = "#{dropbox.api.key}";`	Apache-2.0
stockpile	3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml	`$req.Headers.Add("Dropbox-API-Arg", $arg);`	Apache-2.0
stockpile	3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml	`--header "Authorization: Bearer #{dropbox.api.key}"`	Apache-2.0
stockpile	3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml	`--header "Dropbox-API-Arg: {\"path\": \"/#{dropbox.target.dir}/$RemoteName\",\"mode\": \"add\",\"autorename\": true,\"mute\": false,\"strict_conflict\": false}"`	Apache-2.0