Dropbox.exe

  • File Path: C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
  • Description: Dropbox

Hashes

Type Hash
MD5 8B86CFBDD8AA0FCA798090E78677BB16
SHA1 A7B71D32C09A04608BB19122478B8AAD54033CD5
SHA256 DBA125BF993E85C19F1DC367209D0DC05AF6196EF82844C941996B498DCE27A9
SHA384 EEC38B855BB9DABFF341DBA77A925E7E140BBEB3D1CC2CD3D3D616729FB7020FF1D6143B9931D791A503FACCF3808CD3
SHA512 656438A06C7DAC8C28AB1519C33E0E79D2195AC26C1E8A8E19E22D24519B542438497ADD064448035D1B3282DA6C1C0EEBD655C6FE5C74DB0EEC4BE13EA25366
SSDEEP 49152:hi7J14JiLbcw6I7KkaJVwM/WCetkpNgBIW8NR8tAOfAbv4FqWJ:o8JUbcw6kM/WCetkpNsM2fh
IMP 5C208DACC226E6F96D1BC6311616F9B5
PESHA1 F69A02AF2EF17B79690F98E015094E671FA09261
PE256 F045FBAEC86CA6AC44DAB2078FBAFC1FE79304EE9C8305523EF6A4DE0D0BE9FF

Runtime Data

Usage (stderr):

!! dropbox: assigning process to named job object dbx2244
!! dropbox: assigned process to named job object with handle 00000208
dropbox: loading watchdog
dropbox: loaded watchdog. executing watchdog_main
!! dropbox: assigning process to named job object dbx5464
!! dropbox: assigned process to named job object with handle 00000208
dropbox: loading watchdog
dropbox: loaded watchdog. executing watchdog_main
dropbox: starting main app
dropbox: package full name is <unpackaged>
dropbox: loading bootstrap
dropbox: initializing
dropbox: initializing python 3.7.9
dropbox: setting program path 'C:\Program Files (x86)\Dropbox\Client\Dropbox.exe'
dropbox: setting python path 'C:\Program Files (x86)\Dropbox\Client\106.4.368;C:\Program Files (x86)\Dropbox\Client\106.4.368\python-packages.zip'
!! dropbox: assigning process to named job object dbx3592
!! dropbox: assigned process to named job object with handle 00000224
dropbox: loading watchdog
dropbox: loaded watchdog. executing watchdog_main
dropbox: python initialized
dropbox: running dropbox
dropbox: setting args
dropbox: enabling allocator metrics
dropbox: applying overrides
dropbox: running main script
dropbox: load fq extension 'C:\\Program Files (x86)\\Dropbox\\Client\\106.4.368\\tornado.speedups.cp37-win32.pyd'
dropbox: load fq extension 'C:\\Program Files (x86)\\Dropbox\\Client\\106.4.368\\cryptography.hazmat.bindings._constant_time.cp37-win32.pyd'
dropbox: load fq extension 'C:\\Program Files (x86)\\Dropbox\\Client\\106.4.368\\cryptography.hazmat.bindings._openssl.cp37-win32.pyd'
dropbox: load fq extension 'C:\\Program Files (x86)\\Dropbox\\Client\\106.4.368\\cryptography.hazmat.bindings._padding.cp37-win32.pyd'
dropbox: load fq extension 'C:\\Program Files (x86)\\Dropbox\\Client\\106.4.368\\apex._apex.cp37-win32.pyd'
dropbox: load fq extension 'C:\\Program Files (x86)\\Dropbox\\Client\\106.4.368\\psutil._psutil_windows.cp37-win32.pyd'
dropbox: load fq extension 'C:\\Program Files (x86)\\Dropbox\\Client\\106.4.368\\win32com.shell.shell.cp37-win32.pyd'

Child Processes:

Dropbox.exe Dropbox.exe

Open Handles:

Path Type
(R-D) C:\Windows\System32\en-US\kernel32.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(RW-) C:\Program Files (x86)\Dropbox\Client\106.4.368 File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 File
(RW-) C:\xCyclopedia File
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\Windows\Theme2547664911 Section
\Windows\Theme3854699184 Section

Loaded Modules:

Path
C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 08557A49A29FFD9253CA5AC8780F2C95
  • Thumbprint: 00D9C6C496925FFD914772B0B79F6E873B6AB8F2
  • Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: CN=”Dropbox, Inc”, O=”Dropbox, Inc”, L=San Francisco, S=California, C=US

File Metadata

  • Original Filename: Dropbox.exe
  • Product Name: Dropbox
  • Company Name: Dropbox, Inc.
  • File Version: 106.4.368
  • Product Version: 106.4.368
  • Language: English (United States)
  • Legal Copyright: Dropbox, Inc.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/dba125bf993e85c19f1dc367209d0dc05af6196ef82844c941996b498dce27a9/detection/

File Similarity (ssdeep match)

File Score
C:\program files (x86)\Dropbox\Client\Dropbox.exe 72

Possible Misuse

The following table contains possible examples of Dropbox.exe being misused. While Dropbox.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proxy_apt40.yml title: APT40 Dropbox Tool User Agent DRL 1.0
sigma proxy_apt40.yml description: Detects suspicious user agent string of APT40 Dropbox tool DRL 1.0
sigma proxy_apt40.yml r-dns: 'api.dropbox.com' DRL 1.0
sigma net_dns_high_subdomain_rate.yml - "dropbox.com" DRL 1.0
sigma net_dns_large_domain_name.yml - "dropbox.com" DRL 1.0
malware-ioc misp-machete-event.json "value": "https://www.dropbox.com/s/m38rq5hx5ydrg07/zingapur?dl=1", © ESET 2014-2018
signature-base apt_hiddencobra_bankshot.yar $a1 = “live.dropbox.com” fullword ascii CC BY-NC 4.0
signature-base apt_indetectables_rat.yar $x2 = “URLDownloadToFileA 0, "https://dl.dropbox.com/u/105015858/nome.exe", "c:\nome.exe", 0, 0” fullword wide CC BY-NC 4.0
signature-base apt_indetectables_rat.yar $s5 = “https://dl.dropbox.com/u/105015858” wide CC BY-NC 4.0
signature-base apt_khrat.yar $x1 = “http.open "POST", "http://update.upload-dropbox[.]com/docs/tz/GetProcess.php",False,"","" “ fullword ascii CC BY-NC 4.0
signature-base apt_nanocore_rat.yar $x1 = “C:\Users\Logintech\Dropbox\Projects\New folder\Latest\Benchmark\Benchmark\obj\Release\Benchmark.pdb” fullword ascii CC BY-NC 4.0
signature-base gen_mal_scripts.yar $x2 = “script:https://www.dropbox.com” ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.