updater.exe

File Path: C:\Program Files\Mozilla Firefox\updater.exe
Description: Firefox Software Updater

Hashes

Type	Hash
MD5	`019CF18ADC3FA81FA314F8B3ED9061C1`
SHA1	`1892F40B831D653C1056EF1EBE4DC28A49862753`
SHA256	`A8393B5C7E98F4102AE599FB337003782CEF5EE7FD48AF20C647518CC08A3733`
SHA384	`A6C3263444E69F39A8BA1DC43446102845DE295CD42B3588894F81E02ED58AA5E144A6E5A923E0B4E9742563C9B52AF8`
SHA512	`3195CD7DFA5B527F947FB55B8F23C601987FF5999A60DEAA4C288E5E32CCAE954ED107BF551DD7A215F8BF28C120C847C478AF8F0A94BFAFF763CDF5151D82BF`
SSDEEP	`6144:n/G/jvr2WhT9kTEMZuZUO+ykXxoN2A10U5uuNc4OexIBNd0XYAusqJg3PfcKrKyG:n/G/jKWhyQSOwBMVGe/W1JAdGyG`
IMP	`5629AE476C183894D4236EAC48C5723F`
PESHA1	`7B7ED870EF2F60A524473EDAA406B6502743C439`
PE256	`529AE871BCAF7BDE41125D5E1C93B2BCB088ACEE1A3B2D572453B3E396229795`

Runtime Data

Usage (stderr):

Usage: updater patch-dir install-dir apply-to-dir [wait-pid [callback-working-dir callback-path args...]]

Loaded Modules:

Path
C:\Program Files\Mozilla Firefox\updater.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

Status: Signature verified.
Serial: 0DDEB53F957337FBEAF98C4A615B149D
Thumbprint: 91CABEA509662626E34326687348CAF2DD3B4BBA
Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject: E=”release+certificates@mozilla.com”, CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US

File Metadata

Original Filename: updater.exe
Product Name: Firefox
Company Name: Mozilla Foundation
File Version: 81.0
Product Version: 81.0
Language: Language Neutral
Legal Copyright: License: MPL 2
Machine Type: 64-bit

File Scan

VirusTotal Detections: 0/71
VirusTotal Link: https://www.virustotal.com/gui/file/a8393b5c7e98f4102ae599fb337003782cef5ee7fd48af20c647518cc08a3733/detection/

File Similarity (ssdeep match)

File	Score
C:\Program Files\Mozilla Firefox\updater.exe	30
C:\program files\Mozilla Firefox\updater.exe	35
C:\Program Files\Mozilla Firefox\updater.exe	33
C:\Program Files\Mozilla Thunderbird\updater.exe	36
C:\Program Files\Mozilla Thunderbird\updater.exe	33
C:\Program Files\Mozilla Thunderbird\updater.exe	33
C:\program files\Mozilla Thunderbird\updater.exe	35

Possible Misuse

The following table contains possible examples of updater.exe being misused. While updater.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_powersploit_empire_schtasks.yml	`- 'Updater'`	DRL 1.0
sigma	proc_creation_win_susp_disable_raccine.yml	`- 'Raccine Rules Updater'`	DRL 1.0
sigma	proc_creation_win_susp_gup.yml	`description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks`	DRL 1.0
sigma	proc_creation_win_susp_gup.yml	`- '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe'`	DRL 1.0
sigma	proc_creation_win_susp_gup.yml	`- '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe'`	DRL 1.0
sigma	proc_creation_win_susp_gup.yml	`- '\Program Files\Notepad++\updater\GUP.exe'`	DRL 1.0
sigma	proc_creation_win_susp_gup.yml	`- '\Program Files (x86)\Notepad++\updater\GUP.exe'`	DRL 1.0
sigma	proc_creation_win_susp_gup.yml	`- Execution of tools named GUP.exe and located in folders different than Notepad++\updater`	DRL 1.0
LOLBAS	Gpup.yml	`- 'C:\Program Files (x86)\Notepad++\updater\gpup.exe '`
LOLBAS	OneDriveStandaloneUpdater.yml	`Description: OneDrive Standalone Updater`
LOLBAS	Update.yml	`- Link: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/`
malware-ioc	misp-kryptocibule.json	`"value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Updater.exe",`	© ESET 2014-2018
malware-ioc	kryptocibule	`.Updater (`Updater.exe`)`	© ESET 2014-2018
malware-ioc	kryptocibule	`%ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Updater.exe`	© ESET 2014-2018
atomic-red-team	T1574.001.md	Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path.	MIT License. © 2018 Red Canary
atomic-red-team	T1574.001.md	copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1574.001.md	%APPDATA%\updater.exe -Command exit	MIT License. © 2018 Red Canary
atomic-red-team	T1574.001.md	del %APPDATA%\updater.exe >nul 2>&1	MIT License. © 2018 Red Canary
signature-base	apt_wildneutron.yar	$s12 = “Intel Integrated Graphics Updater” fullword wide /* PEStudio Blacklist: strings / / score: ‘12.00’ */	CC BY-NC 4.0
signature-base	apt_wildneutron.yar	$s5 = “Adobe Flash Plugin Updater” fullword wide /* PEStudio Blacklist: strings / / score: ‘11.00’ */	CC BY-NC 4.0
signature-base	crime_nkminer.yar	$f = “C:\Windows\Sys64\updater.exe” wide ascii	CC BY-NC 4.0
signature-base	gen_rats_malwareconfig.yar	$string10 = “DynDNS\Updater\config.dyndns” wide	CC BY-NC 4.0
stockpile	1258b063-27d6-489b-a677-4807faacf868.yml	`"microsoft.tri.sensor.updater",`	Apache-2.0