updater.exe

  • File Path: C:\Program Files\Mozilla Thunderbird\updater.exe
  • Description: Thunderbird Software Updater

Hashes

  • MD5: 07D16EADF927C51C736FA89A68A9F379
  • SHA1: 08D7A3A8510BFE4744A6A6F3A8EDFE94E18FD0AB
  • SHA256: 72C6828A8B72E664F66F28CB64250C64A86CAAAE276FAB3D75839B30D70E5B3F
  • SHA384: 8DE445FB132920433E2A2B8764450158CC1A56BFB00D2A8DE87602ACB413C715E4177F713EEADF5037565FE7BF6ED9AD
  • SHA512: 965B3295053EA3511E30F2A9CC7F8D5340E2D50DEFF6974DD5676F4DA85FC1DDA35AAF59C8D31E17264D1A248272F8EEA2E0191A5CED37FCD5D62FA7A454A30F
  • SSDEEP: 6144:9TExPO9Cu/dGIemG0bhwQC++ZvJsMXEa1lBN8XqmiJg3PfcKrKywM:KpfiZhGHSa7XXeYJAdGyF
  • IMP: 82A3A9E88856E6F29C30BBE968C99EB3
  • PESHA1: 8950C5B12644AAB6D4C58E9F4A6F53218CF21D50
  • PE256: 4E6861A3761D7A231BB5D647E3EB00BBD4322C1E4C468507C4B222D54ABD92CB

Runtime Data

Usage (stderr):

Usage: updater patch-dir install-dir apply-to-dir [wait-pid [callback-working-dir callback-path args...]]

Loaded Modules:

  • C:\Program Files\Mozilla Thunderbird\updater.exe
  • C:\Windows\System32\KERNEL32.DLL
  • C:\Windows\System32\KERNELBASE.dll
  • C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 0DDEB53F957337FBEAF98C4A615B149D
  • Thumbprint: 91CABEA509662626E34326687348CAF2DD3B4BBA
  • Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: E="release+certificates@mozilla.com", CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US

File Metadata

  • Original Filename: updater.exe
  • Product Name: Thunderbird
  • Company Name: Mozilla Foundation
  • File Version: 78.2.0
  • Product Version: 78.2.0
  • Language: Language Neutral
  • Legal Copyright: License: MPL 2
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/72c6828a8b72e664f66f28cb64250c64a86caaae276fab3d75839b30d70e5b3f/detection/

File Similarity (ssdeep match)

  • C:\Program Files\Mozilla Firefox\updater.exe: 36
  • C:\Program Files\Mozilla Firefox\updater.exe: 32
  • C:\program files\Mozilla Firefox\updater.exe: 38
  • C:\Program Files\Mozilla Firefox\updater.exe: 36
  • C:\Program Files\Mozilla Thunderbird\updater.exe: 40
  • C:\Program Files\Mozilla Thunderbird\updater.exe: 35
  • C:\program files\Mozilla Thunderbird\updater.exe: 94

Possible Misuse

The following list contains possible examples of updater.exe being misused. While updater.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. The entries are matched on the file name across public detection rules and IoC sets, and several of them refer to other vendors' updaters rather than the Thunderbird binary described above.

  • sigma, proc_creation_win_powersploit_empire_schtasks.yml: - 'Updater' (DRL 1.0)
  • sigma, proc_creation_win_susp_disable_raccine.yml: - 'Raccine Rules Updater' (DRL 1.0)
  • sigma, proc_creation_win_susp_gup.yml: description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks (DRL 1.0)
  • sigma, proc_creation_win_susp_gup.yml: - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' (DRL 1.0)
  • sigma, proc_creation_win_susp_gup.yml: - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' (DRL 1.0)
  • sigma, proc_creation_win_susp_gup.yml: - '\Program Files\Notepad++\updater\GUP.exe' (DRL 1.0)
  • sigma, proc_creation_win_susp_gup.yml: - '\Program Files (x86)\Notepad++\updater\GUP.exe' (DRL 1.0)
  • sigma, proc_creation_win_susp_gup.yml: - Execution of tools named GUP.exe and located in folders different than Notepad++\updater (DRL 1.0)
  • LOLBAS, Gpup.yml: - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe'
  • LOLBAS, OneDriveStandaloneUpdater.yml: Description: OneDrive Standalone Updater
  • LOLBAS, Update.yml: - Link: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/
  • malware-ioc, misp-kryptocibule.json: "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Updater.exe" (© ESET 2014-2018)
  • malware-ioc, kryptocibule: .Updater (Updater.exe) (© ESET 2014-2018)
  • malware-ioc, kryptocibule: %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Updater.exe (© ESET 2014-2018)
  • atomic-red-team, T1574.001.md: Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path. (MIT License. © 2018 Red Canary)
  • atomic-red-team, T1574.001.md: copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe (MIT License. © 2018 Red Canary)
  • atomic-red-team, T1574.001.md: %APPDATA%\updater.exe -Command exit (MIT License. © 2018 Red Canary)
  • atomic-red-team, T1574.001.md: del %APPDATA%\updater.exe >nul 2>&1 (MIT License. © 2018 Red Canary)
  • signature-base, apt_wildneutron.yar: $s12 = "Intel Integrated Graphics Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '12.00' */ (CC BY-NC 4.0)
  • signature-base, apt_wildneutron.yar: $s5 = "Adobe Flash Plugin Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.00' */ (CC BY-NC 4.0)
  • signature-base, crime_nkminer.yar: $f = "C:\Windows\Sys64\updater.exe" wide ascii (CC BY-NC 4.0)
  • signature-base, gen_rats_malwareconfig.yar: $string10 = "DynDNS\Updater\config.dyndns" wide (CC BY-NC 4.0)
  • stockpile, 1258b063-27d6-489b-a677-4807faacf868.yml: "microsoft.tri.sensor.updater", (Apache-2.0)

MIT License. Copyright (c) 2020-2021 Strontic.