updater.exe

  • File Path: C:\Program Files\Mozilla Firefox\updater.exe
  • Description: Firefox Software Updater

Hashes

Type Hash
MD5 64E40B5BDDF488341E2AD2FAA536373C
SHA1 66CEB05A15285A83A3E9842947732232DBC73FB4
SHA256 43CE5237022ECF582CF259D0B6C9C84B54C90111195C9EB4FA4D24B2D257C410
SHA384 C7F435B76BDA9ADDCE35FD3401B7D8CD4023A44DD455C56B3D5F1D738FE890322EB286CBC047C5C3A4C2ED6E3683A445
SHA512 F78F4693E3D43585198BABCC7F1A91121459D3AB06BB6E19235FB57ED7B45F1C74F1DAFA6B2311C66C7568BEF4D43FD1648241517DABDECBC30665EC020E8234
SSDEEP 6144:zzgJ+q8jA1C1JjCrnx4tOpt15W1zxgnCXAkfiy383BN1gElJg3PfcKrKywF:zzgJ+q+X1J+WOTW5NuflJAdGyk
IMP 6BB751462A4674EA8871D6EED6988FCC
PESHA1 9498F2DA756BFBEF36EBC06AC977C708442095BC
PE256 C08425909DD183D9173327E2F7479BAF5148D08C5B16EDC00664C2BD750305A0

Runtime Data

Usage (stderr):

Usage: updater patch-dir install-dir apply-to-dir [wait-pid [callback-working-dir callback-path args...]]

Loaded Modules:

Path
C:\Program Files\Mozilla Firefox\updater.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 0C1CD3EEA47EDDA7A032573B014D0AFD
  • Thumbprint: 1326B39C3D5D2CA012F66FB439026F7B59CB1974
  • Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US

File Metadata

  • Original Filename: updater.exe
  • Product Name: Firefox
  • Company Name: Mozilla Foundation
  • File Version: 94.0.1
  • Product Version: 94.0.1
  • Language: Language Neutral
  • Legal Copyright: License: MPL 2
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/43ce5237022ecf582cf259d0b6c9c84b54c90111195c9eb4fa4d24b2d257c410/detection

File Similarity (ssdeep match)

File Score
C:\Program Files\Mozilla Firefox\updater.exe 30
C:\program files\Mozilla Firefox\updater.exe 33
C:\Program Files\Mozilla Firefox\updater.exe 33
C:\Program Files\Mozilla Thunderbird\updater.exe 32
C:\Program Files\Mozilla Thunderbird\updater.exe 38
C:\Program Files\Mozilla Thunderbird\updater.exe 36
C:\program files\Mozilla Thunderbird\updater.exe 32

Possible Misuse

The following table contains possible examples of updater.exe being misused. While updater.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_powersploit_empire_schtasks.yml | - 'Updater' | DRL 1.0
sigma | proc_creation_win_susp_disable_raccine.yml | - 'Raccine Rules Updater' | DRL 1.0
sigma | proc_creation_win_susp_gup.yml | description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks | DRL 1.0
sigma | proc_creation_win_susp_gup.yml | - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' | DRL 1.0
sigma | proc_creation_win_susp_gup.yml | - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' | DRL 1.0
sigma | proc_creation_win_susp_gup.yml | - '\Program Files\Notepad++\updater\GUP.exe' | DRL 1.0
sigma | proc_creation_win_susp_gup.yml | - '\Program Files (x86)\Notepad++\updater\GUP.exe' | DRL 1.0
sigma | proc_creation_win_susp_gup.yml | - Execution of tools named GUP.exe and located in folders different than Notepad++\updater | DRL 1.0
LOLBAS | Gpup.yml | - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe ' |
LOLBAS | OneDriveStandaloneUpdater.yml | Description: OneDrive Standalone Updater |
LOLBAS | Update.yml | - Link: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/ |
malware-ioc | misp-kryptocibule.json | "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Updater.exe", | © ESET 2014-2018
malware-ioc | kryptocibule | .Updater (Updater.exe) | © ESET 2014-2018
malware-ioc | kryptocibule | %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Updater.exe | © ESET 2014-2018
atomic-red-team | T1574.001.md | Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path. | MIT License. © 2018 Red Canary
atomic-red-team | T1574.001.md | copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1574.001.md | %APPDATA%\updater.exe -Command exit | MIT License. © 2018 Red Canary
atomic-red-team | T1574.001.md | del %APPDATA%\updater.exe >nul 2>&1 | MIT License. © 2018 Red Canary
signature-base | apt_wildneutron.yar | $s12 = "Intel Integrated Graphics Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '12.00' */ | CC BY-NC 4.0
signature-base | apt_wildneutron.yar | $s5 = "Adobe Flash Plugin Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.00' */ | CC BY-NC 4.0
signature-base | crime_nkminer.yar | $f = "C:\Windows\Sys64\updater.exe" wide ascii | CC BY-NC 4.0
signature-base | gen_rats_malwareconfig.yar | $string10 = "DynDNS\Updater\config.dyndns" wide | CC BY-NC 4.0
stockpile | 1258b063-27d6-489b-a677-4807faacf868.yml | "microsoft.tri.sensor.updater", | Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.