updater.exe
- File Path:
C:\Program Files\Mozilla Firefox\updater.exe
- Description: Firefox Software Updater
Hashes
Type | Hash |
---|---|
MD5 | 64E40B5BDDF488341E2AD2FAA536373C |
SHA1 | 66CEB05A15285A83A3E9842947732232DBC73FB4 |
SHA256 | 43CE5237022ECF582CF259D0B6C9C84B54C90111195C9EB4FA4D24B2D257C410 |
SHA384 | C7F435B76BDA9ADDCE35FD3401B7D8CD4023A44DD455C56B3D5F1D738FE890322EB286CBC047C5C3A4C2ED6E3683A445 |
SHA512 | F78F4693E3D43585198BABCC7F1A91121459D3AB06BB6E19235FB57ED7B45F1C74F1DAFA6B2311C66C7568BEF4D43FD1648241517DABDECBC30665EC020E8234 |
SSDEEP | 6144:zzgJ+q8jA1C1JjCrnx4tOpt15W1zxgnCXAkfiy383BN1gElJg3PfcKrKywF:zzgJ+q+X1J+WOTW5NuflJAdGyk |
IMP | 6BB751462A4674EA8871D6EED6988FCC |
PESHA1 | 9498F2DA756BFBEF36EBC06AC977C708442095BC |
PE256 | C08425909DD183D9173327E2F7479BAF5148D08C5B16EDC00664C2BD750305A0 |
Runtime Data
Usage (stderr):
Usage: updater patch-dir install-dir apply-to-dir [wait-pid [callback-working-dir callback-path args...]]
Loaded Modules:
Path |
---|
C:\Program Files\Mozilla Firefox\updater.exe |
C:\Windows\System32\ADVAPI32.dll |
C:\Windows\System32\GDI32.dll |
C:\Windows\System32\gdi32full.dll |
C:\Windows\System32\KERNEL32.DLL |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\System32\msvcp_win.dll |
C:\Windows\System32\msvcrt.dll |
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\sechost.dll |
C:\Windows\System32\ucrtbase.dll |
C:\Windows\System32\USER32.dll |
C:\Windows\System32\win32u.dll |
Signature
- Status: Signature verified.
- Serial:
0C1CD3EEA47EDDA7A032573B014D0AFD
- Thumbprint:
1326B39C3D5D2CA012F66FB439026F7B59CB1974
- Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
- Subject: CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US
File Metadata
- Original Filename: updater.exe
- Product Name: Firefox
- Company Name: Mozilla Foundation
- File Version: 94.0.1
- Product Version: 94.0.1
- Language: Language Neutral
- Legal Copyright: License: MPL 2
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/43ce5237022ecf582cf259d0b6c9c84b54c90111195c9eb4fa4d24b2d257c410/detection
File Similarity (ssdeep match)
Possible Misuse
The following table contains possible examples of updater.exe
being misused. While updater.exe
is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_powersploit_empire_schtasks.yml | - 'Updater' |
DRL 1.0 |
sigma | proc_creation_win_susp_disable_raccine.yml | - 'Raccine Rules Updater' |
DRL 1.0 |
sigma | proc_creation_win_susp_gup.yml | description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks |
DRL 1.0 |
sigma | proc_creation_win_susp_gup.yml | - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_gup.yml | - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_gup.yml | - '\Program Files\Notepad++\updater\GUP.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_gup.yml | - '\Program Files (x86)\Notepad++\updater\GUP.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_gup.yml | - Execution of tools named GUP.exe and located in folders different than Notepad++\updater |
DRL 1.0 |
LOLBAS | Gpup.yml | - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe ' |
|
LOLBAS | OneDriveStandaloneUpdater.yml | Description: OneDrive Standalone Updater |
|
LOLBAS | Update.yml | - Link: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/ |
|
malware-ioc | misp-kryptocibule.json | "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Updater.exe", |
© ESET 2014-2018 |
malware-ioc | kryptocibule | .Updater ( Updater.exe) |
© ESET 2014-2018 |
malware-ioc | kryptocibule | %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Updater.exe |
© ESET 2014-2018 |
atomic-red-team | T1574.001.md | Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path. | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.001.md | copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.001.md | %APPDATA%\updater.exe -Command exit | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.001.md | del %APPDATA%\updater.exe >nul 2>&1 | MIT License. © 2018 Red Canary |
signature-base | apt_wildneutron.yar | $s12 = “Intel Integrated Graphics Updater” fullword wide /* PEStudio Blacklist: strings / / score: ‘12.00’ */ | CC BY-NC 4.0 |
signature-base | apt_wildneutron.yar | $s5 = “Adobe Flash Plugin Updater” fullword wide /* PEStudio Blacklist: strings / / score: ‘11.00’ */ | CC BY-NC 4.0 |
signature-base | crime_nkminer.yar | $f = “C:\Windows\Sys64\updater.exe” wide ascii | CC BY-NC 4.0 |
signature-base | gen_rats_malwareconfig.yar | $string10 = “DynDNS\Updater\config.dyndns” wide | CC BY-NC 4.0 |
stockpile | 1258b063-27d6-489b-a677-4807faacf868.yml | "microsoft.tri.sensor.updater", |
Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.