updater.exe

  • File Path: C:\program files\Mozilla Firefox\updater.exe
  • Description: Firefox Software Updater

Hashes

Type Hash
MD5 904B85E7D09E0CEE3294D10F947E3183
SHA1 B08D178DE2B45BA4998A56D8E4EFC38513CB62B9
SHA256 E87D2764193E4F38EF1EFF94F4569883A9DD729BE388BB032DEAAC51A2B86E82
SHA384 F4BA245C254866E290121652D68779034AFB0B13BB3C84DB9E9993C2DEF5DA1EC22C4D58313E0ABC22548971D220861C
SHA512 E3E50CE24B5F35C9654811C96EAFB070724445D0BFD7F998688D4BD3C8967E103A206E08268EE8C2C6D5B5BB1C6ABA1517B7BF2F44B8EDDEC39EDD3C8CAF25AD
SSDEEP 6144:/RCFf5sEF8oapmLi9ZWVFNOeoz01vk0J+aGBNf3VsFJJg3PfcKrKyw4:pCFf5YoaUiXiOv0BtHSqJAdGy5

Runtime Data

Usage (stderr):

Usage: updater patch-dir install-dir apply-to-dir [wait-pid [callback-working-dir callback-path args...]]

Loaded Modules:

Path
C:\program files\Mozilla Firefox\updater.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 0DDEB53F957337FBEAF98C4A615B149D
  • Thumbprint: 91CABEA509662626E34326687348CAF2DD3B4BBA
  • Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: E="release+certificates@mozilla.com", CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US

File Metadata

  • Original Filename: updater.exe
  • Product Name: Firefox
  • Company Name: Mozilla Foundation
  • File Version: 80.0
  • Product Version: 80.0
  • Language: Language Neutral
  • Legal Copyright: License: MPL 2

File Similarity (ssdeep match)

File Score
C:\Program Files\Mozilla Firefox\updater.exe 35
C:\Program Files\Mozilla Firefox\updater.exe 33
C:\Program Files\Mozilla Firefox\updater.exe 40
C:\Program Files\Mozilla Thunderbird\updater.exe 38
C:\Program Files\Mozilla Thunderbird\updater.exe 36
C:\Program Files\Mozilla Thunderbird\updater.exe 36
C:\program files\Mozilla Thunderbird\updater.exe 38

Possible Misuse

The following table contains possible examples of updater.exe being misused. While updater.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_powersploit_empire_schtasks.yml - 'Updater' DRL 1.0
sigma proc_creation_win_susp_disable_raccine.yml - 'Raccine Rules Updater' DRL 1.0
sigma proc_creation_win_susp_gup.yml description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks DRL 1.0
sigma proc_creation_win_susp_gup.yml - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' DRL 1.0
sigma proc_creation_win_susp_gup.yml - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' DRL 1.0
sigma proc_creation_win_susp_gup.yml - '\Program Files\Notepad++\updater\GUP.exe' DRL 1.0
sigma proc_creation_win_susp_gup.yml - '\Program Files (x86)\Notepad++\updater\GUP.exe' DRL 1.0
sigma proc_creation_win_susp_gup.yml - Execution of tools named GUP.exe and located in folders different than Notepad++\updater DRL 1.0
LOLBAS Gpup.yml - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe '  
LOLBAS OneDriveStandaloneUpdater.yml Description: OneDrive Standalone Updater  
LOLBAS Update.yml - Link: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/  
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Updater.exe", © ESET 2014-2018
malware-ioc kryptocibule .Updater (Updater.exe) © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Updater.exe © ESET 2014-2018
atomic-red-team T1574.001.md Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path. MIT License. © 2018 Red Canary
atomic-red-team T1574.001.md copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe MIT License. © 2018 Red Canary
atomic-red-team T1574.001.md %APPDATA%\updater.exe -Command exit MIT License. © 2018 Red Canary
atomic-red-team T1574.001.md del %APPDATA%\updater.exe >nul 2>&1 MIT License. © 2018 Red Canary
signature-base apt_wildneutron.yar $s12 = "Intel Integrated Graphics Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '12.00' */ CC BY-NC 4.0
signature-base apt_wildneutron.yar $s5 = "Adobe Flash Plugin Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.00' */ CC BY-NC 4.0
signature-base crime_nkminer.yar $f = "C:\Windows\Sys64\updater.exe" wide ascii CC BY-NC 4.0
signature-base gen_rats_malwareconfig.yar $string10 = "DynDNS\Updater\config.dyndns" wide CC BY-NC 4.0
stockpile 1258b063-27d6-489b-a677-4807faacf868.yml "microsoft.tri.sensor.updater", Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.