updater.exe

File Path: C:\Program Files\Mozilla Thunderbird\updater.exe
Description: Thunderbird Software Updater

Hashes

Type	Hash
MD5	`96AB620199C81ED865C0A07581ADE706`
SHA1	`4EEDC001606291A6569E5FAC4471F78DC8249FF6`
SHA256	`5338EC0FB975F7344CEE719FDCB8BD08B4D04F259D5EF3BBEB2715F74B5AD2EE`
SHA384	`0DC299B93A733C032E560DAEBB1EE61F989D826021F7206D2CCA4EE5AFD94E2469D0389AF6B0B8FEAB3F97367A3287A8`
SHA512	`25AD4D7F4A7F833AD49891A6C55C08EF92EAD3A333E760B258228D2746358535007A05EE47DA6F49C1F107F76D720AF91740C990C93E7A001E82DBE750A70352`
SSDEEP	`6144:H8vZA4Jr69GTow/06eO1BUQDIid8ztw921kxwqBNJHtt4oJg3PfcKrKywj:H8vy4RqG8ZOXsa4oJAdGy+`
IMP	`DFF05724D2A6B7F0029D1EB5D51E36A1`
PESHA1	`106CE85FCCBDC5C486900E051B9C525FCA9E8C21`
PE256	`C4A88A17B3EA72793B8251CE6129CFCA04377CBE8BA91214F270EE2192402E6F`

Runtime Data

Usage (stderr):

Usage: updater patch-dir install-dir apply-to-dir [wait-pid [callback-working-dir callback-path args...]]

Child Processes:

mmc.exe

Loaded Modules:

Path
C:\Program Files\Mozilla Thunderbird\updater.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ole32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\SHLWAPI.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

Status: Signature verified.
Serial: 0C1CD3EEA47EDDA7A032573B014D0AFD
Thumbprint: 1326B39C3D5D2CA012F66FB439026F7B59CB1974
Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject: CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US

File Metadata

Original Filename: updater.exe
Product Name: Thunderbird
Company Name: Mozilla Foundation
File Version: 91.3.0
Product Version: 91.3.0
Language: Language Neutral
Legal Copyright: License: MPL 2
Machine Type: 64-bit

File Scan

VirusTotal Detections: 0/72
VirusTotal Link: https://www.virustotal.com/gui/file/5338ec0fb975f7344cee719fdcb8bd08b4d04f259d5ef3bbeb2715f74b5ad2ee/detection

File Similarity (ssdeep match)

File	Score
C:\Program Files\Mozilla Firefox\updater.exe	33
C:\Program Files\Mozilla Firefox\updater.exe	36
C:\program files\Mozilla Firefox\updater.exe	36
C:\Program Files\Mozilla Firefox\updater.exe	35
C:\Program Files\Mozilla Thunderbird\updater.exe	35
C:\Program Files\Mozilla Thunderbird\updater.exe	41
C:\program files\Mozilla Thunderbird\updater.exe	35

Possible Misuse

The following table contains possible examples of updater.exe being misused. While updater.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_powersploit_empire_schtasks.yml	`- 'Updater'`	DRL 1.0
sigma	proc_creation_win_susp_disable_raccine.yml	`- 'Raccine Rules Updater'`	DRL 1.0
sigma	proc_creation_win_susp_gup.yml	`description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks`	DRL 1.0
sigma	proc_creation_win_susp_gup.yml	`- '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe'`	DRL 1.0
sigma	proc_creation_win_susp_gup.yml	`- '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe'`	DRL 1.0
sigma	proc_creation_win_susp_gup.yml	`- '\Program Files\Notepad++\updater\GUP.exe'`	DRL 1.0
sigma	proc_creation_win_susp_gup.yml	`- '\Program Files (x86)\Notepad++\updater\GUP.exe'`	DRL 1.0
sigma	proc_creation_win_susp_gup.yml	`- Execution of tools named GUP.exe and located in folders different than Notepad++\updater`	DRL 1.0
LOLBAS	Gpup.yml	`- 'C:\Program Files (x86)\Notepad++\updater\gpup.exe '`
LOLBAS	OneDriveStandaloneUpdater.yml	`Description: OneDrive Standalone Updater`
LOLBAS	Update.yml	`- Link: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/`
malware-ioc	misp-kryptocibule.json	`"value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Updater.exe",`	© ESET 2014-2018
malware-ioc	kryptocibule	`.Updater (`Updater.exe`)`	© ESET 2014-2018
malware-ioc	kryptocibule	`%ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Updater.exe`	© ESET 2014-2018
atomic-red-team	T1574.001.md	Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path.	MIT License. © 2018 Red Canary
atomic-red-team	T1574.001.md	copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1574.001.md	%APPDATA%\updater.exe -Command exit	MIT License. © 2018 Red Canary
atomic-red-team	T1574.001.md	del %APPDATA%\updater.exe >nul 2>&1	MIT License. © 2018 Red Canary
signature-base	apt_wildneutron.yar	$s12 = “Intel Integrated Graphics Updater” fullword wide /* PEStudio Blacklist: strings / / score: ‘12.00’ */	CC BY-NC 4.0
signature-base	apt_wildneutron.yar	$s5 = “Adobe Flash Plugin Updater” fullword wide /* PEStudio Blacklist: strings / / score: ‘11.00’ */	CC BY-NC 4.0
signature-base	crime_nkminer.yar	$f = “C:\Windows\Sys64\updater.exe” wide ascii	CC BY-NC 4.0
signature-base	gen_rats_malwareconfig.yar	$string10 = “DynDNS\Updater\config.dyndns” wide	CC BY-NC 4.0
stockpile	1258b063-27d6-489b-a677-4807faacf868.yml	`"microsoft.tri.sensor.updater",`	Apache-2.0