updater.exe

  • File Path: C:\Program Files\Mozilla Thunderbird\updater.exe
  • Description: Thunderbird Software Updater

Hashes

| Type | Hash |
| --- | --- |
| MD5 | 96AB620199C81ED865C0A07581ADE706 |
| SHA1 | 4EEDC001606291A6569E5FAC4471F78DC8249FF6 |
| SHA256 | 5338EC0FB975F7344CEE719FDCB8BD08B4D04F259D5EF3BBEB2715F74B5AD2EE |
| SHA384 | 0DC299B93A733C032E560DAEBB1EE61F989D826021F7206D2CCA4EE5AFD94E2469D0389AF6B0B8FEAB3F97367A3287A8 |
| SHA512 | 25AD4D7F4A7F833AD49891A6C55C08EF92EAD3A333E760B258228D2746358535007A05EE47DA6F49C1F107F76D720AF91740C990C93E7A001E82DBE750A70352 |
| SSDEEP | 6144:H8vZA4Jr69GTow/06eO1BUQDIid8ztw921kxwqBNJHtt4oJg3PfcKrKywj:H8vy4RqG8ZOXsa4oJAdGy+ |
| IMP | DFF05724D2A6B7F0029D1EB5D51E36A1 |
| PESHA1 | 106CE85FCCBDC5C486900E051B9C525FCA9E8C21 |
| PE256 | C4A88A17B3EA72793B8251CE6129CFCA04377CBE8BA91214F270EE2192402E6F |

Runtime Data

Usage (stderr):

Usage: updater patch-dir install-dir apply-to-dir [wait-pid [callback-working-dir callback-path args...]]

Child Processes:

mmc.exe

Loaded Modules:

Path
C:\Program Files\Mozilla Thunderbird\updater.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ole32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\SHLWAPI.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 0C1CD3EEA47EDDA7A032573B014D0AFD
  • Thumbprint: 1326B39C3D5D2CA012F66FB439026F7B59CB1974
  • Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US

File Metadata

  • Original Filename: updater.exe
  • Product Name: Thunderbird
  • Company Name: Mozilla Foundation
  • File Version: 91.3.0
  • Product Version: 91.3.0
  • Language: Language Neutral
  • Legal Copyright: License: MPL 2
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/5338ec0fb975f7344cee719fdcb8bd08b4d04f259d5ef3bbeb2715f74b5ad2ee/detection

File Similarity (ssdeep match)

| File | Score |
| --- | --- |
| C:\Program Files\Mozilla Firefox\updater.exe | 33 |
| C:\Program Files\Mozilla Firefox\updater.exe | 36 |
| C:\program files\Mozilla Firefox\updater.exe | 36 |
| C:\Program Files\Mozilla Firefox\updater.exe | 35 |
| C:\Program Files\Mozilla Thunderbird\updater.exe | 35 |
| C:\Program Files\Mozilla Thunderbird\updater.exe | 41 |
| C:\program files\Mozilla Thunderbird\updater.exe | 35 |

Possible Misuse

The following table contains possible examples of updater.exe being misused. While updater.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_creation_win_powersploit_empire_schtasks.yml | - 'Updater' | DRL 1.0 |
| sigma | proc_creation_win_susp_disable_raccine.yml | - 'Raccine Rules Updater' | DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks | DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | - '\Program Files\Notepad++\updater\GUP.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | - '\Program Files (x86)\Notepad++\updater\GUP.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | - Execution of tools named GUP.exe and located in folders different than Notepad++\updater | DRL 1.0 |
| LOLBAS | Gpup.yml | - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe ' | |
| LOLBAS | OneDriveStandaloneUpdater.yml | Description: OneDrive Standalone Updater | |
| LOLBAS | Update.yml | - Link: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/ | |
| malware-ioc | misp-kryptocibule.json | "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Updater.exe", | © ESET 2014-2018 |
| malware-ioc | kryptocibule | .Updater (Updater.exe) | © ESET 2014-2018 |
| malware-ioc | kryptocibule | %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Updater.exe | © ESET 2014-2018 |
| atomic-red-team | T1574.001.md | Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.001.md | copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.001.md | %APPDATA%\updater.exe -Command exit | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.001.md | del %APPDATA%\updater.exe >nul 2>&1 | MIT License. © 2018 Red Canary |
| signature-base | apt_wildneutron.yar | $s12 = "Intel Integrated Graphics Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '12.00' */ | CC BY-NC 4.0 |
| signature-base | apt_wildneutron.yar | $s5 = "Adobe Flash Plugin Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.00' */ | CC BY-NC 4.0 |
| signature-base | crime_nkminer.yar | $f = "C:\Windows\Sys64\updater.exe" wide ascii | CC BY-NC 4.0 |
| signature-base | gen_rats_malwareconfig.yar | $string10 = "DynDNS\Updater\config.dyndns" wide | CC BY-NC 4.0 |
| stockpile | 1258b063-27d6-489b-a677-4807faacf868.yml | "microsoft.tri.sensor.updater", | Apache-2.0 |

MIT License. Copyright (c) 2020-2021 Strontic.