Weird Results for this File

Sandbox Breaker

Level 9
Thread author
Verified
Well-known
Jan 6, 2022
443
1691693869891.png

Not Signed


1691694045165.png

Signed and Trusted?

GPT Says its Emotet.
1691694105519.png


Just wanted to post this...

File can be downloaded on triage.
 
Last edited:

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,159
Just a thought- the dropboxupdate.exe connections out to their server (162.125.8.20 and 162.125.3.13) has been classed as suspicious by some for a couple of years, probably (but not certainly) due to Emotet at one time hijacking DropBox to spread.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458
Where exact does this specific file come from/found = source?
DropboxUpdateSetup.exe 1.3.761.1

Some of the data is a bit weird. The certificate looks manipulated:

2023-08-12_10-49-56.png


but that does not automatic means, malicious. One have to compare it with a original " update " file from Dropbox main site. I was actually able to find the exact same version number that also have zero flags on VT, and where VT shows the signature correct/valid:


2023-08-12_11-03-32.png


Same version number, but different Hash values. Even the compile date on these 2 files is exact the same, so that's weird. But the first submissions dates are different. Lets see what the original file from Dropbox url shows with the signature:

2023-08-12_11-13-45.png



2023-08-12_11-32-01.png


2023-08-12_11-32-25.png


PE Header and the Overlay Hash is different. Also got some " appended " data.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
This is exactly the same issue as with the Glasswire download we also analysed. Dropbox is also one of those vendors who save data in the certificate, so that the certificate is not broken.

It is not VirusTotal that is weird but Microsoft Windows being weird in allowing manipulated certificates as valid unless you opt-out.

And the reason for allowing it is, well, companies like Dropbox abusing this vulnerability in legit installers. Why? Imagine you download something from a dropbox link but have no dropbox installed. How will it know what you wanted to download without putting this information into the installer somehow? That is why. They cannot sign the installer for each and every download and they do not want to use non-signed ones. So they inject the data into the certificate instead.

@upnorth was completely correct here in his assessment and despite the manipulation the file is clean. VT is also correct.
 
Last edited:

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top