I've been having an issue with a .EXE file that is bypassing the Application Access tab and creating new Rules that allow it access to the internet. It initially seems legit as it is located in a Dropbox-named folder. These are the details:
I have Dropbox installed at
"C:\Program Files (x86)\Dropbox"
and within the
"C:\Program Files (x86)\Dropbox\Update"
folder, the executable is named
"DropboxUpdate.exe"
Above details the legitimate Dropbox install. However, there has recently been a second Dropbox presence on my PC, presumably using Dropbox credentials to walk through my firewall. I use BitDefender.
The second presence is located at
"C:\Program Files\Dropbox\DropboxUpdater\123.0.6299.61"
and is named
"updater.exe"
I initially didn't see it as suspicious due to the "Dropbox"-named folder in its path. However, whenever it connected to the internet, it downloaded a file, then created a folder named
"C:\Program Files\chrome_unpacker_beginunzipping33496_1121615137\"
The number string was different for each file, but followed the same pattern of 5 and 10 numbers.
This folder contained a file named
"dropboxclientinstaller.exe"
which would then connect to the internet; however, it didn't show up in the "Application Access" tab of the Bitdefender Firewall, but did create a new "Rule" in that tab, with access allowed.
It then downloaded a separate .RAR file to the following folder and deleted itself, leaving the "chrome_unpacker*" folder in place.
"C:\Program Files\Dropbox\DropboxUpdater\123.0.6299.61"
Here, I don't know what the files were called, but there were a lot of them there. As soon as I found them, I deleted the lot, as well as all other related folders and files. I required Admin access to do so, and only after I had deleted everything else could I delete the "updater.exe" file.
Because there was a delay in what I could delete, I had second thoughts and made an archive of the remainder, which is attached.
Please don't open it outside of a sandbox or secure environment. I don't know what it does. I only know enough that I should report it.
This is the filescan.io report, which lists it as Benign, but does flag a bunch of things.
https://www.filescan.io/uploads/67972ede39aa2bdf29b29314/reports/1ee54b45-6aea-42f9-8af4-d4d44bcf0509/overview
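A quick first-pass triage for a case like the one reported above, as an added example that is not part of the original post and not Bitdefender's or Dropbox's tooling: it checks the Authenticode signature, signer and SHA-256 of both executables at the paths quoted in the report, and searches Program Files for leftover folders matching the "chrome_unpacker_beginunzipping" + 5 digits + "_" + 10 digits naming pattern the poster describes. The regular expression is an assumption derived from that description; the script does not query Bitdefender's own rule list, only the files on disk.

```powershell
# Added triage example (not from the original post). Paths are the ones
# quoted in the report; the folder-name regex is an assumption based on the
# "5 and 10 numbers" pattern the poster observed.
$paths = @(
    'C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe',
    'C:\Program Files\Dropbox\DropboxUpdater\123.0.6299.61\updater.exe'
)

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Output "MISSING  $p"
        continue
    }
    # Authenticode status: Valid, NotSigned, HashMismatch, UnknownError, ...
    $sig = Get-AuthenticodeSignature -FilePath $p
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    # SHA-256 lets you compare against the filescan.io / other sandbox report.
    $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path   = $p
        Status = $sig.Status
        Signer = $signer
        SHA256 = $hash
    }
}

# Leftover unpack folders of the form described in the report, e.g.
# C:\Program Files\chrome_unpacker_beginunzipping33496_1121615137
Get-ChildItem -LiteralPath 'C:\Program Files' -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^chrome_unpacker_beginunzipping\d{5}_\d{10}$' } |
    Select-Object FullName, CreationTime, LastWriteTime
```

Run it from an elevated PowerShell prompt before deleting anything, so the hashes and signer details can be kept alongside the archive; a NotSigned or HashMismatch status on a binary that lives in a vendor-named folder is the detail worth reporting, while a Valid signature from the expected vendor still needs to be weighed against what the file actually did on the network.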