Nightowl (Most Valued Members), posted September 26, 2019:

This software is considered a CoinMiner by different AVs and also by Kaspersky. I have sent the sample 2 times but I never got any reply about it. HitmanPro also picks it up because it uses the Kaspersky database.

https://www.virustotal.com/gui/file/6b2510078aa894478e1b8ea051c452a865eec6990fed114cfbab6507f7b2424d/detection

Could it be a false positive by the other AVs?
Marcos (Administrators), posted September 26, 2019:

I would say that it's detected because the installer runs "C:\Windows\system32\taskkill.exe" /f /im TheFastestMouseClicker.exe in case the app was already running.
Nightowl (Most Valued Members, thread author), posted September 26, 2019 (edited):

38 minutes ago, Marcos said: I would say that it's detected because the installer runs "C:\Windows\system32\taskkill.exe" /f /im TheFastestMouseClicker.exe in case the app was already running.

I've scanned the installer multiple times. No, I didn't try to install the software itself, but I still have the installer. HitmanPro picks it up as a trojan (the installer); ESET is not picking it up, but I tried to send the sample 2 times, once from the product GUI and the second time by email. But argh, I get it now: it's running a TASKKILL on itself, because in case this was an update it would terminate the application in order to be able to install the update. What does this have to do with the naming of COIN MINER?

Edited September 26, 2019 by Rami
itman, posted September 26, 2019:

@Rami, did you read the comments for this installer on VT? Most consider the detections as a FP. Submit the .exe to Hybrid-Analysis for a scan. Suspect it already has been scanned. Post back what the verdict is from Hybrid-Analysis.
Nightowl (Most Valued Members, thread author), posted September 26, 2019 (edited):

54 minutes ago, itman said: @Rami, did you read the comments for this installer on VT? Most consider the detections as a FP. Submit the .exe to Hybrid-Analysis for a scan. Suspect it already has been scanned. Post back what the verdict is from Hybrid-Analysis.

Yes, I did read the comments; this is why I said it might be a FP. Never heard about HA, I will try them. The result is here: https://www.hybrid-analysis.com/sample/6b2510078aa894478e1b8ea051c452a865eec6990fed114cfbab6507f7b2424d

Edited September 26, 2019 by Rami
itman, posted September 26, 2019:

I would go with the Hybrid-Analysis verdict of malicious. Note that the confidence level is 100%.
itman, posted September 26, 2019:

Here's an analysis of what appears to be a later version: https://any.run/report/c77cf8ebd52d044362c7f5d1a8e3fc444488371985a8c0f2902420b93bc44001/2bdc9ed2-5ebe-42a9-beb4-f35fa778bd37#registry

In this case, the determination was suspicious.
Nightowl (Most Valued Members, thread author), posted September 26, 2019:

4 hours ago, itman said: Here's an analysis of what appears to be a later version: https://any.run/report/c77cf8ebd52d044362c7f5d1a8e3fc444488371985a8c0f2902420b93bc44001/2bdc9ed2-5ebe-42a9-beb4-f35fa778bd37#registry In this case, the determination was suspicious.

Thank you for both sites, both are useful. I didn't know about them.
itman, posted September 26, 2019:

Of note is that Kaspersky on VT also detects this as a coin miner. That's good enough for me. Don't know what Eset's excuse for not detecting it is.
itman, posted September 26, 2019:

BTW - the clean version of this software is here: https://sourceforge.net/projects/fast-mouse-clicker-pro/
stackz (ESET Insiders), posted September 26, 2019 (edited):

3 hours ago, itman said: BTW - the clean version of this software is here: https://sourceforge.net/projects/fast-mouse-clicker-pro/

Here's the VT report for Setup_TheFastestMouseClicker_2_1_5_1.exe from sourceforge: https://www.virustotal.com/gui/file/cbfdd4037e9f01eb0219c52e36a1e1f4c5988a91ee32df9b7951da25e7aa9218/detection

Sourceforge download from https://sourceforge.net/projects/fast-mouse-clicker-pro/files/

Seems like a false positive to me.

Edited September 27, 2019 by stackz
itman, posted September 27, 2019:

12 hours ago, stackz said: Here's the VT report for Setup_TheFastestMouseClicker_2_1_5_1.exe from sourceforge: https://www.virustotal.com/gui/file/cbfdd4037e9f01eb0219c52e36a1e1f4c5988a91ee32df9b7951da25e7aa9218/detection

The subject of this thread was not this latest version, it was for an earlier version.
stackz (ESET Insiders), posted September 27, 2019:

25 minutes ago, itman said: The subject of this thread was not this latest version, it was for an earlier version.

I was just pointing out that a later version from your clean link has a similar number of coin miner detections, including Kaspersky.
itman, posted September 27, 2019:

49 minutes ago, stackz said: I was just pointing out that a later version from your clean link has a similar number of coin miner detections, including Kaspersky.

Something is not right here. I scanned at VT using the download file hash, d34c38f366acfbaa245985edec785e0b42a08fafcd60841071165276684a1ac0, provided on the SourceForge web site link I posted. That shows only one detection by some obscure AV solution.

Note that the VT scan link you posted is for this file hash, cbfdd4037e9f01eb0219c52e36a1e1f4c5988a91ee32df9b7951da25e7aa9218. Note that your download location is different from the one directed to from the SourceForge link I posted. Further, I see different URLs being displayed each time I click on the download tab. Appears to me the SourceForge site might be hacked again for the umpteenth time.
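The check itman describes in the post above, comparing the SHA-256 of the file you actually downloaded against the digest the publisher lists and only then looking the file up on VirusTotal, is worth automating so the two hashes are never confused. The following is an added example written for this thread, not code from any of the posters or from the SourceForge project: it hashes a file in chunks, compares the digest in constant time against the expected value, and builds the VirusTotal lookup URL from the digest of the file in hand rather than from the published one. The two digests in the constants are the ones quoted in the thread; the sample file written by `demo()` is a constructed stand-in, not a real installer.

```python
import hashlib
import hmac
import os
import tempfile

# Digests quoted in the thread above: the SHA-256 SourceForge listed for the
# installer, and the SHA-256 of the copy stackz actually downloaded.
SOURCEFORGE_LISTED_SHA256 = "d34c38f366acfbaa245985edec785e0b42a08fafcd60841071165276684a1ac0"
DOWNLOADED_COPY_SHA256 = "cbfdd4037e9f01eb0219c52e36a1e1f4c5988a91ee32df9b7951da25e7aa9218"


def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 hex digest of a file, read in 1 MiB chunks so a large installer
    never has to fit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_download(actual_hex: str, expected_hex: str) -> dict:
    """Compare the digest of what was downloaded with the digest the publisher
    lists and return a small report for the analyst."""
    actual = actual_hex.strip().lower()
    expected = expected_hex.strip().lower()
    match = hmac.compare_digest(actual, expected)
    return {
        "actual_sha256": actual,
        "expected_sha256": expected,
        "match": match,
        # VirusTotal is keyed by SHA-256, so the lookup for the file you hold
        # must use its real digest, not the digest the download page advertises.
        "virustotal_url": f"https://www.virustotal.com/gui/file/{actual}/detection",
        "verdict": (
            "digest matches the publisher's listing"
            if match
            else "digest differs from the publisher's listing: treat the file as unverified"
        ),
    }


def check_file(path: str, expected_hex: str) -> dict:
    """Hash a file on disk and check it against the published digest."""
    return check_download(sha256_file(path), expected_hex)


def demo() -> dict:
    """Write a constructed stand-in (not a real binary) to a temp file and run
    the check twice: once against its own digest, once against the SourceForge
    digest from the thread, which cannot match."""
    sample = b"constructed stand-in for an installer; not a real binary\n"
    fd, path = tempfile.mkstemp(suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(sample)
        good = check_file(path, sha256_hex(sample))
        bad = check_file(path, SOURCEFORGE_LISTED_SHA256)
    finally:
        os.remove(path)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    # The two digests from the thread differ, which is the mismatch itman describes.
    print(check_download(DOWNLOADED_COPY_SHA256, SOURCEFORGE_LISTED_SHA256)["verdict"])
    for name, report in demo().items():
        print(name, report["match"], report["virustotal_url"])
```

The same digest can be produced on Windows with `Get-FileHash -Algorithm SHA256 <file>`; the point of the script is that the verdict and the VirusTotal URL are both derived from the file actually on disk, so a swapped download (the situation described in the post) shows up as a digest mismatch before anyone reads a scan result for the wrong file.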