Mouse Clicker EXE undetected


Nightowl

  • Most Valued Members

This software is considered a CoinMiner by different AVs and also Kaspersky. I have sent the sample 2 times but I never got any reply about it.

HitmanPro also picks it up because it uses the Kaspersky database.

https://www.virustotal.com/gui/file/6b2510078aa894478e1b8ea051c452a865eec6990fed114cfbab6507f7b2424d/detection

Could that be a false positive by other AVs?

  • Administrators

I would say that it's detected because the installer runs '"C:\Windows\system32\taskkill.exe" /f /im TheFastestMouseClicker.exe' in case the app was already running.

  • Most Valued Members
38 minutes ago, Marcos said:

I would say that it's detected because the installer runs '"C:\Windows\system32\taskkill.exe" /f /im TheFastestMouseClicker.exe' in case the app was already running.

I've scanned the installer multiple times. No, I didn't try to install the software itself, but I still have the installer.

HitmanPro picks it up as a trojan (the installer). ESET is not picking it up, but I tried to send the sample 2 times, once from the product GUI and the second time by email.

But argh, I get it now: it's running a TASKKILL on itself, because in case this was an update it would terminate the application in order to be able to install the update. What does this have to do with the naming of COIN MINER?

Edited by Rami

@Rami, did you read the comments for this installer on VT? Most consider the detections as a FP.

Submit the .exe to Hybrid-Analysis for a scan. Suspect it already has been scanned. Post back what the verdict is from Hybrid-Analysis.

  • Most Valued Members
54 minutes ago, itman said:

@Rami, did you read the comments for this installer on VT? Most consider the detections as a FP.

Submit the .exe to Hybrid-Analysis for a scan. Suspect it already has been scanned. Post back what the verdict is from Hybrid-Analysis.

Yes, I did read the comments; this is why I said it might be a FP. Never heard about HA, I will try them.

Result is here: https://www.hybrid-analysis.com/sample/6b2510078aa894478e1b8ea051c452a865eec6990fed114cfbab6507f7b2424d

Edited by Rami

  • Most Valued Members
4 hours ago, itman said:

Here's an analysis of what appears to be a later version: https://any.run/report/c77cf8ebd52d044362c7f5d1a8e3fc444488371985a8c0f2902420b93bc44001/2bdc9ed2-5ebe-42a9-beb4-f35fa778bd37#registry

In this case, the determination was suspicious.

Thank you for both sites, both are useful. I didn't know about them.

  • ESET Insiders
3 hours ago, itman said:

BTW - the clean version of this software is here: https://sourceforge.net/projects/fast-mouse-clicker-pro/

Here's the VT report for Setup_TheFastestMouseClicker_2_1_5_1.exe from sourceforge: https://www.virustotal.com/gui/file/cbfdd4037e9f01eb0219c52e36a1e1f4c5988a91ee32df9b7951da25e7aa9218/detection

Sourceforge download from https://sourceforge.net/projects/fast-mouse-clicker-pro/files/

Seems like a false positive to me.

Edited by stackz

12 hours ago, stackz said:

Here's the VT report for Setup_TheFastestMouseClicker_2_1_5_1.exe from sourceforge: https://www.virustotal.com/gui/file/cbfdd4037e9f01eb0219c52e36a1e1f4c5988a91ee32df9b7951da25e7aa9218/detection

The subject of this thread was not this latest version, it was for an earlier version.

  • ESET Insiders
25 minutes ago, itman said:

The subject of this thread was not this latest version, it was for an earlier version.

I was just pointing out that a later version from your clean link has a similar number of coin miner detections including Kaspersky.

49 minutes ago, stackz said:

I was just pointing out that a later version from your clean link has a similar number of coin miner detections including Kaspersky.

Something is not right here.

I scanned at VT using the download file hash, d34c38f366acfbaa245985edec785e0b42a08fafcd60841071165276684a1ac0, provided on the SourceForge web site link I posted. That shows only one detection by some obscure AV solution.

Note that the VT scan link you posted is for this file hash, cbfdd4037e9f01eb0219c52e36a1e1f4c5988a91ee32df9b7951da25e7aa9218.

Note that your download location is different from the one directed to from the SourceForge link I posted. Further, I see different URLs being displayed each time I click on the download tab. Appears to me the SourceForge site might be hacked again for the umpteenth time.
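
The hash comparison described in the post above can be done locally on the downloaded file before relying on any scan report. The following Python code is an added example, not part of the thread or of any poster's tooling: it hashes a file and reports which of the two SHA-256 values quoted in the thread it matches, if either. The function names, the dictionary labels and the constructed sample file are assumptions of this example.

```python
import hashlib
import hmac
import os
import tempfile

# SHA-256 values quoted in the thread; the labels are this example's own wording.
THREAD_HASHES = {
    "hash listed on the SourceForge page": "d34c38f366acfbaa245985edec785e0b42a08fafcd60841071165276684a1ac0",
    "file behind the posted VT report": "cbfdd4037e9f01eb0219c52e36a1e1f4c5988a91ee32df9b7951da25e7aa9218",
}

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large installer is never loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def normalize(text):
    """Accept a pasted hash in upper case or followed by a file name."""
    parts = text.split()
    token = parts[0].lower() if parts else ""
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("not a SHA-256 hex digest: %r" % text)
    return token

def identify(path, known=THREAD_HASHES):
    """Return (actual_hash, label); label is None if no known hash matches."""
    actual = sha256_file(path)
    for label, expected in known.items():
        if hmac.compare_digest(actual, normalize(expected)):
            return actual, label
    return actual, None

if __name__ == "__main__":
    # Constructed stand-in for a downloaded installer, not the real file.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(b"constructed sample bytes")
    try:
        actual, label = identify(tmp.name)
        print(actual, "->", label or "matches neither hash from the thread")
    finally:
        os.unlink(tmp.name)
```

A file that matches neither value is a third binary, so a VT report looked up by either of the thread's hashes says nothing about it.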

This topic is now closed to further replies.