Rami

Mouse Clicker EXE undetected

Recommended Posts

This software is considered a CoinMiner by different AVs and also Kaspersky. I have sent the sample 2 times, but I never got any reply about it.

HitmanPro also picks it up because it uses Kaspersky database

https://www.virustotal.com/gui/file/6b2510078aa894478e1b8ea051c452a865eec6990fed114cfbab6507f7b2424d/detection

Could that be a false positive by other AVs?


I would say that it's detected because the installer runs '"C:\Windows\system32\taskkill.exe" /f /im TheFastestMouseClicker.exe' in case the app was already running.

38 minutes ago, Marcos said:

I would say that it's detected because the installer runs '"C:\Windows\system32\taskkill.exe" /f /im TheFastestMouseClicker.exe' in case the app was already running.

I've scanned the installer multiple times. No, I didn't try to install the software itself, but I still have the installer.

HitmanPro picks it up as a trojan (the installer), ESET is not picking it up, but I tried to send the sample 2 times, once from the product GUI and the second time by email.

But argh, I get it now: it's running a TASKKILL on itself, because in case this was an update it would terminate the application in order to be able to install the update. What does this have to do with the naming of COIN MINER?


@Rami, did you read the comments for this installer on VT? Most consider the detections as a FP.

Submit the .exe to Hybrid-Analysis for a scan. Suspect it already has been scanned. Post back what the verdict is from Hybrid-Analysis.

54 minutes ago, itman said:

@Rami, did you read the comments for this installer on VT? Most consider the detections as a FP.

Submit the .exe to Hybrid-Analysis for a scan. Suspect it already has been scanned. Post back what the verdict is from Hybrid-Analysis.

Yes, I did read the comments; this is why I said it might be a FP. Never heard about HA, I will try them.

Result is here: https://www.hybrid-analysis.com/sample/6b2510078aa894478e1b8ea051c452a865eec6990fed114cfbab6507f7b2424d


I would go with the Hybrid-Analysis verdict of malicious. Note that the confidence level is 100%.

4 hours ago, itman said:

Here's an analysis of what appears to be a later version: https://any.run/report/c77cf8ebd52d044362c7f5d1a8e3fc444488371985a8c0f2902420b93bc44001/2bdc9ed2-5ebe-42a9-beb4-f35fa778bd37#registry

In this case, the determination was suspicious.

Thank you for both sites, both are useful; I didn't know about them.


Of note is that Kaspersky on VT also detects this as a coin miner. That's good enough for me. Don't know what ESET's excuse for not detecting it is.

3 hours ago, itman said:

BTW - the clean version of this software is here: https://sourceforge.net/projects/fast-mouse-clicker-pro/

Here's the VT report for Setup_TheFastestMouseClicker_2_1_5_1.exe from sourceforge: https://www.virustotal.com/gui/file/cbfdd4037e9f01eb0219c52e36a1e1f4c5988a91ee32df9b7951da25e7aa9218/detection

SourceForge download from https://sourceforge.net/projects/fast-mouse-clicker-pro/files/

Seems like a false positive to me.

12 hours ago, stackz said:

Here's the VT report for Setup_TheFastestMouseClicker_2_1_5_1.exe from sourceforge: https://www.virustotal.com/gui/file/cbfdd4037e9f01eb0219c52e36a1e1f4c5988a91ee32df9b7951da25e7aa9218/detection

The subject of this thread was not this latest version, it was for an earlier version.

25 minutes ago, itman said:

The subject of this thread was not this latest version, it was for an earlier version.

I was just pointing out that a later version from your clean link has a similar number of coin miner detections including Kaspersky.

49 minutes ago, stackz said:

I was just pointing out that a later version from your clean link has a similar number of coin miner detections including Kaspersky.

Something is not right here.

I scanned at VT using the download file hash, d34c38f366acfbaa245985edec785e0b42a08fafcd60841071165276684a1ac0, provided on the SourceForge web site link I posted. That shows only one detection by some obscure AV solution.

Note that the VT scan link you posted is for this file hash, cbfdd4037e9f01eb0219c52e36a1e1f4c5988a91ee32df9b7951da25e7aa9218.

Note that your download location is different from the one directed to from the SourceForge link I posted. Further, I see different URLs being displayed each time I click on the download tab. Appears to me the SourceForge site might be hacked again for the umpteenth time.
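The check itman describes above, hashing the downloaded installer and comparing it with the SHA-256 the project page publishes, as an added example that is not part of the thread or of the software discussed. The two hashes are the ones quoted in this thread; the installer bytes are a constructed stand-in written to a temp file, not the real download.

```python
import hashlib
import hmac
import os
import tempfile

# SHA-256 published on the project's SourceForge page, as quoted in the thread.
PUBLISHED_SHA256 = "d34c38f366acfbaa245985edec785e0b42a08fafcd60841071165276684a1ac0"
# SHA-256 of the installer behind the other VT report linked in the thread.
OTHER_SHA256 = "cbfdd4037e9f01eb0219c52e36a1e1f4c5988a91ee32df9b7951da25e7aa9218"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so a large installer does not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex):
    """Return True only if the file's SHA-256 equals the published hash.

    A malformed published hash raises ValueError instead of being reported
    as a plain mismatch, so a typo in the reference value is not hidden.
    """
    published = published_hex.strip().lower()
    if len(published) != 64 or any(c not in "0123456789abcdef" for c in published):
        raise ValueError("published hash is not a 64-character hex SHA-256")
    actual = sha256_of_file(path)
    # Constant-time comparison; a good habit for any digest check.
    return hmac.compare_digest(actual, published)


def write_constructed_sample():
    """Write a small constructed stand-in for a downloaded installer (not the real file)."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as f:
        f.write(b"MZ" + b"constructed installer stand-in" * 64)
    return path


if __name__ == "__main__":
    sample = write_constructed_sample()
    print("matches published hash:", verify_download(sample, PUBLISHED_SHA256))
    print("matches other VT hash:", verify_download(sample, OTHER_SHA256))
    os.remove(sample)
```

Run it against the real file instead of the stand-in and a False result means the bytes you fetched are not the bytes the project page vouches for, whatever any scanner says about them.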
