False positive detection (obfuscated file)

[Joth 0]

 

I have a .exe file (the file is an auto-clicker) that I am 99% sure is safe, however, it is obfuscated and I would like to decompile it for that extra 1% of confidence knowing that it's definitely nothing malicious. The file is an auto clicker and as mentioned is obfuscated to protect its code and prevent others from stealing it & repurposing it for malicious purposes. 

The file also uses a HWID login, so only registered users can use the auto clicker - I paid an access fee to become registered. The virustotal scan doesn't look promising, but again, coming from virustotal alone doesn't mean a whole lot and in addition it's also analysing an obfuscated file which is bound to make false positive detections.

I also want to point out that no other antivirus program detects the file as anything suspicious, not malwarebytes, hitmanpro or kaspersky. In fact, none of my subscription programs detected it as potentially harmful until I ran a scheduled ESET security scan last night which instantly detected the file - also want to mention that I ran daily scheduled scans on ESET, none of which detected it as anything potentially harmful up until the one last night.

Virustotal scan results: https://www.virustotal.com/gui/file/09430fa20aac3815ba456f4644f41b41073d4994e538797c172c10a19f825b35?nocache=1

Thank you very much for your help everyone!

[itman 1,659]

Given that there are 37 vendor detections at VirusTotal, I would say the file is malicious.

If you want a second opinion, submit the file to one of the cloud based public sandboxes; Joes Cloud Sandbox, Hybrid-Analysis, or any.run.com.

[Marcos 5,070]

The detection is correct. We've reclassified the detection to TrojanDownloader.

[Joth 0]

27 minutes ago, Marcos said:

The detection is correct. We've reclassified the detection to TrojanDownloader.

Thank you very much Marcos, 

I have to say, I can't get a straight answer from anyone. Literally 10 minutes before your reply (!!!) another admin on a different forum replied to a post similar to this one about the same file and said that the file was in-fact safe to run and did not contain any malware.

The file is an autoclicker, which makes your mouse click when holding down the button & not having to constantly click it manually.

My knowledge in this field is very limited, can you please provide some additional info to what specific malicious detection was found? Because a trojan could be anything...

[Peter Randziak 1,130]

https://www.virusradar.com/en/glossary/downloader-trojan
Downloader, Trojan-Downloader

These terms usually signify malicious programs, components or functionality whose (usually sole) purpose is to download additional (usually malicious) software onto an infected system and execute it.

See also: Dropper

[Joth 0]

1 hour ago, Peter Randziak said:

https://www.virusradar.com/en/glossary/downloader-trojan
Downloader, Trojan-Downloader

These terms usually signify malicious programs, components or functionality whose (usually sole) purpose is to download additional (usually malicious) software onto an infected system and execute it.

See also: Dropper

I'm very confident that it is not a trojan, additionally, the file has been run for years without any issues occurring, and it is not just a random download from a random website. Having said this, is there anyone who can actually analyse the file? It's obfuscated, and I don't believe whoever commented originally knows what to do with that information, as they simply showed it was a trojan. 

No malicious files were dropped, no processes manipulated and functionality wise it works exactly as expected with no hidden processes running in the background. So again, I highly doubt that this is a trojan and would like the file to be analysed to confirm this because it is very annoying that it is still being detected. Additionally, the file was not detected by your AV program until a week or so ago.

[SeriousHoax 83]

It must be malicious. Kaspersky wasn't detecting it. Then I submitted to them an hour ago and got a reply with 20 minutes stating that it's a malware and detection will be added. 

Hello,


New malicious software was found in the requested file. Its detection with verdict Trojan.Win64.Agentb.ktqd will be included in the next update.
Thank you for your help.

Best regards, Alexander Kryazhev, Malware Analyst

So, if you still want to use this file even after detections from all these top AV vendors, then that's your choice. Use at own risk.

[Nevermind 8]

1 hour ago, Joth said:

I'm very confident that it is not a trojan

If you are confident enough, you can always exclude file from detection (or even the detection name)

Quote

the file was not detected by your AV program until a week or so ago.

How exactly do you think AVs work? That you install it once and all the definitions are there from the beginning? Ever heard of updates?

[notimportant 5]

2 hours ago, Joth said:

No malicious files were dropped, no processes manipulated and functionality wise it works exactly as expected with no hidden processes running in the background. So again, I highly doubt that this is a trojan

That doesn't mean it is not capable of dropping malicious files later.

https://www.hybrid-analysis.com/sample/09430fa20aac3815ba456f4644f41b41073d4994e538797c172c10a19f825b35?environmentId=120

MITRE ATT&CK™ Techniques Detection: This report has 10 indicators that were mapped to 11 attack techniques and 3 tactics

[itman 1,659]

On 7/14/2022 at 6:13 AM, Joth said:

I have a .exe file (the file is an auto-clicker

On 7/14/2022 at 6:13 AM, Joth said:

The file also uses a HWID login, so only registered users can use the auto clicker

After researching this, I have a good idea what this software is.

It is game "cheat" software. This software by its very nature is best described as "borderline malware." It performs actions commonly exhibited by malware. Therefore, don't expect anti-virus software and cloud sandbox analysis not to detect it as malware.

Your only alternative here is to create an Eset detection exclusion for the software. At that point, the risk of this software being used maliciously at some point in the future lies with you.

[AnthonyQ 48]

I also submitted the sample in question to Symantec. And here are their findings:

Upon further analysis and investigation we have determined that the following file(s) meet the necessary criteria to be detected by our products and, as such, the detection(s) cannot be revoked:

   File name: 09430fa20aac3815ba456f4644f41b41073d4994e538797c172c10a19f825b35
   MD5: 7ACB4E45D3278C2E4CA04BF277ED4A74
   SHA256: 09430FA20AAC3815BA456F4644F41B41073D4994E538797C172C10A19F825B35
   Detection: Trojan.Gen.2

Therefore, I think this sample is definitely not a false positive.