
Virus total flags this as a trojan #3

Open
idan-h opened this issue Aug 8, 2024 · 6 comments

Comments

@idan-h

idan-h commented Aug 8, 2024

Hey, I did 2 different checks as my antivirus (Windows) started screaming.

https://www.virustotal.com/gui/file/610ab4b0a7c8529254ffc894256a0f77621c975c6014a5d799d4e8c1e330ea9b
https://www.virustotal.com/gui/file/3ada80cacda5e82adfe3bea72fcabf62e267700d846a7351913b18ac27c527d3

There are some unexplained external IP calls. I have looked at the code and didn't see any. How is that possible? What is going on there?

@mrexodia
Member

mrexodia commented Aug 8, 2024

Most likely your computer is infected with malware?

@idan-h
Author

idan-h commented Aug 8, 2024

> Most likely your computer is infected with malware?

The first check was not compiled by me, so I am not sure why malware would purposefully stick to a random exe on my PC. But maybe you can try as well, so we could see a comparison.

@mrexodia
Member

mrexodia commented Aug 8, 2024

I uploaded the one I compiled in 2020 (and signed today): https://www.virustotal.com/gui/file/b82efad6ad8769cde966b01c4356b29a54651b02f5c8e79e551a32877e964c1e

@idan-h
Author

idan-h commented Aug 9, 2024

> I uploaded the one I compiled in 2020 (and signed today): https://www.virustotal.com/gui/file/b82efad6ad8769cde966b01c4356b29a54651b02f5c8e79e551a32877e964c1e

It still thinks it is infected and still shows calls, but more focused on verifying the certificate.

I think it would be better to check it unsigned to reduce the noise.

They might be calls related to .NET? But for some reason they come from multiple servers with different cloud providers, like Google and some others, which does not make sense, as I would expect only Microsoft.

@mrexodia
Member

mrexodia commented Aug 9, 2024

Here is the unsigned one: https://www.virustotal.com/gui/file-analysis/OTI5Yjk5ODgxMGVlMDBlNmQwODQ2NmE4YzViN2E1Zjk6MTcyMzE5NDQ3MQ==

Unless there has been malware in one of the NuGet packages for 4+ years I think these are just false positives. A quick look in dnSpy also reveals nothing. The executable just exits because no arguments are provided.

I think that these behavioral artifacts are a side effect of the sandbox, because when I add the following filter to Wireshark and run PluginDevBuildTool.exe it doesn't show any connections: `ip.addr == 204.79.197.203 or ip.addr == 172.217.214.94 or ip.addr == 192.168.0.47 or ip.addr == 20.99.133.109 or ip.addr == 23.216.81.152`. Additionally, when using Process Monitor, it shows no network connections at all from PluginDevBuildTool.exe.
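The local reproduction described in the comment above, scripted as an added example (not code from the project or its author): run the binary, record which remote TCP endpoints the process itself opens while it lives, and compare them against the addresses the sandbox reported. It assumes Windows with the NetTCPIP module (for `Get-NetTCPConnection`) and that the exe sits in the current directory; the IP list is the one from the Wireshark filter in the thread.

```powershell
# Added example: observe the process's own outbound TCP connections on the host
# and check them against the sandbox-reported addresses from the thread.
$FlaggedIps = @('204.79.197.203', '172.217.214.94', '192.168.0.47',
                '20.99.133.109', '23.216.81.152')   # from the Wireshark filter above

function Get-ProcessRemoteEndpoints {
    param(
        [Parameter(Mandatory)][string]$Path,   # assumed path to the executable under test
        [string[]]$Arguments = @(),
        [int]$PollMilliseconds = 20
    )
    $startArgs = @{ FilePath = $Path; PassThru = $true; NoNewWindow = $true }
    # -ArgumentList rejects an empty array, so only add it when there are arguments.
    if ($Arguments.Count -gt 0) { $startArgs.ArgumentList = $Arguments }
    $proc = Start-Process @startArgs

    # Poll the TCP table for this PID until the process exits. A binary that exits
    # immediately (as this one does without arguments) leaves a short window, so the
    # interval is small; Process Monitor / Wireshark remain authoritative for very
    # short-lived sockets that a poll can miss.
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    do {
        Get-NetTCPConnection -OwningProcess $proc.Id -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') } |
            ForEach-Object { [void]$seen.Add($_.RemoteAddress) }
        Start-Sleep -Milliseconds $PollMilliseconds
    } while (-not $proc.HasExited)

    return [string[]]$seen
}

$contacted = Get-ProcessRemoteEndpoints -Path '.\PluginDevBuildTool.exe'
$overlap   = $contacted | Where-Object { $_ -in $FlaggedIps }

if ($contacted.Count -eq 0) {
    'No outbound TCP connections observed from the process itself.'
} else {
    "Remote addresses observed: $($contacted -join ', ')"
    if ($overlap) { "Matches sandbox-reported addresses: $($overlap -join ', ')" }
    else          { 'None of the observed addresses match the sandbox report.' }
}
```

Connections made by other processes on behalf of the binary (e.g. certificate revocation checks by the OS) will not appear here, which is exactly the distinction the comment draws between host behaviour and sandbox artifacts.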

@idan-h
Author

idan-h commented Sep 3, 2024

Tbh I didn't have the time to look at it more deeply, but they aren't. My guess is that they are related to the .NET framework, and that the exe triggers them, but they still seem quite weird.

The best check would be to compile without the ILMerge, and see if that's what's causing the positives.
