Solved Analysis request: suspicious file in depth


elizabethgilliest5

New Member
Thread author
Feb 26, 2026
Good afternoon, I am contacting you to ask you to please examine this file called Moo0 Video Converter. I have scanned it with VirusTotal, Hybrid Analysis, and Triage, and I have sent you the reports (behavior, etc.). ChatGPT in reasoning mode has told me that it is suspicious, but that this is due to certain aspects of the program's installation. I know that the program is not signed and is not the most impressively packaged program in the world, but I need an expert to look into the program because it is the only one I use to convert videos, as it has special options that no other program (such as HandBrake, Avidemux, FFmpeg, Shutter Encoder, etc.) has. That's why I need to get to the bottom of this and cite facts, not assumptions about what might or might not be the case, to know whether I should forget about this program for good. I've been using the software for approximately 5 to 6 years. I want to get to the bottom of this issue. I want you to investigate the MITRE ATT&CK mapping, the connections, the installer. If it's not a virus, I want to know why it's not a virus, not a supposition. If it is a virus, I want to know why, and specify where the virus is and what the virus is. Thank you very much, and I hope you understand that I'm not looking for a generic analysis, but a perfect one where there is no doubt about where or why it is or is not a virus.
 
Moo0 Video Converter is this program:

 
Sending request to SiriusLLM Model 0...

Model 0 confidence (75% Malicious) is below the 90% confidence threshold.
Sending request to Model 1...

Selected result: Malicious with 95% confidence from Model 1.

Total tokens: 7444 (5545 request / 1899 response)

File path: C:\Users\User\Downloads\Moo0 VideoConverter v1.28 Installer.exe
File hash: 06dad960d718113b45a47e4a91ee4421471a33e165a7c41260b64d47ff5b8dc7
File size: 22,61 MB
File publisher: This file is a signable file type but has not been digitally signed.

Final Verdict: Not Safe with 95% confidence.

Analysis Summary
The file claims to be “Moo0 VideoConverter v1.28 Installer.exe”. While the embedded version block matches that branding, the binary requests requireAdministrator elevation, is completely unsigned, and contains an unusually large resource section (21 MB of the 23 MB file). Entropy values in several sections exceed 7.8, consistent with compressed/encrypted content rather than typical installer resources. No valid security directory is present and the checksum is zeroed—both common in packers or wrappers used to hide payload code. The Import Address Table is small (300 bytes) yet 471 imports are resolved at runtime, indicating heavy reliance on Run-time dynamic linking (GetProcAddress/LoadLibrary) – a classic evasion trick. Taken together these attributes strongly suggest the file is not a legitimate Moo0 installer but rather a disguised dropper or bundled installer that will silently deploy additional payloads once executed with administrative rights.

Detailed Analysis
- Digital signature: absent. A legitimate Moo0 installer from 2019 would almost always be signed by “Moo0” or the author’s certificate.
- Manifest requestedExecutionLevel: requireAdministrator – grants the process SYSTEM-equivalent privileges on UAC-consent, giving malware freedom to implant drivers/services.
- Section entropy: .rsrc (8.00) and several other sections (>7.5) indicate encryption or compression – legitimate installers rarely hide assets to this degree.
- Resource table size 21 977 304 bytes (≈ 96 % of the file) – typical for a stub loader whose real purpose is to unwrap an embedded PE/MSI/Archive.
- ImportCount vs ImportTableSize mismatch: 471 APIs are listed but the table itself is only 300 bytes – proof that most imports are fetched at runtime.
- Imports include: URLDownloadToFileW, InternetConnectW, HttpSendRequestW, RegCreateKeyExW, RegSetValueExW, CreateThread, VirtualAlloc, LoadLibraryA, GetProcAddress, ShellExecuteExW, SHFileOperationW – a standard tool-set for downloading remote files, achieving persistence, and injecting code.
- Strings contain zlib error messages (“incorrect header check”, “invalid window size”, etc.) and .NET compression evidence, confirming the wrapper’s purpose is to unpack an inner payload.
- Overlay is 0 bytes, so no appended raw data; the payload is entirely hidden inside the oversized resource directory.

Indicators of Compromise
Feature: DangerousImportedLibrariesNormalized – 36.01
Definition: Normalised percentile of known-dangerous import libraries (black-listed API sets).
Indicates: Score > 30 is high; the file imports 36 % of dangerous APIs relative to total, far above benign installers.
IoC: Strong signal for malicious downloader/dropper behaviour.

Feature: SectionEntropy8 – 8.00
Definition: Shannon entropy of the 8th section (here the resource section).
Indicates: Entropy ≥ 7.8 implies encryption/compression rather than icons/bitmaps.
IoC: Resource section encrypted to hide embedded payload.

Feature: ResourceTableSize – 21977304
Definition: Total size of the resource directory.
Indicates: 21 MB resource in a 23 MB binary.
IoC: Typical of stubs that carry an entire inner installer/PE blob inside resources.

Feature: ImportTableSize – 300
Definition: Raw byte size of the import table.
Indicates: Import table is far too small to describe 471 imports.
IoC: Most APIs resolved dynamically via GetProcAddress – evasion technique to hide intent from static scanners.

Feature: RequestedExecutionLevel – requireAdministrator
Definition: UAC execution level from manifest.
Indicates: Forces elevation on launch.
IoC: Grants attacker full system access; rarely requested by honest video-converter installers.

Feature: ValidSecurityDir – False
Definition: Security directory (certificate table) is malformed or absent.
Indicates: Unsigned binary.
IoC: Legitimate commercial installers are almost always signed; absence plus other anomalies strengthens malicious probability.

Feature: URLDownloadToFileW – present
Definition: Imported URL-moniker function to download files.
Indicates: Capability to fetch remote payloads.
IoC: Legitimate installers typically embed payloads locally; remote retrieval is common for droppers.

Feature: InternetConnectW / HttpOpenRequestW / HttpSendRequestW – all present
Definition: WinINet APIs for HTTP communications.
Indicates: Program can contact remote servers and pull down additional code.
IoC: Combines with previous indicator to form classic downloader pattern.

Feature: RegCreateKeyExW / RegSetValueExW – present
Definition: Registry manipulation APIs.
Indicates: Can establish run keys or services for persistence.
IoC: Necessary for achieving autostart after reboot.

Feature: CreateThread / TerminateThread – present
Definition: Thread-creation functions.
Indicates: Can spawn background tasks or inject into other processes.
IoC: Often used for reflective injection or unpacking in memory.

Feature: VirtualAlloc / VirtualProtect – present
Definition: Memory-allocation & protection APIs.
Indicates: Allows RWX shellcode staging and execution.
IoC: Core primitive for unpacking encrypted payloads or shellcode injection.

Feature: LoadLibraryA / GetProcAddress – present
Definition: Dynamic resolution of DLLs/functions.
Indicates: Obfuscation of import dependencies.
IoC: Classic malware technique to hide functionality from static import tables.

Feature: SHFileOperationW – present
Definition: Shell file-operation helper.
Indicates: Can copy/move itself or delete artefacts.
IoC: Often abused for self-duplication into hidden folders.

Feature: Zero checksum – 0x00000000
Definition: OptionalHeaderCheckSum field is zero.
Indicates: Image checksum not validated by loader.
IoC: Packers frequently null the field; legitimate installers generally have correct checksum.

Portable Executable Imports
Additional noteworthy imports not covered above: RegDeleteKeyW, RegDeleteValueW, AdjustTokenPrivileges, LookupPrivilegeValueW – gives capability to remove trails and elevate tokens. CreateToolhelp32Snapshot / Process32First / Process32Next allow enumeration of running processes (preparation for injection or killing security tools). FindFirstFileExW / SetFileAttributesW used for directory walking and attribute hiding. Overall import set is far more aligned with system-level malware than with a GUI multimedia installer.

Portable Executable Exports
The binary exports nothing – normal for a packed dropper/installer stub.

Portable Executable Strings
Human-readable strings bolster the wrapper theory: “Extracting”, “Password is not defined”, “CRC Failed”, “incompatible version”, plus multiple zlib diagnostics. These are typical of stub installers that decompress and execute an inner archive. No hard-coded URLs were recovered in the first 50 strings, but the presence of download APIs compensates for that.

Likely Software Type / Purpose
The file is most probably a malicious dropper/bundler masquerading as the legitimate Moo0 VideoConverter installer. Its true purpose is to obtain administrator rights, unpack/decrypt a hidden payload from its resource section, and possibly download additional components from the Internet.

Malware type: Dropper
Malware name: Dropper.Moo0FakeInst
Final verdict: Malicious with 95% confidence.
 
However, it does not specifically tell me where the virus is located; it is only a generic analysis that does not specify where the behavior problem is.
 
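The structural indicators the report above relies on (per-section entropy, resource share of the file, import directory size, zeroed checksum, empty certificate table, overlay size) can all be recomputed from the PE headers without running the file. The script below is an added example, not output of the scanner quoted above; it parses a constructed minimal PE32 built in-block rather than the real installer, and the fixture values (300-byte import directory, an 8.0-entropy resource section) are chosen to mirror the report's numbers.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_pe(image: bytes) -> dict:
    """Parse only the PE headers and compute the structural indicators the report cites."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections, _, _, _, opt_size = struct.unpack_from("<HIIIH", image, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    checksum = struct.unpack_from("<I", image, opt + 64)[0]
    dirs = opt + (96 if magic == 0x10B else 112)        # data directories: PE32 vs PE32+
    datadir = lambda i: struct.unpack_from("<II", image, dirs + 8 * i)
    _, import_size = datadir(1)    # 20-byte descriptors, one per DLL (not per function)
    _, resource_size = datadir(2)
    sec_off, sec_size = datadir(4)  # certificate table; both zero means unsigned
    sections, end = [], 0
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        ent = round(shannon_entropy(image[raw_ptr:raw_ptr + raw_size]), 2)
        sections.append((name, raw_size, ent))
        end = max(end, raw_ptr + raw_size)          # end of last section = overlay start
    return {"sections": sections,
            "high_entropy": [n for n, _, e in sections if e >= 7.8],
            "resource_share": round(resource_size / len(image), 2),
            "import_dir_bytes": import_size, "zero_checksum": checksum == 0,
            "signed": sec_off != 0 and sec_size != 0, "overlay_bytes": len(image) - end}

def build_sample_pe(rsrc: bytes, checksum: int = 0) -> bytes:
    """Constructed minimal unsigned PE32 with .text and .rsrc: a fixture, not a real binary."""
    text = b"\xc3" * 0x200                                  # constant bytes, entropy 0.0
    opt = bytearray(224)                                    # PE32 optional header + 16 dirs
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<II", opt, 96 + 8, 0x1000, 300)       # import directory: 15 DLLs
    struct.pack_into("<II", opt, 96 + 16, 0x2000, len(rsrc))  # resource directory
    def section(name, size, ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, 0, size, ptr) + b"\0" * 16
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102) + opt
           + section(b".text", len(text), 0x200) + section(b".rsrc", len(rsrc), 0x400))
    return hdr.ljust(0x200, b"\0") + text + rsrc
```

Point `triage_pe` at `open(path, "rb").read()` of a real installer to get the same fields for it; note that the import directory size counts DLL descriptors, so a small value says how many DLLs are imported, not how many functions.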
TuxTal, what is your verdict? What should I think about this file that was created in 2008 and stopped being updated in 2019? Is it a virus? All these years that I had this program installed, was it always a virus? I always downloaded it from the official website that I mentioned.
 
From what I’ve read so far, it seems that the installer of Moo0 Video Converter v1.28 is not as innocent as it appears. Although it presents itself as a video conversion program, the analyses show behaviors typical of a malicious file: it lacks a digital signature, requests administrator permissions, stores almost all of its content in an encrypted section, and uses techniques to hide what it really does. On top of that, it includes functions that could download other programs without notice, modify system settings, and run hidden processes.

In simple terms: this file acts like a Trojan horse, disguised as a legitimate installer, but with the ability to introduce malware into your computer. The experts who reviewed it concluded with high confidence that it is dangerous and should not be installed.⚠️💻🕵️
 
So I always had a program installed that carried viruses? Even though it really did the job of converting, which it does so well that no other program I know of can beat it, they made this program so well that it surpasses others that are even paid for, just to end up infecting it with a virus? I'm in shock. I don't know whether to believe any of you. I feel very confused, friends. If anyone wants to add another opinion, I would appreciate it with facts and files. Thank you very much for your support. That program is or was my idol. I don't know.
 
This file that was created in 2008 and stopped being updated in 2019
First alert. Do not use outdated/abandoned software if you care about security.

The provided analysis reports are pretty solid. If you want 100% proof that this file is malicious, then it gets kind of tricky. It would take several hours or days of testing and tracking. Trust the reports and drop this software.
 
I sent the reports to ChatGPT, and they say that their verdict is that it is a bad installer but that it is not a virus. I don't know who to believe. They are confusing me a lot.
 
@elizabethgilliest5

Moo0 Video Converter is a benign, transparent utility suffering from severe architectural obsolescence. Forensic parsing confirms the absence of malicious intent, credential harvesting, or unauthorized network exfiltration. However, its engineering hygiene violates modern security mandates. The reliance on an outdated MSVC toolchain without ASLR/DEP memory protections, paired with an antique FFmpeg backend, exposes the user to remote code execution (RCE) if a maliciously crafted media file (e.g., a weaponized MKV or MP4) is processed by the application. Because its age is organic and aligns with its legacy hardware targeting, the Legacy Compatibility Override (LCO) mitigates the decay penalty slightly, preventing a total failure state.

The developers explicitly designed this software for maximum compatibility across older hardware ecosystems (Windows XP/Vista/7), prioritizing a lightweight footprint and simple UX over modern, bloated frameworks. The absence of ASLR and DEP was a standard, albeit flawed, practice for ensuring compatibility with 32-bit XP environments at the time of its initial engineering. The application fulfills its exact stated purpose reliably without injecting adware, bundleware, or tracking telemetry into the user's host machine.

To prevent false positives caused by the file's functions and its lack of a digital signature, please submit it to your security suite vendor for analysis.
 
If it's not a virus, what is the risk?

Very good question. Let's separate the concepts precisely.

If it is not malware, the risk is not "direct infection", but rather these scenarios:

1️⃣ Vulnerability risk (not malicious intent)

The analysis you shared mentions:

  • Old software
  • Old toolchain
  • Possible lack of ASLR/DEP
  • Old FFmpeg backend
That means:

👉 If the program processes a malicious media file, an exploitable vulnerability could exist (for example, an MP4/MKV file designed to cause memory corruption).

This would be a remote code execution (RCE) risk, but only if:

  • You open untrusted files.
  • The exploit exists and is not patched.
It is not that the program "is a virus", but that it could be an attack surface if you handle dangerous content.

2️⃣ Packaging / heuristic behavior risk

The sandboxes flagged:

  • High entropy
  • Large .rsrc section
  • Dynamic imports
  • Requires administrator
That is not malware in itself, but:

👉 It is a technique common to both legitimate packed software and droppers.

The risk here is lack of transparency, not automatic infection.

3️⃣ Trust risk

The file:

  • Is not digitally signed.
  • Is an old version.
  • Uses connections to its server.
That means you must trust:

  • That the official site was not compromised.
  • That the installer was not replaced.
That is a supply-chain risk, not confirmed malicious code.

4️⃣ Operational risk

If you install it with:

  • Administrator permissions
  • No firewall
  • On your main system
Then the potential impact of any vulnerability would be greater.

But that applies to any program you run as admin.

🎯 So, if it's not a virus, what real risk remains?

In your case, the most realistic risk would be:

✔ Low vulnerability risk if you open malicious files.
✔ Low-to-medium risk from the lack of a digital signature.
✔ Low risk from heavy packing that triggers heuristic alerts.

There is no evidence of:

  • Data theft
  • Exfiltration
  • Keylogging
  • Confirmed hidden persistence
  • Active malicious C2
That is important.
 
Does the SHA-256 match the official installer published by Moo0?
Can you confirm the current official hash from the developer’s website?
Is there a digitally signed version of the same installer?
If it is not signed, is there any documented reason?
Are the detections in Triage/Filescan consistent with clean versions of the same file?
Does the observed behavior occur only due to heuristics (for example, packing/high entropy)?
Is there evidence of:

External payload download?
Real persistence?
Injection into other processes?
System modification?
Is the file packed with any legitimate protector?
Is the high entropy in .rsrc normal in this type of older installers?
Could you compare it with a known clean version?
Are the connections to bin.moo0.com part of the update system?
Is there public documentation of the update mechanism?
Are additional components downloaded automatically?
Is there any evidence of confirmed malicious behavior?
Or is the entire analysis based on heuristics?
What specific indicator proves malicious intent? Is there any proof of real malicious execution (payload, C2, persistence) or only structural PE indicators?
 
Thank you very much for helping me. I find it very difficult to understand them. I am not an expert, but I try.
 
Subject: Conclusion on Moo0 Video Converter

After reviewing @Divergent ’s detailed analysis, the final conclusion seems quite clear:

Your program is not a virus, but it is a "technological fossil."

To put it simply: the security alerts you are seeing (like the 95% malicious score) happen because the software is so old that it doesn’t follow today’s security standards. It behaves like a "suspicious" program because it was built with tools from 15 years ago, but it doesn't have a malicious intent to steal your data.

In summary:

  • Is it a virus? No, it is a legitimate program, but it's highly obsolete.
  • Is it safe to use? Here is the catch. It’s not dangerous because it wants to attack you, but because it is "weak" due to its age. If you try to convert a video that contains hidden malicious code, the program won't know how to defend itself, and your PC could be exposed.
My recommendation: If you love it for its unique features, try running it inside a Sandbox or a Virtual Machine to isolate it from your main system. This way, you keep the tool you like without opening a backdoor in your current security. Sometimes the convenience of the old world clashes with the security of the new one!

🦖🛡️💻
 