Hot Take Is this malware?

Status
Not open for further replies.

Studynxx (thread author)
Jan 20, 2023
I haven't run this executable yet, just looking through it on a VM. Link: VirusTotal

What bothers me is that Kaspersky and Malwarebytes return "non-malware", but many others say it's a crack (it is tbh). But what REALLY bothers me is that if you look at the behavior, it has hit 2 high-severity (red) YARA rules. Interestingly enough, the contacted IPs don't appear to be malicious based on VT's findings.

But why would a crack do those things listed in the YARA rules? By the way, when I analyze something with Kaspersky or HitmanPro, do they only apply static analysis, or do they analyse the sample dynamically too?
I'm in the process of learning how to tell if something is malware or not based on VT, Wireshark, Process Explorer, etc.
 
OK, I just clicked on View Matches for the YARA rules and these don't appear malicious. Those services are to be stopped if it's a crack.
 

I've reported it, waiting for the verdict.

But in VT there are many generic detections, so it's probably a typical FP in VT because it's a crack.
 
Cracks are often flagged by security tools because they use techniques that are also common in malware. To bypass security measures and modify a program, a crack may employ methods like code injection, memory manipulation, and hooking, all of which are also used by malicious software to hijack processes or alter system behavior. Additionally, cracks are frequently packed or obfuscated, hiding their code from static analysis, a tactic that malware uses to evade detection.

Even when a crack doesn't contain a hidden malicious payload, its actions are often deemed suspicious by security tools. For example, a crack's attempt to disable a software's license verification process can look identical to a piece of malware trying to disable a security product. This overlap in behavior is a key reason why security software is designed to treat cracks with extreme caution.

This is where the importance of static analysis becomes clear. While cracks often use packing and obfuscation to evade simple signature-based detection, advanced static analysis tools can still find suspicious patterns. These tools are designed to identify the tell-tale signs of techniques like code injection and memory manipulation, which are necessary for the crack to function. By examining the file's structure, its imported functions, and the high-severity YARA rules it triggers, static analysis provides crucial clues about the file's intent, even when the code is deliberately hidden or disguised.
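As an added illustration of the two static checks the reply above describes (packing/obfuscation and imports of injection- and hooking-related APIs), here is a small stand-alone triage script. It is not code from this thread, from VirusTotal or from any AV vendor: it scans raw bytes for API names as strings rather than parsing a real PE import table, the API list and the entropy threshold are the author's assumptions, and the sample it runs on is constructed inline (not the file discussed in the thread).

```python
"""Static triage of a suspicious binary: packing indicators and injection-related API names.

Added example, not code from the forum thread or from any vendor. It approximates
two checks a static analyser performs: per-region entropy (packed or encrypted code
is near-random) and a scan for Win32 API names that cracks, loaders and
process-injecting malware all tend to import. The sample bytes are constructed;
the API list and threshold are assumptions.
"""
import json
import math
import random
import re
from collections import Counter

# APIs whose presence is a clue about capability, not a verdict (assumed list).
INJECTION_APIS = {
    "VirtualAllocEx": "allocating memory in another process",
    "WriteProcessMemory": "writing into another process",
    "CreateRemoteThread": "starting a thread in another process (classic injection)",
    "SetWindowsHookEx": "installing a hook",
    "NtUnmapViewOfSection": "unmapping an image (process hollowing)",
    "OpenSCManagerA": "talking to the Service Control Manager",
    "ControlService": "stopping or controlling services",
}

# Ordinary x86 code rarely exceeds ~6.5 bits/byte; packed or encrypted regions
# sit close to 8. The cut-off is an assumption, tune it against known-good files.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = 1024) -> list[float]:
    """Entropy per fixed-size chunk, so a packed region inside an otherwise
    plain file is not averaged away by the whole-file figure."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def find_api_names(data: bytes) -> dict[str, str]:
    """Return name -> reason for every listed API that appears as an ASCII string
    (what an import table or a GetProcAddress argument would contain)."""
    found = {}
    for name, reason in INJECTION_APIS.items():
        if re.search(rb"\b" + re.escape(name.encode()) + rb"\b", data):
            found[name] = reason
    return found


def triage(data: bytes) -> dict:
    """Combine both checks into a triage summary. A positive result means
    'worth a sandbox run', not 'malicious'."""
    apis = find_api_names(data)
    per_chunk = chunk_entropies(data)
    packed_chunks = sum(1 for e in per_chunk if e >= PACKED_ENTROPY_THRESHOLD)
    return {
        "overall_entropy": round(shannon_entropy(data), 3),
        "packed_chunks": packed_chunks,
        "total_chunks": len(per_chunk),
        "likely_packed": packed_chunks > 0,
        "suspicious_apis": apis,
        "needs_dynamic_analysis": bool(apis) or packed_chunks > 0,
    }


def build_sample() -> bytes:
    """Constructed stand-in for a crack-like binary: a header region naming a few
    APIs, then a seeded pseudo-random blob standing in for packed code.
    This is not a real PE file."""
    header = (
        b"MZ constructed sample, not a real executable\x00"
        b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00"
        b"CreateRemoteThread\x00advapi32.dll\x00OpenSCManagerA\x00ControlService\x00"
    ).ljust(1024, b"\x00")  # pad so the blob starts on a chunk boundary
    blob = random.Random(1337).randbytes(4096)  # reproducible high-entropy region
    return header + blob


if __name__ == "__main__":
    print(json.dumps(triage(build_sample()), indent=2))
```

Run it as-is to see the summary for the constructed sample, or replace `build_sample()` with the bytes of a file read from disk. The point of the per-chunk entropy is visible in the output: the padded header scores low while the blob scores near 8, which the whole-file figure alone would blur. Treat both signals the way the reply describes them, as clues that justify dynamic analysis, not as a detection.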
 

They really need to start servicing paying customers, honestly. They can just run my email address and see I've been paying for 3 years.
 
Which tool do you recommend I learn for static analysis?
 

Hello,

No malicious software was found in the attached file.

Best regards, Malware Analyst
 
Hello, I've been using K. since 2016 and in my country, India, their service is excellent. I'm satisfied with K.
 
Why is it that they respond to you but not to me?
Not sure why Kaspersky did not respond to you, but they should, as you are a paying customer in the Home-Consumer division.

In the SMB-Enterprise division, accounts are prioritized and tied to an SLA that the AV vendor must meet for the initial correspondence with a solution.
 
Correct, I've done service desk in the past; SLAs are to be upheld rigorously.
 