Malware Analysis PC Optimization Malware?

Silverwing

New Member
Thread author
Jul 26, 2023
6
Found this PC optimizer called “hone.gg”. It appears to be legitimate: their Discord has 20000 members, it is signed by Overwolf, and it has sponsorships with YouTubers.

I downloaded this from home.gg (I don’t have direct links, search up hone.gg, you’ll find it) to try and see if it helps. However:

Kaspersky flagged it as malware and so did Hybrid Analysis. More specifically, it flagged a file it dropped called “installer”.

Could you all take a look for me?


Found this interesting too:


Kaspersky has a signature detection? Bitdefender flags too?
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Hello there.

I did not analyse the file itself, but just based on the reports I do not see any reason to suspect malware in the first place.

Firstly, VirusTotal shows 1 scanner detecting this as malicious and it is by a scanner that is not exactly known to be accurate. Nothing suspicious to see in the other VT tabs.

Secondly, the Hybrid-Analysis report: The overall verdict of such automatic analysis systems should be ignored. They are so often wrong. These systems do not know anything about context nor are they really vetted against False Positives. They tend to be way too aggressive and flag behavior as malicious that is completely normal.

Let's take a look at the "malicious" indicators.

[Image: 1709267902274.png]

This is an installer for Hone. It needs to kill the Hone.exe process to make sure that Hone is not running and therefore blocking proper (re-)installation.
So this is expected behavior.

[Image: 1709268050102.png]

All of these are a normal part of installation. Since this is a software that tweaks performance, it will need a driver. So it drops and installs a device driver and adds persistence.

[Image: 1709268296126.png]

It fetches another setup file from a clean host. Maybe to get the latest setup / updates. Also normal for an installer.

[Image: 1709268412545.png]

This is not so great because it decreases security on the system by enabling PowerShell scripts in general and I am not sure if the user is made aware of that during installation. While this is not great, this can hardly be called malicious.

To sum it up: I do not see a reason for concern.
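
The PowerShell concern raised in the post above can be checked on a test machine by comparing the execution policy before and after installation. This is an added example, not part of the thread or the product's own code; it assumes the installer makes the change through the PowerShell execution policy (the thread does not say how), and the parameter names and baseline path are hypothetical.

```powershell
# Added example: snapshot the PowerShell execution policy before an install
# and report every scope that changed afterwards.
# Assumption: the change is made via the execution policy; the thread only
# says the installer enables PowerShell scripts in general.
param(
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode = 'Snapshot',
    # Hypothetical location for the baseline file.
    [string]$BaselinePath = "$env:TEMP\execpolicy-baseline.csv"
)

function Get-PolicySnapshot {
    # One row per scope: MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    Get-ExecutionPolicy -List | ForEach-Object {
        [pscustomobject]@{
            Scope  = $_.Scope.ToString()
            Policy = $_.ExecutionPolicy.ToString()
        }
    }
}

if ($Mode -eq 'Snapshot') {
    Get-PolicySnapshot | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written to $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -Mode Snapshot first."
}

# Load the pre-install policy per scope.
$before = @{}
Import-Csv -Path $BaselinePath | ForEach-Object { $before[$_.Scope] = $_.Policy }

# Keep only the scopes whose policy differs from the baseline.
$changes = foreach ($row in Get-PolicySnapshot) {
    if ($before[$row.Scope] -ne $row.Policy) {
        [pscustomobject]@{ Scope = $row.Scope; Before = $before[$row.Scope]; After = $row.Policy }
    }
}

if ($changes) {
    $changes | Format-Table -AutoSize
    # To restore a scope, run from an elevated prompt:
    #   Set-ExecutionPolicy -Scope <Scope> -ExecutionPolicy <Before value>
} else {
    Write-Output 'Execution policy unchanged in every scope.'
}
```

Launch the script the same way for both runs, because the Process scope reflects how the current PowerShell session was started.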
 

Silverwing

That makes sense. I’m pretty sure Hone changes Windows policies, graphics card settings, etc. to boost performance as much as possible. I probably won’t use it but thanks for checking it out.
 
