Do you think it is related to any of the linked articles by @SkeletalDemise? I'm interested in what family this malware belongs to, and do you think this malware is difficult to analyze? Because 3 vendors have said the file is clean previously. Initially, BD said it is clean, but now they deemed it malicious.Hello there. I have not much time this weekend. But just from checking this file vs the original version's entry point, it is clearly patched. The patched code is unreadable because it manipulates the stack pointer. The original NvStTest in contrast is clearly readable. This patch alone is reason enough to declare it as malware because it is a modification that has nothing to do there and the file hasn't been signed by the publisher. @SkeletalDemise is very spot on with observations and analysis.
Entry point of clean NvStTest:
View attachment 278370
Entry point of manipulated NvStTest (cannot be decompiled):
View attachment 278371
BinDiff of both files
View attachment 278368
Diff for both files of PortEx, black byteplot on the left means same code/data. It is mostly the code near the entry point and some resources and the (missing) certificate that have been changed.
View attachment 278369
If this was a legitimate software update, you would expect something different:
- not only entry point code changes
- certificate would be there
- code would be readable
- many functions with small differences due to recompilation (this file was not recompiled, some of the sections even have the same hash)
This blacksoul rule detects msvcp140.dll. I would not take it seriously.