Question Uninstalr Checked

Please provide comments and solutions that are helpful to the author of this topic.
Status
Not open for further replies.
Mops21 said:
Hi @jv16

I have scan your homepage with virustotal and get this from virustotal

uninstalr.com

Uninstalr

Uninstall software in Windows with Uninstalr.
uninstalr.com uninstalr.com
uninstalr.com

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

Uninstalr_Setup

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

Mops21
Click to expand...

That's unfortunate. I don't know what's wrong with Bitdefender but I hope they will fix it soon. This is what they said about it before our release. We tested it with the Bitdefender Windows client AND using VirusTotal before releasing the app:

bitdefender.png


Screenshot from 2023-07-28 18-31-25.png
 
  • Like
  • Wow
Reactions: [correlate], vtqhtr413, ForgottenSeer 100397 and 6 others
Rated as malicious by Any.Run: Analysis Uninstalr_Portable.exe (MD5: A35881A67EC38F9BB4E33A8DBE013061) Malicious activity - Interactive analysis ANY.RUN

Rated as malicious by Sophos Dynamic Analysis: Intelix UI

7/10 malicious rating by Triage: Triage | Behavioral Report

10/10 malicious rating by Yomi: YOMI

Rated as malicious by UnPacMe: https://www.unpac.me/results/16ae8cdc-531b-4786-931f-88bd9b74820b

And also rated as malicious by Threat.Zone: Threat.Zone - Hypervisor Based Automated/Interactive Malware Analysis Platform

@jv16


❗This is no insinuation or anything but I just thought I should share this. ❗
 
  • Like
  • Wow
  • Applause
Reactions: [correlate], vtqhtr413, oldschool and 9 others
Kongo said:
Rated as malicious by Any.Run: Analysis Uninstalr_Portable.exe (MD5: A35881A67EC38F9BB4E33A8DBE013061) Malicious activity - Interactive analysis ANY.RUN

Rated as malicious by Sophos Dynamic Analysis: Intelix UI

7/10 malicious rating by Triage: Triage | Behavioral Report

10/10 malicious rating by Yomi: YOMI

Rated as malicious by UnPacMe: https://www.unpac.me/results/16ae8cdc-531b-4786-931f-88bd9b74820b

And also rated as malicious by Threat.Zone: Threat.Zone - Hypervisor Based Automated/Interactive Malware Analysis Platform

@jv16


❗This is no insinuation or anything but I just thought I should share this. ❗
Click to expand...
It is flagged as malware/suspicious because it accesses the browser credentials, but I assume its normal for this type of software?
 
  • Like
Reactions: [correlate], vtqhtr413, ForgottenSeer 100397 and 8 others
jv16 said:
That's unfortunate. I don't know what's wrong with Bitdefender but I hope they will fix it soon. This is what they said about it before our release. We tested it with the Bitdefender Windows client AND using VirusTotal before releasing the app
Click to expand...
Specific with Bitdefender on VT, that seems clear/gone now.

Kongo said:
❗This is no insinuation or anything but I just thought I should share this. ❗
Click to expand...
Nothing wrong with share those tests and results, and extra when it's a brand new software. Pretty common practice on this forum. (y)

One small important note I would highlight about is, for example AnyRun is a good service, but it's " Malicious " verdicts is many times far from 100% bullet proof. It requires deeper investigation. I would also recommend run tests there longer then the default 60 seconds. The Sophos url I get no result from. Guess I need to be logged in? :unsure:
 
  • Like
  • +Reputation
Reactions: [correlate], vtqhtr413, cryogent and 14 others
likeastar20 said:
It is flagged as malware/suspicious because it accesses the browser credentials, but I assume its normal for this type of software?
Click to expand...
That's what I thought too, but the result of UnPacMe was a little concerning as it's ranked as Agen Tesla. I uploaded the detected hash to VT:

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

upnorth said:
One small important note I would highlight about is, for example AnyRun is a good service, but it's " Malicious " verdicts is many times far from 100% bullet proof. It requires deeper investigation. I would also recommend run tests there longer then the default 60 seconds. The Sophos url I get no result from. Guess I need to be logged in? :unsure:
Click to expand...
I knew that AnyRun's rating is not that accurate but I thought I should share as many references as possible. And yeah, you need to be logged in to your Sophos account in order to view it. :confused:
 
  • Like
  • Thanks
  • Wow
Reactions: [correlate], vtqhtr413, ForgottenSeer 100397 and 8 others
Kongo said:
Rated as malicious by Any.Run: Analysis Uninstalr_Portable.exe (MD5: A35881A67EC38F9BB4E33A8DBE013061) Malicious activity - Interactive analysis ANY.RUN

Rated as malicious by Sophos Dynamic Analysis: Intelix UI

7/10 malicious rating by Triage: Triage | Behavioral Report

10/10 malicious rating by Yomi: YOMI

Rated as malicious by UnPacMe: https://www.unpac.me/results/16ae8cdc-531b-4786-931f-88bd9b74820b

And also rated as malicious by Threat.Zone: Threat.Zone - Hypervisor Based Automated/Interactive Malware Analysis Platform

@jv16


❗This is no insinuation or anything but I just thought I should share this. ❗
Click to expand...


These are probably relating to the fact that Uninstalr is basically a tool that can remove any app from your system, and to do that, it does some fairly deep level analysis of your system and then uses many different methods and even some trickery to be able to remove data (that you ask it to remove!).

All this probably looks a lot like what malware could be doing.

Naturally, there is nothing malicious within the software, and after these antivirus companies have a better look at it, they will clear it as well.

Most of the false positives of the release day have already been cleared.
 
  • Like
  • +Reputation
Reactions: [correlate], vtqhtr413, mlnevese and 9 others
likeastar20 said:
Yes, detected by Kaspersky as a stealer because it accesses user credentials. Can you take a look at @struppigel ?
Click to expand...

I do not see anything suspicious (I did not do a full analysis, but I also do not see a reason to). Please note that overall verdicts of automated systems are pretty much useless. They do not know the context/purpose of any program and are frequently mistaken.
While most programs do not need to access lots of different registry and file pathes for browsers and other programs containing personal data, this is certainly the case for uninstallers and nothing to worry about.

The Setup version seems to have some issue with the certificate. It shows up as not signed on Virustotal, although it is signed. That means strict signature verification is failing for some reason and might also cause suspicion for the antivirus products.
 
Last edited:
  • Like
  • +Reputation
  • Thanks
Reactions: brambedkar59, [correlate], vtqhtr413 and 12 others
struppigel said:
The Setup version seems to have some issue with the certificate. It shows up as not signed on Virustotal, although it is signed. That means strict signature verification is failing for some reason and might also cause suspicion for the antivirus products.
Click to expand...

Would you happen to know why this might be happening? The setup file is signed with Microsoft's SignTool.exe, using my company's code signing certificate and the process is exactly the same as to how I sign the portable version.

To me, it seems like a problem with VirusTotal. Similarly how VirusTotal flags the Portable file as "corrupt" when the file is a perfectly valid Windows executable and not corrupted.
 
  • Like
Reactions: [correlate], brambedkar59, vtqhtr413 and 12 others
struppigel said:
overall verdicts of automated systems are pretty much useless. They do not know the context/purpose of any program and are frequently mistaken.
Click to expand...
Couldn't agree more as for example one of the automated services that's seen/added in the community tab on VT in this case, is even mention Kasperskys service as reference for it's " Malicious " verdict. The sad/funny part is that Kaspersky flag it as green/clean. Automated services or sandbox platforms is a good initial tool, but as I mentioned it requires more investigation to get a better more conclusive assessment.

Hopefully as a small help. Active and alive real AgentTesla samples acts different and specific on how they connect out and send it's collected/stolen credential.
send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Click to expand...

Agent Tesla (Malware Family)

A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S)...
malpedia.caad.fkie.fraunhofer.de malpedia.caad.fkie.fraunhofer.de

Btw, here's Kasperskys analysts latest verdict:
8_47 AM.png
 
  • Like
  • +Reputation
  • Wow
Reactions: [correlate], brambedkar59, vtqhtr413 and 13 others
Kongo said:
After unpacking: https://www.unpac.me/results/d87d15d9-02f3-412e-9e69-598444836ee4
Click to expand...

This is the VirusTotal report of the unpacked Uninstalr_Portable.exe:

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com

The file is packed using upx396w with the upx -8 option. Interestingly, unpacking it with upx -d command does not produce the exactly same binary file as before packing! The above file is the original binary coming from the compiler, but packing with upx and then unpacking it (with the same version of upx), the produced file is different, producing a couple false positives: VirusTotal

Here is the original Portable version binary file that came from the compiler, before being upx packed, in case anyone is interested:

In other words, the current official Portable version (https://uninstalr.com/Uninstalr_Portable.exe) is made by calling upx -8 Uninstalr_Portable_noupx.exe using upx396w
 
  • Like
  • +Reputation
Reactions: [correlate], vtqhtr413, likeastar20 and 6 others
I just realized that I confused these files.
If you unpack a previously signed and UPX packed file, of course the certificate is not valid anymore.
The detection rates for the unpacked file will be higher just because of that.
But this file will not appear on any system, so who cares. It can be ignored.
 
  • Like
  • +Reputation
  • Applause
Reactions: [correlate], Dave Russo, vtqhtr413 and 10 others
Status
Not open for further replies.

You may also like...