Question Uninstalr Checked

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.

jv16

From Macecraft Software
Verified
Developer
Jan 2, 2023
91
Hi @jv16

I have scan your homepage with virustotal and get this from virustotal

uninstalr.com


Uninstalr_Setup


Mops21

That's unfortunate. I don't know what's wrong with Bitdefender but I hope they will fix it soon. This is what they said about it before our release. We tested it with the Bitdefender Windows client AND using VirusTotal before releasing the app:

bitdefender.png


Screenshot from 2023-07-28 18-31-25.png
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,531
Rated as malicious by Any.Run: Analysis Uninstalr_Portable.exe (MD5: A35881A67EC38F9BB4E33A8DBE013061) Malicious activity - Interactive analysis ANY.RUN

Rated as malicious by Sophos Dynamic Analysis: Intelix UI

7/10 malicious rating by Triage: Triage | Behavioral Report

10/10 malicious rating by Yomi: YOMI

Rated as malicious by UnPacMe: https://www.unpac.me/results/16ae8cdc-531b-4786-931f-88bd9b74820b

And also rated as malicious by Threat.Zone: Threat.Zone - Hypervisor Based Automated/Interactive Malware Analysis Platform

@jv16


❗This is no insinuation or anything but I just thought I should share this. ❗
 

likeastar20

Level 8
Verified
Mar 24, 2016
374
Rated as malicious by Any.Run: Analysis Uninstalr_Portable.exe (MD5: A35881A67EC38F9BB4E33A8DBE013061) Malicious activity - Interactive analysis ANY.RUN

Rated as malicious by Sophos Dynamic Analysis: Intelix UI

7/10 malicious rating by Triage: Triage | Behavioral Report

10/10 malicious rating by Yomi: YOMI

Rated as malicious by UnPacMe: https://www.unpac.me/results/16ae8cdc-531b-4786-931f-88bd9b74820b

And also rated as malicious by Threat.Zone: Threat.Zone - Hypervisor Based Automated/Interactive Malware Analysis Platform

@jv16


❗This is no insinuation or anything but I just thought I should share this. ❗
It is flagged as malware/suspicious because it accesses the browser credentials, but I assume its normal for this type of software?
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458
That's unfortunate. I don't know what's wrong with Bitdefender but I hope they will fix it soon. This is what they said about it before our release. We tested it with the Bitdefender Windows client AND using VirusTotal before releasing the app
Specific with Bitdefender on VT, that seems clear/gone now.

❗This is no insinuation or anything but I just thought I should share this. ❗
Nothing wrong with share those tests and results, and extra when it's a brand new software. Pretty common practice on this forum. (y)

One small important note I would highlight about is, for example AnyRun is a good service, but it's " Malicious " verdicts is many times far from 100% bullet proof. It requires deeper investigation. I would also recommend run tests there longer then the default 60 seconds. The Sophos url I get no result from. Guess I need to be logged in? :unsure:
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,531
It is flagged as malware/suspicious because it accesses the browser credentials, but I assume its normal for this type of software?
That's what I thought too, but the result of UnPacMe was a little concerning as it's ranked as Agen Tesla. I uploaded the detected hash to VT:


One small important note I would highlight about is, for example AnyRun is a good service, but it's " Malicious " verdicts is many times far from 100% bullet proof. It requires deeper investigation. I would also recommend run tests there longer then the default 60 seconds. The Sophos url I get no result from. Guess I need to be logged in? :unsure:
I knew that AnyRun's rating is not that accurate but I thought I should share as many references as possible. And yeah, you need to be logged in to your Sophos account in order to view it. :confused:
 

jv16

From Macecraft Software
Verified
Developer
Jan 2, 2023
91
Rated as malicious by Any.Run: Analysis Uninstalr_Portable.exe (MD5: A35881A67EC38F9BB4E33A8DBE013061) Malicious activity - Interactive analysis ANY.RUN

Rated as malicious by Sophos Dynamic Analysis: Intelix UI

7/10 malicious rating by Triage: Triage | Behavioral Report

10/10 malicious rating by Yomi: YOMI

Rated as malicious by UnPacMe: https://www.unpac.me/results/16ae8cdc-531b-4786-931f-88bd9b74820b

And also rated as malicious by Threat.Zone: Threat.Zone - Hypervisor Based Automated/Interactive Malware Analysis Platform

@jv16


❗This is no insinuation or anything but I just thought I should share this. ❗


These are probably relating to the fact that Uninstalr is basically a tool that can remove any app from your system, and to do that, it does some fairly deep level analysis of your system and then uses many different methods and even some trickery to be able to remove data (that you ask it to remove!).

All this probably looks a lot like what malware could be doing.

Naturally, there is nothing malicious within the software, and after these antivirus companies have a better look at it, they will clear it as well.

Most of the false positives of the release day have already been cleared.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
Yes, detected by Kaspersky as a stealer because it accesses user credentials. Can you take a look at @struppigel ?

I do not see anything suspicious (I did not do a full analysis, but I also do not see a reason to). Please note that overall verdicts of automated systems are pretty much useless. They do not know the context/purpose of any program and are frequently mistaken.
While most programs do not need to access lots of different registry and file pathes for browsers and other programs containing personal data, this is certainly the case for uninstallers and nothing to worry about.

The Setup version seems to have some issue with the certificate. It shows up as not signed on Virustotal, although it is signed. That means strict signature verification is failing for some reason and might also cause suspicion for the antivirus products.
 
Last edited:

jv16

From Macecraft Software
Verified
Developer
Jan 2, 2023
91
The Setup version seems to have some issue with the certificate. It shows up as not signed on Virustotal, although it is signed. That means strict signature verification is failing for some reason and might also cause suspicion for the antivirus products.

Would you happen to know why this might be happening? The setup file is signed with Microsoft's SignTool.exe, using my company's code signing certificate and the process is exactly the same as to how I sign the portable version.

To me, it seems like a problem with VirusTotal. Similarly how VirusTotal flags the Portable file as "corrupt" when the file is a perfectly valid Windows executable and not corrupted.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458
overall verdicts of automated systems are pretty much useless. They do not know the context/purpose of any program and are frequently mistaken.
Couldn't agree more as for example one of the automated services that's seen/added in the community tab on VT in this case, is even mention Kasperskys service as reference for it's " Malicious " verdict. The sad/funny part is that Kaspersky flag it as green/clean. Automated services or sandbox platforms is a good initial tool, but as I mentioned it requires more investigation to get a better more conclusive assessment.

Hopefully as a small help. Active and alive real AgentTesla samples acts different and specific on how they connect out and send it's collected/stolen credential.
send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.

Btw, here's Kasperskys analysts latest verdict:
8_47 AM.png
 

jv16

From Macecraft Software
Verified
Developer
Jan 2, 2023
91

This is the VirusTotal report of the unpacked Uninstalr_Portable.exe:

The file is packed using upx396w with the upx -8 option. Interestingly, unpacking it with upx -d command does not produce the exactly same binary file as before packing! The above file is the original binary coming from the compiler, but packing with upx and then unpacking it (with the same version of upx), the produced file is different, producing a couple false positives: VirusTotal

Here is the original Portable version binary file that came from the compiler, before being upx packed, in case anyone is interested:

In other words, the current official Portable version (https://uninstalr.com/Uninstalr_Portable.exe) is made by calling upx -8 Uninstalr_Portable_noupx.exe using upx396w
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
I just realized that I confused these files.
If you unpack a previously signed and UPX packed file, of course the certificate is not valid anymore.
The detection rates for the unpacked file will be higher just because of that.
But this file will not appear on any system, so who cares. It can be ignored.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top