Question Uninstalr Checked


Status
Not open for further replies.

jv16

From Macecraft Software
Verified
Developer
Jan 2, 2023
91
Hi @jv16

I have scanned your homepage with VirusTotal and got this from VirusTotal

uninstalr.com


Uninstalr_Setup


Mops21

That's unfortunate. I don't know what's wrong with Bitdefender but I hope they will fix it soon. This is what they said about it before our release. We tested it with the Bitdefender Windows client AND using VirusTotal before releasing the app:

bitdefender.png


Screenshot from 2023-07-28 18-31-25.png
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,597
Rated as malicious by Any.Run: Analysis Uninstalr_Portable.exe (MD5: A35881A67EC38F9BB4E33A8DBE013061) Malicious activity - Interactive analysis ANY.RUN

Rated as malicious by Sophos Dynamic Analysis: Intelix UI

7/10 malicious rating by Triage: Triage | Behavioral Report

10/10 malicious rating by Yomi: YOMI

Rated as malicious by UnPacMe: https://www.unpac.me/results/16ae8cdc-531b-4786-931f-88bd9b74820b

And also rated as malicious by Threat.Zone: Threat.Zone - Hypervisor Based Automated/Interactive Malware Analysis Platform

@jv16


❗This is no insinuation or anything but I just thought I should share this. ❗
 

likeastar20

Level 9
Verified
Mar 24, 2016
423
Rated as malicious by Any.Run: Analysis Uninstalr_Portable.exe (MD5: A35881A67EC38F9BB4E33A8DBE013061) Malicious activity - Interactive analysis ANY.RUN

Rated as malicious by Sophos Dynamic Analysis: Intelix UI

7/10 malicious rating by Triage: Triage | Behavioral Report

10/10 malicious rating by Yomi: YOMI

Rated as malicious by UnPacMe: https://www.unpac.me/results/16ae8cdc-531b-4786-931f-88bd9b74820b

And also rated as malicious by Threat.Zone: Threat.Zone - Hypervisor Based Automated/Interactive Malware Analysis Platform

@jv16


❗This is no insinuation or anything but I just thought I should share this. ❗
It is flagged as malware/suspicious because it accesses the browser credentials, but I assume it's normal for this type of software?
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
That's unfortunate. I don't know what's wrong with Bitdefender but I hope they will fix it soon. This is what they said about it before our release. We tested it with the Bitdefender Windows client AND using VirusTotal before releasing the app
Specific with Bitdefender on VT, that seems clear/gone now.

❗This is no insinuation or anything but I just thought I should share this. ❗
Nothing wrong with sharing those tests and results, and extra when it's a brand new software. Pretty common practice on this forum. (y)

One small important note I would highlight is that, for example, AnyRun is a good service, but its "Malicious" verdicts are many times far from 100% bulletproof. It requires deeper investigation. I would also recommend running tests there longer than the default 60 seconds. The Sophos URL I get no result from. Guess I need to be logged in? :unsure:
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,597
It is flagged as malware/suspicious because it accesses the browser credentials, but I assume its normal for this type of software?
That's what I thought too, but the result of UnPacMe was a little concerning as it's ranked as Agent Tesla. I uploaded the detected hash to VT:


One small important note I would highlight is that, for example, AnyRun is a good service, but its "Malicious" verdicts are many times far from 100% bulletproof. It requires deeper investigation. I would also recommend running tests there longer than the default 60 seconds. The Sophos URL I get no result from. Guess I need to be logged in? :unsure:
I knew that AnyRun's rating is not that accurate but I thought I should share as many references as possible. And yeah, you need to be logged in to your Sophos account in order to view it. :confused:
 

jv16

From Macecraft Software
Verified
Developer
Jan 2, 2023
91
Rated as malicious by Any.Run: Analysis Uninstalr_Portable.exe (MD5: A35881A67EC38F9BB4E33A8DBE013061) Malicious activity - Interactive analysis ANY.RUN

Rated as malicious by Sophos Dynamic Analysis: Intelix UI

7/10 malicious rating by Triage: Triage | Behavioral Report

10/10 malicious rating by Yomi: YOMI

Rated as malicious by UnPacMe: https://www.unpac.me/results/16ae8cdc-531b-4786-931f-88bd9b74820b

And also rated as malicious by Threat.Zone: Threat.Zone - Hypervisor Based Automated/Interactive Malware Analysis Platform

@jv16


❗This is no insinuation or anything but I just thought I should share this. ❗


These are probably relating to the fact that Uninstalr is basically a tool that can remove any app from your system, and to do that, it does some fairly deep level analysis of your system and then uses many different methods and even some trickery to be able to remove data (that you ask it to remove!).

All this probably looks a lot like what malware could be doing.

Naturally, there is nothing malicious within the software, and after these antivirus companies have a better look at it, they will clear it as well.

Most of the false positives of the release day have already been cleared.
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Yes, detected by Kaspersky as a stealer because it accesses user credentials. Can you take a look at @struppigel?

I do not see anything suspicious (I did not do a full analysis, but I also do not see a reason to). Please note that overall verdicts of automated systems are pretty much useless. They do not know the context/purpose of any program and are frequently mistaken.
While most programs do not need to access lots of different registry and file paths for browsers and other programs containing personal data, this is certainly the case for uninstallers and nothing to worry about.

The Setup version seems to have some issue with the certificate. It shows up as not signed on Virustotal, although it is signed. That means strict signature verification is failing for some reason and might also cause suspicion for the antivirus products.
 

jv16

From Macecraft Software
Verified
Developer
Jan 2, 2023
91
The Setup version seems to have some issue with the certificate. It shows up as not signed on Virustotal, although it is signed. That means strict signature verification is failing for some reason and might also cause suspicion for the antivirus products.

Would you happen to know why this might be happening? The setup file is signed with Microsoft's SignTool.exe, using my company's code signing certificate, and the process is exactly the same as how I sign the portable version.

To me, it seems like a problem with VirusTotal. Similarly to how VirusTotal flags the Portable file as "corrupt" when the file is a perfectly valid Windows executable and not corrupted.
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
overall verdicts of automated systems are pretty much useless. They do not know the context/purpose of any program and are frequently mistaken.
Couldn't agree more, as for example one of the automated services that's seen/added in the community tab on VT in this case even mentions Kaspersky's service as reference for its "Malicious" verdict. The sad/funny part is that Kaspersky flags it as green/clean. Automated services or sandbox platforms are a good initial tool, but as I mentioned it requires more investigation to get a better, more conclusive assessment.

Hopefully as a small help. Active and alive real AgentTesla samples act differently and specifically in how they connect out and send their collected/stolen credentials.
send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.

Btw, here's Kaspersky's analysts' latest verdict:
8_47 AM.png
 

jv16

From Macecraft Software
Verified
Developer
Jan 2, 2023
91

This is the VirusTotal report of the unpacked Uninstalr_Portable.exe:

The file is packed using upx396w with the upx -8 option. Interestingly, unpacking it with the upx -d command does not produce exactly the same binary file as before packing! The above file is the original binary coming from the compiler, but after packing it with upx and then unpacking it (with the same version of upx), the produced file is different, producing a couple of false positives: VirusTotal

Here is the original Portable version binary file that came from the compiler, before being upx packed, in case anyone is interested:

In other words, the current official Portable version (https://uninstalr.com/Uninstalr_Portable.exe) is made by calling upx -8 Uninstalr_Portable_noupx.exe using upx396w
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
I just realized that I confused these files.
If you unpack a previously signed and UPX packed file, of course the certificate is not valid anymore.
The detection rates for the unpacked file will be higher just because of that.
But this file will not appear on any system, so who cares. It can be ignored.
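Two points in this thread lend themselves to a concrete check: struppigel's note that a signed, UPX-packed file loses its certificate once unpacked, and jv16's observation that upx -d does not give back the original bytes. The Python below is an added example written for this page, not code from Macecraft, UPX or VirusTotal. It parses the PE headers of two constructed sample images (built inline by build_minimal_pe; they are not the real Uninstalr binaries and cannot execute) to report UPX-style section names, whether the security directory points at an Authenticode certificate table, and which sections differ between two builds of "the same" program. The function names are the example's own. Note that presence of a certificate table is not validity: the cryptographic check still needs signtool verify or PowerShell's Get-AuthenticodeSignature.

```python
import hashlib
import struct

FILE_ALIGN = 0x200           # FileAlignment used by the constructed samples
SECURITY_DIR_INDEX = 4       # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode certificate table)


def parse_pe(data: bytes) -> dict:
    """Read just enough of a PE file to list its sections (with per-section hashes)
    and locate the security data directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:          # PE32: data directories start 96 bytes into the optional header
        dd_off = opt_off + 96
    elif magic == 0x20B:        # PE32+: 112 bytes in
        dd_off = opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    cert_off, cert_size = struct.unpack_from("<II", data, dd_off + 8 * SECURITY_DIR_INDEX)
    sections, sec_off = [], opt_off + opt_size
    for i in range(nsec):
        name, _vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "raw_size": raw_size,
                         "sha256": hashlib.sha256(raw).hexdigest()})
    return {"machine": machine, "sections": sections,
            "security_dir": (cert_off, cert_size),   # file offset + size of the WIN_CERTIFICATE table
            "sha256": hashlib.sha256(data).hexdigest()}


def is_upx_packed(info: dict) -> bool:
    """UPX names its sections UPX0/UPX1; a heuristic, not proof of packing."""
    return any(s["name"].startswith("UPX") for s in info["sections"])


def has_authenticode(info: dict, file_len: int) -> bool:
    """True if the security directory points at a non-empty certificate table inside the file.
    Presence only: cryptographic validity needs signtool or Get-AuthenticodeSignature."""
    off, size = info["security_dir"]
    return size > 0 and off + size <= file_len


def diff_sections(a: dict, b: dict) -> list:
    """Explain why two builds of 'the same' program hash differently, section by section."""
    sa = {s["name"]: s for s in a["sections"]}
    sb = {s["name"]: s for s in b["sections"]}
    out = [f"only in first: {n}" for n in sa if n not in sb]
    out += [f"only in second: {n}" for n in sb if n not in sa]
    for n in sa.keys() & sb.keys():
        if sa[n]["sha256"] != sb[n]["sha256"]:
            out.append(f"{n}: raw bytes differ ({sa[n]['raw_size']} vs {sb[n]['raw_size']} bytes)")
    if a["security_dir"] != b["security_dir"]:
        out.append(f"security directory differs: {a['security_dir']} vs {b['security_dir']}")
    return out


def build_minimal_pe(sections, cert_size: int = 0) -> bytes:
    """Constructed, non-runnable PE32 image with the given (name, payload) sections and,
    optionally, a dummy certificate table, so the parser can be exercised offline."""
    n, opt_size = len(sections), 224
    first_raw = -(-(64 + 4 + 20 + opt_size + 40 * n) // FILE_ALIGN) * FILE_ALIGN
    hdrs, blobs, raw_ptr, rva = b"", b"", first_raw, 0x1000
    for name, payload in sections:
        raw_size = -(-len(payload) // FILE_ALIGN) * FILE_ALIGN
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(payload), rva,
                            raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += payload.ljust(raw_size, b"\0")
        raw_ptr, rva = raw_ptr + raw_size, rva + 0x1000
    cert = b"\xAA" * cert_size                       # placeholder bytes, not a real WIN_CERTIFICATE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, raw_ptr if cert_size else 0, cert_size)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    head = (dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(first_raw, b"\0")
    return head + blobs + cert


# Constructed samples standing in for "UPX-packed and signed" vs "unpacked by upx -d".
PACKED = build_minimal_pe([("UPX0", b""), ("UPX1", b"\xE8" * 64), (".rsrc", b"R" * 16)], cert_size=256)
UNPACKED = build_minimal_pe([(".text", b"\x55\x8B\xEC" * 20), (".data", b"D" * 32), (".rsrc", b"R" * 16)])


def summarize(data: bytes) -> dict:
    info = parse_pe(data)
    return {"sha256": info["sha256"], "upx": is_upx_packed(info),
            "authenticode_present": has_authenticode(info, len(data)),
            "sections": [s["name"] for s in info["sections"]]}


if __name__ == "__main__":
    for label, blob in (("packed+signed", PACKED), ("unpacked", UNPACKED)):
        print(label, summarize(blob))
    for line in diff_sections(parse_pe(PACKED), parse_pe(UNPACKED)):
        print("  -", line)
```

Run as a script it prints a summary of both constructed images and the section-level differences; on real files, pass the bytes from open(path, "rb").read() to summarize and diff_sections. Comparing the compiler output against the upx -d result this way shows which sections and header fields changed, which is the kind of evidence that separates a packer artifact from a genuine finding in an automated verdict.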
 
