X-Sec Malware Scanner detected Heur:Downloader.Generic, could it be legit or false positive?

Status
Not open for further replies.

TangentLiny

New Member
Thread author
Aug 18, 2024
10
Hello,
I ran the X-Sec Malware Scanner and it came back with some detections.

"Heur: Downloader.Generic
C:\Users\{name}\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\A6WCER12_57\3XBVSRP6_58\LK3FZULO0T_9"

"Heur: Downloader.Generic
C:\Users\{name}\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\A6WCER12_57\IXEX75DA_59\4EWC8N89P5_19"

"Heur: Downloader.Generic
C:\Users\{name}\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\A6WCER12_57\XP74PPOF_61\55Q1BGGQS6_19"

I decided to upload these files to VirusTotal, but they came back clean. Could it be a false positive?
 

TangentLiny

New Member
Thread author
Aug 18, 2024
10
I ran this same exact scanner on my laptop and it found even more of the same/similar infections, in the same file locations as in the desktop scan.

"
Basic Info:
---------------------
Program Version: 3.2.1.0
Rising Virus Database Version: 25.00.44.26
X-Sec Heuristic Engine: Enabled
Rising Antivirus Engine: Enabled
Rising Cloud Engine: Enabled
Backup Before Resolve: Enabled
---------------------
Targets:
---------------------
C:\
---------------------
2024-10-14 06:12:10 Threat Detected: C:\Users\{name}\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Default\Service Worker\CacheStorage\a957449e0c17def967fb86220c8cab1d9f0a68fc\09de7730-b194-4346-b04f-0eb9c41fec52\527d29cc30a0094c_0 -- [xave-heur] Heur:Trojan.Generic
2024-10-14 06:13:08 Threat Detected: C:\Users\{name}\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\78E78GAE_109\FXKP9E0X_116\KD4YYXUDI3_16 -- [xave-heur] Heur:Downloader.Generic
2024-10-14 06:13:14 Threat Detected: C:\Users\{name}\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\78E78GAE_109\I5IXFZAP_115\9EOQEBWJ3P_51 -- [xave-heur] Heur:Downloader.Generic
2024-10-14 06:13:15 Threat Detected: C:\Users\{name}\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\78E78GAE_109\I5IXFZAP_115\A9VHQ5QAE3_43 -- [xave-heur] Heur:Downloader.Generic
2024-10-14 06:13:25 Threat Detected: C:\Users\{name}\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\78E78GAE_109\J4C2I5VW_110\03X2PP8K0O_61 -- [xave-heur] Heur:Downloader.Generic
2024-10-14 06:13:33 Threat Detected: C:\Users\{name}\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\78E78GAE_109\J4C2I5VW_110\HL4AVR77R0_15 -- [xave-heur] Heur:Downloader.Generic
2024-10-14 06:13:38 Threat Detected: C:\Users\{name}\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\78E78GAE_109\J4C2I5VW_110\OFA4WHXAIV_74 -- [xave-heur] Heur:Downloader.Generic
2024-10-14 06:13:41 Threat Detected: C:\Users\{name}\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\78E78GAE_109\J4C2I5VW_110\SN0IS2RN9G_66 -- [xave-heur] Heur:Downloader.Generic
2024-10-14 06:37:59 Threat Detected: C:\Users\{name}\Downloads\HitmanPro_x64.exe -- [xave-heur] Heur:Ransom.Generic
"
 

TangentLiny

New Member
Thread author
Aug 18, 2024
10
"Crowdsourced YARA rules


Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL at GitHub - InQuest/yara-rules-vt: Collection of YARA rules designed for usage through VirusTotal.com. by InQuest Labs

This signature fires on the presence of Base64 encoded URI prefixes (http:// and https://) across any file. The simple presence of such strings is not inherently an indicator of malicious content, but is worth further investigation. - a moment ago



Matches rule Windows_API_Function from ruleset Windows_API_Function at GitHub - InQuest/yara-rules-vt: Collection of YARA rules designed for usage through VirusTotal.com. by InQuest Labs

This signature detects the presence of a number of Windows API functionality often seen within embedded executables. When this signature alerts on an executable, it is not an indication of malicious behavior. However, if seen firing in other file types, deeper investigation may be warranted. - a moment ago"
 

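To see why the Base64_Encoded_URL rule quoted in the VirusTotal output above fires on ordinary cache blobs, here is an added Python re-implementation of the same idea (written for this thread, not InQuest's rule and not the scanner's code): it looks for `http://` and `https://` at each of the three possible Base64 alignments and runs that check over a constructed cache-style entry whose Base64 payload merely references a URL. The cache entry and its URL are made up for illustration.

```python
import base64
import re

URL_PREFIXES = (b"http://", b"https://")


def base64_alignment_patterns(prefix: bytes) -> list[bytes]:
    """Return the Base64 substrings that encode `prefix` at each of the three
    possible byte alignments (0, 1 or 2 bytes preceding the prefix).

    Only characters whose 6-bit groups lie entirely inside `prefix` are kept,
    so the pattern does not depend on whatever bytes surround the URL."""
    patterns = []
    for pad in range(3):
        encoded = base64.b64encode(b"\x00" * pad + prefix)
        first = -(-pad * 8 // 6)                 # ceil(pad*8 / 6)
        last = (pad + len(prefix)) * 8 // 6      # floor(total_bits / 6)
        patterns.append(encoded[first:last])
    return patterns


def find_encoded_urls(data: bytes) -> list[tuple[int, bytes]]:
    """Scan `data` for a Base64-encoded http:// or https:// at any alignment.
    Returns sorted (offset, matched_pattern) pairs; an empty list means the
    heuristic would not fire on this file."""
    hits = set()
    for prefix in URL_PREFIXES:
        for pat in base64_alignment_patterns(prefix):
            for m in re.finditer(re.escape(pat), data):
                hits.add((m.start(), pat))
    return sorted(hits)


def constructed_cache_entry() -> bytes:
    """Constructed stand-in for a service-worker cache blob: a JSON manifest
    whose payload field is Base64 data that happens to contain an icon URL.
    Nothing here downloads or executes anything, yet the rule matches."""
    payload = b'{"iconUrl":"https://example.invalid/icon.png","v":3}'
    return b'{"id":"constructed-entry","payload":"' + base64.b64encode(payload) + b'"}'


if __name__ == "__main__":
    for offset, pat in find_encoded_urls(constructed_cache_entry()):
        print(f"encoded URL prefix {pat.decode()} at byte offset {offset}")
```

A match only says "a URL survives Base64 encoding somewhere in this file", which is routine for browser and app caches; it is the rule description's own caveat, not a verdict.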
nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,595
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Quote.
"Heur: Downloader.Generic
C:\Users\{name}\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\A6WCER12_57\3XBVSRP6_58\LK3FZULO0T_9" Unquote

The files reported are located in the \AppData\Local\Packages\ folder.

Read about it.
Appdata/Local/Packages- safe to remove?

It is suggested that you download and run the windirstat tool to clean files that are unimportant to you.

If you need additional help please let me know.
 