False positive detection (obfuscated file)


Recommended Posts

I have a .exe file (the file is an auto-clicker) that I am 99% sure is safe, however, it is obfuscated and I would like to decompile it for that extra 1% of confidence knowing that it's definitely nothing malicious. The file is an auto clicker and as mentioned is obfuscated to protect its code and prevent others from stealing it & repurposing it for malicious purposes. 

The file also uses a HWID login, so only registered users can use the auto clicker - I paid an access fee to become registered. The VirusTotal scan doesn't look promising, but again, a VirusTotal result alone doesn't mean a whole lot, and in addition it's analysing an obfuscated file, which is bound to produce false positive detections.

I also want to point out that Malwarebytes doesn't actually detect the file as anything suspicious, and neither does HitmanPro or Kaspersky. In fact, none of my subscription programs detected it as potentially harmful until I ran a scheduled ESET security scan last night, which instantly detected the file. I also want to mention that I run daily scheduled scans on ESET, none of which detected it as anything potentially harmful up until the one last night.

Virustotal scan results: https://www.virustotal.com/gui/file/09430fa20aac3815ba456f4644f41b41073d4994e538797c172c10a19f825b35?nocache=1

Thank you very much for your help everyone!


Hello @Joth

Welcome!

Your comments are a little confusing: (1) "False positive detection (obfuscated file)", (2) "I also want to point out that Kaspersky doesn't actually detect the file as anything suspicious..."; unless you mean in the VT report?

  1. IF there is a Kaspersky detection, post the Kaspersky Report & make sure we can see as much detail as possible please? 
  2. Scan the exe with https://opentip.kaspersky.com/ & use the Submit to reanalyze feature. 
  3. IF you have a Kaspersky subscription/License, contact Kaspersky Support, either via Chat or Email, fill in MalwareFalse positive template, zip the exe, protect it with password INFECTED & make sure you share the password with Support; Support may request logs, traces & other data, they will guide you. 
  4. Please share the outcome with the Community, when it's available?

  • Question: are you running multiple realtime AV suites? 

Thank you

Flood?+?


3 hours ago, Berny said:

@Joth Welcome.

Your topic has been moved to the Virus Section, do you use a Kaspersky product ?

Apologies for posting in the wrong section! 

Yes, I use Kaspersky Premium. Please let me mention again that KASPERSKY does NOT detect it as anything suspicious; however, I also have a subscription with ESET Security, which DOES detect it as potentially harmful. Now, while I believe this is a false positive detection, I can't know for sure because I don't have the resources (or knowledge) to decompile the obfuscated file. 


5 hours ago, Flood and Flood's wife said:

Hello @Joth

Welcome!

Your comments are a little confusing: (1) "False positive detection (obfuscated file)", (2) "I also want to point out that Kaspersky doesn't actually detect the file as anything suspicious..."; unless you mean in the VT report?

  1. IF there is a Kaspersky detection, post the Kaspersky Report & make sure we can see as much detail as possible please? 
  2. Scan the exe with https://opentip.kaspersky.com/ & use the Submit to reanalyze feature. 
  3. IF you have a Kaspersky subscription/License, contact Kaspersky Support, either via Chat or Email, fill in MalwareFalse positive template, zip the exe, protect it with password INFECTED & make sure you share the password with Support; Support may request logs, traces & other data, they will guide you. 
  4. Please share the outcome with the Community, when it's available?

  • Question: are you running multiple realtime AV suites? 

Thank you

Flood?+?

Hi Flood,

Thanks so much for your reply!

As stated in my original post, KASPERSKY does NOT detect it, however, I also have a subscription with ESET Security which DOES detect it as "potentially harmful". While I do believe it's a false positive, I did want to make sure 100% that the file is safe as both A/V programs are contradicting each other right now. 


@Joth No excuses of course, you are welcome.

No detections from Kaspersky means that your system is clean. 
Only Kaspersky Virus Lab can confirm or deny a FP.

Also, running another security suite alongside Kaspersky is creating conflicts and is not recommended.


19 minutes ago, Joth said:

As stated in my original post, KASPERSKY does NOT detect it, however, I also have a subscription with ESET Security which DOES detect it as "potentially harmful". While I do believe it's a false positive, I did want to make sure 100% that the file is safe as both A/V programs are contradicting each other right now. 

Hello @Joth

You're most welcome!

Thank you for posting back & the clarification. 

Perhaps it'd be best to submit the file to the ESET expert team, they must have a similar process to the Kaspersky process, as suggested in our original reply. 

Flood?+?


10 minutes ago, harlan4096 said:

@Joth: Did you send the file to K. analysts via the KOTIP service, to confirm whether it is a false negative/positive?

Yes! Such a handy tool!!

It didn't show as containing anything suspicious, but knowing it's an obfuscated file I'm not 100% sure how accurate this is.


15 minutes ago, harlan4096 said:

@Joth: Did you send the file to K. analysts via the KOTIP service, to confirm whether it is a false negative/positive?

Actually, just going over the report again, I did see this (no idea what it means):

Marked under suspicious activities (severity 660): Sandbox.SuspiciousEvents.Template.sleep_evasion


Have done exactly this, thank you. I assume the lab will be able to work around the file being obfuscated? No idea how it works, but do you have any clue regarding the ETA, the process has been ongoing for over a week and I actually do need the file for something, just found out about the forums today!


13 hours ago, harlan4096 said:

Usually, in my case, they reply within a few hours at most.

Hello Harlan, 

So it's been around 14 hours since I submitted the file for analysis; I haven't heard back, and apparently I have run out of tries to submit it again.


Hi @Joth

The Virus Lab may take hours to days to perform analysis; there is no set time.

  1. Have you followed the instructions we provided 21 hours ago & sent the actual zipped/password-protected file?
  2. Have you received a response with an incident reference #? 

Thank you

Flood?+?


8 minutes ago, Flood and Flood's wife said:

Hi @Joth

The Virus Lab may take hours to days to perform analysis; there is no set time.

  1. Have you followed the instructions we provided 21 hours ago & sent the actual zipped/password-protected file?
  2. Have you received a response with an incident reference #? 

Thank you

Flood?+?

1. Yes!

2. No


9 minutes ago, Flood and Flood's wife said:

Hi @Joth

The Virus Lab may take hours to days to perform analysis; there is no set time.

  1. Have you followed the instructions we provided 21 hours ago & sent the actual zipped/password-protected file?
  2. Have you received a response with an incident reference #? 

Thank you

Flood?+?

Also, the file is not password protected; it's an EXE file and anyone can run it. However, if you don't have a HWID it will just close again and not do anything. You need to have a HWID (by paying for the program) for it to actually start up and run.


@Joth

Did you follow these instructions: 

Contact Kaspersky Support, either via Chat or Email, fill in MalwareFalse positive template, zip the exe, protect it with password INFECTED & make sure you share the password with Support; Support may request logs, traces & other data, they will guide you. 

You zip the file, name the zip archive INFECTED, protect it with a password ( INFECTED ), send it to Kaspersky Support or give it to the Chat agent & tell them the password.

Thank you

Flood?+?
