Posted (edited)

Please, I need help. I was trying to update a cracked game, but the update program looked suspicious.

I ran it through https://www.virustotal.com/gui/home/upload and it didn't find anything. So I thought it was just a poorly done updater.

Instead, it was like one of those annoying installers that make you install more programs before the installation proper starts. And afterwards, it downloaded and installed something. I'm currently running an ESET scan but I have no clue.

The virus or whatever it is, can be found here. Don't run it if you don't know what you are doing, like me!

"https://mega.nz/file/Np4XRTAA#Ns4MFEaQ-mpGx0QcYxTARuba8x7JiKeGo-PQuSCWedA"

Edited by Berny
Link disabled !
Posted

Done, I submitted it for re-analysis with a description of its behaviour.

At first sight, there is no detection. But it does something.

Posted (edited)

The software (author is "10sIT Oy") looks like an installer:

Pic1.jpg

 

Including several of these trick choices:

Pic2.jpg

 

It either installs, or downloads something:

Pic3.jpg

 

Pic4.jpg

I'm not sure whether this file is the only one that gets downloaded, but I have uploaded it in another folder of the same Mega account: 
"https://mega.nz/folder/4pp0RaTa#bnP3L6aucOoF-Whapllr6g"

But there's more: this Setup.exe file isn't detected as a virus either, but when I went to upload it (that is to say, I was on Kaspersky's Analyze page and clicked on Browse) my Brave browser strangely opened this folder:

C:\Users\User\AppData\Local\Microsoft\Windows\INetCache\IE\V09IP0KU

Which contained what seem to be installers for an old beta of 7zip. I checked my 7zip installation in Program Files, and it had indeed been created a few minutes ago. I have also uploaded more files that were around that location in AppData, and might be part of this.

Edited by Berny
Link disabled !
Posted

That annoying part of the installer may be PUP, but there is no trace of the game anywhere. This was supposed to contain an update to a game: it doesn't, there is none of it. You don't get asked for its location, the game's folder doesn't get modified, nor are other directories created. What it does is something suspicious with those 7zip exe files that keep popping up in my temporary folder.

  • 3 weeks later...
Wesly.Zhang
Posted

Hello, @Dumbo2022

If you want to know the installation trace information, I recommend a system tool named "Process Monitor". It can trace all process behavior. I think this will answer your question.

Regards.

Posted
19 hours ago, Wesly.Zhang said:

Hello, @Dumbo2022

If you want to know the installation trace information, I recommend a system tool named "Process Monitor". It can trace all process behavior. I think this will answer your question.

Regards.

I use Autoruns, which has the VirusTotal column (Query items to VirusTotal).

 

  • 1 month later...
Posted

Hi, were you able to solve or understand more of the problem? The exact same thing happened to me, but, looking through installed software or active processes and performing several scans, I could not find anything. I tried to install it on purpose on an empty virtual machine, but, even there, I couldn't find anything. I only find an exe file in the Downloads folder, which is actually a link to the following address: https://www.7-zip.org/a/7z1900-x64.exe. I don't know what else to do.

Posted
On 8/31/2022 at 8:54 PM, France99 said:

Hi, were you able to solve or understand more of the problem? The exact same thing happened to me, but, looking through installed software or active processes and performing several scans, I could not find anything. I tried to install it on purpose on an empty virtual machine, but, even there, I couldn't find anything. I only find an exe file in the Downloads folder, which is actually a link to the following address: https://www.7-zip.org/a/7z1900-x64.exe. I don't know what else to do.

Hello, @France99

What's the problem in detail?

Quote

I tried to install it on purpose on an empty virtual machine, but, even there,

What is it?

Regards.
