Avast WEBforum

Other => Viruses and worms => Topic started by: Mrmike110 on November 19, 2022, 07:20:45 AM

Title: False Positive Question
Post by: Mrmike110 on November 19, 2022, 07:20:45 AM
I am currently working with a developer whom I have never met. I have hired him through online channels to code a program for me. Can you look at my VT and tell me if this is a false positive because we are working with an executable file?

https://www.virustotal.com/gui/file/8ec6f045a8977b9eb5db2582b0ea746f2d9d7f20baa7029c7f58a0d22d3b0413/detection

The program creates a database in my appdata folder. So I don't know if AVAST is thinking that it is attacking my computer.

Title: Re: False Positive Question
Post by: polonus on November 19, 2022, 02:18:54 PM
If you have met with an FP, it could be one vendor to flag it, but certainly not fourteen.
Now 17 detect it, as malcode, an adware trojan.

Is someone trying to check whether it could go under the detection radar?

Moreover, that file is not signed. Is this executable the real McCoy?
Were you duped through fraud to check it or is this a deliberate action?

Consider also: 2 matches for rule "Creation of an Executable by an Executable" by frack113 from Sigma Integrated Rule Set (GitHub): Detects the creation of an executable by another executable.


polonus
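The Sigma rule cited above fires when a process whose image is an executable writes a new file that itself carries an executable extension. The following is an added illustration, not code from this thread or from the Sigma project: a simplified version of that logic run over constructed Sysmon-style FileCreate (Event ID 11) records. The field names, the extension list and the allowlist of installer images are assumptions made for the example; the real rule set carries its own tuned lists. One of the constructed events is a `.db` file written under AppData, which shows that a program creating a database there is not what drives this particular rule.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class FileCreateEvent:
    """Constructed Sysmon-style FileCreate record (field names are an assumption)."""
    image: str            # full path of the process that created the file
    target_filename: str  # path of the file that was created


# Assumption: a short list of extensions treated as executable for this example.
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".com")

# Hypothetical allowlist of installers/build tools expected to write binaries;
# shown only to illustrate how such a rule is tuned against false positives.
ALLOWLISTED_IMAGES = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\program files\dotnet\dotnet.exe",
}


def is_executable_path(path: str) -> bool:
    """True when the path ends in one of the executable extensions (case-insensitive)."""
    return path.lower().endswith(EXECUTABLE_EXTENSIONS)


def matches_rule(event: FileCreateEvent) -> bool:
    """Simplified rule logic: an executable process writes an executable file,
    and the writing process is not an allowlisted installer."""
    if not is_executable_path(event.image):
        return False
    if not is_executable_path(event.target_filename):
        return False
    return event.image.lower() not in ALLOWLISTED_IMAGES


def find_matches(events: List[FileCreateEvent]) -> List[FileCreateEvent]:
    """Return the events that would be flagged by the simplified rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (paths invented for the example).
SAMPLE_EVENTS = [
    # An unsigned downloaded tool drops a second executable under AppData: match.
    FileCreateEvent(r"C:\Users\mike\Downloads\setup_tool.exe",
                    r"C:\Users\mike\AppData\Roaming\Tool\helper.exe"),
    # The same tool creates its database under AppData: not a match for this rule.
    FileCreateEvent(r"C:\Users\mike\Downloads\setup_tool.exe",
                    r"C:\Users\mike\AppData\Roaming\Tool\data.db"),
    # The Windows installer writing an application binary: allowlisted, not a match.
    FileCreateEvent(r"C:\Windows\System32\msiexec.exe",
                    r"C:\Program Files\Vendor\app.exe"),
    # Notepad saving a text file: target is not executable, not a match.
    FileCreateEvent(r"C:\Windows\System32\notepad.exe",
                    r"C:\Users\mike\notes.txt"),
]


if __name__ == "__main__":
    for e in find_matches(SAMPLE_EVENTS):
        print(f"MATCH: {e.image} -> {e.target_filename}")
```

Run as a script it prints the single matching event. In a real deployment the same logic would be expressed in the Sigma rule itself and fed by a SIEM; the allowlist is where most of the tuning effort goes, since legitimate installers and compilers write executables all day.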

Title: Re: False Positive Question
Post by: polonus on November 21, 2022, 12:39:36 PM
Latest update for this.

Now being detected by 18 vendors: https://www.virustotal.com/gui/file/8ec6f045a8977b9eb5db2582b0ea746f2d9d7f20baa7029c7f58a0d22d3b0413/detection

Read: https://en.wikipedia.org/wiki/Ramsay_Malware

https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/

(source credits go to Pondus for pointing this out)

polonus