Author Topic: False Positive Question  (Read 1402 times)


Offline Mrmike110

  • Newbie
  • *
  • Posts: 1
False Positive Question
« on: November 19, 2022, 07:20:45 AM »
I am currently working with a developer whom I have never met. I have hired him through online channels to code a program for me. Can you look at my VT and tell me if this is a false positive because we are working with an executable file?

https://www.virustotal.com/gui/file/8ec6f045a8977b9eb5db2582b0ea746f2d9d7f20baa7029c7f58a0d22d3b0413/detection

The program creates a database in my appdata folder. So I don't know if AVAST is thinking that it is attacking my computer.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: False Positive Question
« Reply #1 on: November 19, 2022, 02:18:54 PM »
If you have met with an FP, it could be one vendor flagging it, but certainly not fourteen.
Now 17 detect it as malcode, an adware trojan.

Is someone trying to check whether it could go under the detection radar?

Moreover, that file is not signed. Is this executable the real McCoy?
Were you duped through fraud to check it or is this a deliberate action?

Consider also: 2 matches for rule "Creation of an Executable by an Executable" by frack113 from Sigma Integrated Rule Set (GitHub): detects the creation of an executable by another executable.


polonus
« Last Edit: November 19, 2022, 02:28:30 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
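
The Sigma rule named in the reply above detects the creation of an executable by another executable. A simplified sketch of that idea, as an added example that is not part of the original posts and not the rule's own source: field names follow Sysmon file-creation events (Event ID 11), and the sample events, paths and allow-list are constructed assumptions.

```python
# Added example: simplified "executable created by an executable" check.
# It is not the Sigma rule's source; the real rule carries its own filters.
from ntpath import basename  # Windows path handling on any platform

# Hypothetical tuning list: creators expected to write executables.
ALLOWED_CREATORS = {r"c:\windows\system32\msiexec.exe"}

# Constructed sample events (not taken from the VirusTotal report).
EVENTS = [
    # A program writing its database under AppData: target is not an .exe.
    {"Image": r"C:\Users\user\Downloads\program.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\program\data.db"},
    # The same program dropping a second executable: this is the match.
    {"Image": r"C:\Users\user\Downloads\program.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\helper.EXE"},
    # An installer writing an executable: suppressed by the allow-list.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Vendor\app.exe"},
    # Creator reported as "System", not an .exe path: no match.
    {"Image": "System",
     "TargetFilename": r"C:\Windows\Temp\driver_helper.exe"},
]


def is_exe(path):
    """Case-insensitive check for an .exe extension."""
    return path.lower().endswith(".exe")


def exe_created_by_exe(events, allowed_creators=ALLOWED_CREATORS):
    """Return (creator name, created path) for each .exe written by an .exe."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        target = ev.get("TargetFilename", "")
        if not (is_exe(image) and is_exe(target)):
            continue
        if image.lower() in allowed_creators:
            continue
        hits.append((basename(image), target))
    return hits


if __name__ == "__main__":
    for creator, created in exe_created_by_exe(EVENTS):
        print(f"{creator} created executable {created}")
```

In this constructed data, the database write under AppData does not match; only the write of a second executable does.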
