Closed IcemanND closed 3 years ago
It's a false positive. It seems to be related to the functions used to invoke the hash algorithm from memory, Get-DelegateType and Get-ProcAddress.
I think the only way to remove the false positive is to convert the hash algorithm to raw PowerShell code.
When downloading the ZIP, or manually creating SFTA.PS1 from the site, Windows Defender scans it and detects it as a trojan, specifically Wacatac.B!ml: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aWin32%2fWacatac.B!ml&threatid=2147735505
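The comment above attributes the detection to the two reflective helpers, Get-DelegateType and Get-ProcAddress, without showing how that was established. The script below is an added example for checking that kind of claim; it is not part of SFTA or of this issue thread. It parses the script with the PowerShell AST, writes one copy per top-level function with that function spliced out, scans each copy with MpCmdRun.exe, and reports which removals make the detection disappear. It assumes a Windows 10/11 host with the built-in Defender module and MpCmdRun.exe at its default location; `$ScriptPath` is assumed to point at the downloaded SFTA.PS1, and `$WorkDir` is a scratch folder the example creates.

```powershell
# Added example, not part of the SFTA project or of this issue thread.
# Find which top-level function in a PowerShell script trips a Defender
# detection: remove one function at a time and rescan the result.
# Assumes Defender's default install paths; $ScriptPath is the downloaded
# SFTA.PS1 and $WorkDir is a scratch directory created here.
param(
    [Parameter(Mandatory)][string]$ScriptPath,
    [string]$WorkDir = (Join-Path $env:TEMP 'fp-triage')
)

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Test-DefenderFlags {
    param([string]$Path)
    # -ScanType 3 is a custom scan of a single file or folder. MpCmdRun
    # exits 0 when nothing is found and 2 when a threat is detected.
    # -DisableRemediation keeps it from quarantining the scratch copies.
    & $MpCmdRun -Scan -ScanType 3 -File $Path -DisableRemediation | Out-Null
    return ($LASTEXITCODE -eq 2)
}

function Get-TopLevelFunctions {
    param([string]$Source)
    $tokens = $null; $errors = $null
    # ParseInput on the string we splice later keeps Extent offsets exact.
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $Source, [ref]$tokens, [ref]$errors)
    if ($errors.Count) { throw "Parse error: $($errors[0].Message)" }
    # searchNestedScriptBlocks = $false: only functions defined directly
    # in the script body, not helpers nested inside other functions.
    $ast.FindAll({ param($n)
        $n -is [System.Management.Automation.Language.FunctionDefinitionAst] }, $false)
}

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$source = Get-Content -Raw -LiteralPath $ScriptPath

if (-not (Test-DefenderFlags $ScriptPath)) {
    "No detection on $ScriptPath with the current signatures; nothing to bisect."
    return
}

$results = foreach ($fn in Get-TopLevelFunctions $source) {
    # Splice the whole function definition out and leave a marker comment.
    $variant = $source.Substring(0, $fn.Extent.StartOffset) +
               "# [removed $($fn.Name)]" +
               $source.Substring($fn.Extent.EndOffset)
    $variantPath = Join-Path $WorkDir ("without-{0}.ps1" -f $fn.Name)
    Set-Content -LiteralPath $variantPath -Value $variant -Encoding UTF8
    [pscustomobject]@{
        RemovedFunction = $fn.Name
        StillFlagged    = Test-DefenderFlags $variantPath
    }
}

# Functions whose removal clears the detection sort to the top.
$results | Sort-Object StillFlagged | Format-Table -AutoSize

# Cross-check against Defender's own detection history for the original
# file. ThreatID 2147735505 is Trojan:Win32/Wacatac.B!ml (from the link
# in the report above).
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($ScriptPath) } |
    Select-Object InitialDetectionTime, ThreatID,
        @{ n = 'Threat'; e = { (Get-MpThreat -ThreatID $_.ThreatID).ThreatName } }
```

Run it from an elevated PowerShell session so real-time protection does not delete the scratch copies before MpCmdRun gets to them, and remember that a `!ml` verdict comes from Defender's machine-learning classifier with cloud lookups, so the same file can flip between clean and flagged across signature updates; the per-function table is evidence for the hypothesis in the comment above, not proof that those two functions are the only trigger.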