alexsammers1
commented
3 months ago Based on the IP Check, it's a Github IP - https://2ip.io/whois/?ip=185.199.108.153 - so I think it's ok. Not sure why it would be flagged as malicious, though.
Closed fu3fi closed 3 months ago
alexsammers1
commented
3 months ago Based on the IP Check, it's a Github IP - https://2ip.io/whois/?ip=185.199.108.153 - so I think it's ok. Not sure why it would be flagged as malicious, though.
fu3fi
commented
3 months ago Ok, but I have seen more than once when malicious payloads, for example shellcode, are posted on Github. Could you tell me why he needs to contact Github?
alexsammers1
commented
3 months ago Hmm, that's interesting - I think we'd need to wait for @InvisibleManVPN to chime in here.
InvisibleManVPN
commented
3 months ago Hi @fu3fi and @alexsammers1! After launching the Invisible Man XRay client, two requests are invoked to the InvisibleMan-XRayClient GitHub repository to check for the update and get the broadcast message:
Check for updates: https://github.com/InvisibleManVPN/InvisibleMan-XRayClient/blob/a3ff0c8af7243d7245b709be96773cda3abf6514/InvisibleMan-XRay/Handlers/UpdateHandler.cs#L64-L67
Fetching the broadcast message: https://github.com/InvisibleManVPN/InvisibleMan-XRayClient/blob/a3ff0c8af7243d7245b709be96773cda3abf6514/InvisibleMan-XRay/Handlers/BroadcastHandler.cs#L24-L26
That's strange why these are flagged as a malicious request. I need to investigate it. So, if you have any suggestions please let me know.
fu3fi
commented
3 months ago Thank you for the clarification!
When the application is launched, a call is made to 185.199.108.153. Virustotal reports that it is malicious (https://www.virustotal.com/gui/ip-address/185.199.108.153/detection). What it is?
You can also notice that there are others, also malicious, for example 185.199.109.153