Status: Closed (richardsjogren closed this issue 3 months ago)
+1
+1
I've had a few user experiencing this. Here are the details of the detection.
DETECT TIME: Dec. 17, 2023 12:48:24
HOSTNAME: computername
HOST TYPE: Workstation
USER NAME: place\user
ACTIONS TAKEN: Process blocked; File quarantined
SEVERITY: Low
OBJECTIVE: Falcon Detection Method
TACTIC & TECHNIQUE: Malware via PUP
TECHNIQUE ID: CST0013
SPECIFIC TO THIS DETECTION: This file is classified as Adware/PUP based on its SHA256 hash.
TRIGGERING INDICATOR: Associated IOC (SHA256 on library/DLL loaded) ad17b9409ac2b46f54c5fbd220d48d091ca7a1b8d91c20f15b00b93c6f6ca69d
GLOBAL PREVALENCE: Common
LOCAL PREVALENCE: Low
IOC MANAGEMENT ACTION: None
Associated File: \Device\HarddiskVolume6\Program Files\ScreenToGif\ScreenToGif.exe
GROUPING TAGS: None
LOCAL PROCESS ID: 26000
COMMAND LINE: "C:\Program Files\ScreenToGif\ScreenToGif.exe"
FILE PATH: \Device\HarddiskVolume6\Program Files\ScreenToGif\ScreenToGif.exe
EXECUTABLE SHA256: ad17b9409ac2b46f54c5fbd220d48d091ca7a1b8d91c20f15b00b93c6f6ca69d
GLOBAL PREVALENCE: Common
LOCAL PREVALENCE: Low
IOC MANAGEMENT ACTION: None
EXECUTABLE MD5: ce227688fe0d35e6b5381666dc1cd7db
RUN PERIOD START TIME: Dec. 17, 2023 12:47:14
END TIME: Dec. 17, 2023 12:47:15
DURATION: Terminated
Just had a trigger with the new version
ACTIONS TAKEN
Process blocked
File quarantined
SEVERITY
Low
OBJECTIVE
Falcon Detection Method
TACTIC & TECHNIQUE
Malware via PUP
TECHNIQUE ID
CST0013
SPECIFIC TO THIS DETECTION
This file is classified as Adware/PUP based on its SHA256 hash.
TRIGGERING INDICATOR
Associated IOC (SHA256 on library/DLL loaded)
fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6
GLOBAL PREVALENCE
Common
LOCAL PREVALENCE
Unique
IOC MANAGEMENT ACTION
None
Associated File
\Device\HarddiskVolume3\Apps\ScreenToGif.exe
VirusTotal has no detections https://www.virustotal.com/gui/file/fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6/detection
HybridAnalysis doesn't have a sample: https://www.hybrid-analysis.com/sample/fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6
We created a group in Falcon for those who can run ScreenToGif and tagged the computers to allow an exception to *\ScreenToGif.exe
I sent a message to the company, let's see if they give me a reply.
Same thing here. Antivirus McAfee.
We have the same issue and have asked our CrowdStrike TAM to assist. Hoping that you receive some assistance back from the vendor. In case it's helpful we've raised support case # 01326126 on our end for misidentification as a PUP.
Tip: When you install through the Microsoft Store it actually works just fine... No idea what that says about CrowdStrike, but at least it is a workaround for those who want to use ScreenToGif.
Well, just as long as your company does not block the MS Store, too.
@NickeManarin - I hope we are able to resolve this. I am impacted too.
I would love for this issue to be resolved. The detection was heuristic. I am curious if this FP submission works with the AI engines or just a hash check. Do we know what was added to the code in mid December that triggered the alerts?
Also, I did a test with the current version against my CS client and did not get blocked. I will remove the IOC exception and see if my users are impacted.
I got these details from some other company; they got these results:
YARA signature "Bolonyokte" matched file "sample.bin" as "UnknownDotNet RAT - Bolonyokte" (Author: Jean-Philippe Teissier / @Jipe_)
YARA signature "MALWARE_Win_AgentTeslaV3" matched file "sample.bin" as "AgentTeslaV3 infostealer payload" (Author: ditekSHen)
and
"ScreenToGif.exe" wrote 00000FB8 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 1728)
YARA Bolonyokte is a really generic rule-set; for example, it matches apps with "CaptureScreen" and "CaptureCursor", which of course this app would have.
mid December that triggered the alerts?
I can check, but the code base was mostly unchanged during the last 2 quarters of 2023.
This should no longer be a problem, as the company removed the false-positive.
@NickeManarin Nope, it's still flagging for me here as of May 5.
Hash
aaa562c84f22ea0fc63d3fef74ee4c4fbb26d873c3b609555e2870008c01c98c
Crowdstrike antivirus flags ScreenToGif as a virus (Sorry, not sure if it's ok to report this as a "bug")
Steps to reproduce the behavior:
https://www.virustotal.com/gui/file/95542221c818831363148465643614273f819c08065a0870dade8ddba6edb1ad