doranchak / azdecrypt

azdecrypt is a fast and powerful hillclimbing classical cipher solver written in freebasic

AZDecrypt (mistakenly?) triggers VirusTotal and Hybrid Analysis #5

Closed 90s80s closed 5 months ago

90s80s commented 6 months ago

Hello,

I was scanning this application before I downloaded it, as I do with every application, and saw some things on VirusTotal and Hybrid Analysis that might need addressing. They both flag the most recent (1.24) version as malware. I wasn't able to find the source code, so could you please address the flags brought up (or let us know what is causing them)?

Thank you! I'm very excited to start learning the software; I was brought here by the Zodiac cipher YouTube video :) Your software has a good reputation so I'm sure these are nothing, but for people new to it, seeing a flag can be intimidating.

VirusTotal flags it as malware and flags it for connecting to two suspicious IPs: https://www.virustotal.com/gui/file/bb92f6d18a24452d72baf0005e0c913eef97b11376d8c1f90939a13e8b7d0161/behavior

Hybrid Analysis shows that the software is making an HTTPS connection using insecure TLS/SSL: https://www.hybrid-analysis.com/sample/bb92f6d18a24452d72baf0005e0c913eef97b11376d8c1f90939a13e8b7d0161/65ee48d75898e9bf0a063cb1

louiehelm commented 5 months ago

Thanks for the report, but those tools are wrong -- as they usually are when they report 1 out of 73 sub-units finding something "suspicious". Real malware would trigger some of those tools' more functional heuristics too, and not just their weakest, most trigger-happy heuristics that essentially just mark everything they don't recognize as malware.

The only reason v1.23 doesn't fail as well is because I improved v1.24 to not require external .dll files. Since v1.23 was submitted to these tools without the necessary .dll, it errored out and shut down before those scanners could run their "deep checks" which are just random heuristics that equate any keyboard input as "keylogging", any file loading as "unsafe payloads", and any screen output as "rootkits".

It's basically freaking out that AZdecrypt is attempting to load an external file (the default n-grams) into memory immediately after it boots up.

At the end of the day, the weakest algorithms within these tools are just popularity checkers. Go look online. "AmongUs.exe" used to fail too... until it got popular enough that they manually changed their sites to whitelist it (without actually fixing the code that generates those false reports).

I can generate similar errors by randomly modifying 1 byte of "Notepad.exe". Meaning these tools are just lazily calculating hashes of .exe files they know of and marking everything else suspicious.

Also, for the record, the IP addresses you mention are not contacted by my software. Those IPs belong to Microsoft and Akamai... and are being contacted by the test harness itself because it is running Windows with standard telemetry. Your computer is also contacting those same IPs dozens of times a day if you use Windows 10 or Windows 11.

Hope this helps. Good luck using AZdecrypt. I'm glad you like Dave's YouTube videos!
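The checks a user can run locally before trusting a download and the verdicts about it, as an added example (not code from AZdecrypt, its author, or either participant in this thread). It pins the SHA-256 from the report URLs above so you can confirm your copy is the same file the sandboxes analysed, shows how a single-bit edit (the "modify 1 byte" experiment mentioned above) produces an unrelated digest that no hash or reputation lookup will recognise, and summarises a constructed 73-engine verdict set the way a "1 out of 73" ratio is read. The engine names, the verdict strings, the sample file bytes and the regex used to spot generic heuristic verdicts are all assumptions made up for this example, not data from VirusTotal or Hybrid Analysis.

```python
# Added example: local checks for a downloaded binary and its scanner verdicts.
# Not part of AZdecrypt or this issue thread; assumptions are marked in comments.
import hashlib
import re
from typing import Dict, Optional

# SHA-256 of the AZdecrypt 1.24 sample, copied from the report URLs in the issue.
REPORTED_SHA256 = "bb92f6d18a24452d72baf0005e0c913eef97b11376d8c1f90939a13e8b7d0161"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def matches_reported_sample(data: bytes, expected: str = REPORTED_SHA256) -> bool:
    """True only if the bytes you downloaded are the exact file the sandboxes analysed.
    When this is False, the linked reports say nothing about your copy."""
    return sha256_hex(data) == expected.lower()


def flip_one_byte(data: bytes, offset: int) -> bytes:
    """Return a copy of `data` with the lowest bit of the byte at `offset` flipped,
    i.e. the smallest possible edit to a file."""
    if not 0 <= offset < len(data):
        raise IndexError("offset outside file")
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def digest_bit_distance(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two hex digests of equal length.
    Two unrelated SHA-256 digests differ in roughly half of their 256 bits."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests differ in length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Assumption: verdict names that usually denote a heuristic or ML classification
# rather than a signature for a known family. Rough pattern for this example only.
GENERIC_VERDICT = re.compile(
    r"\b(heur\w*|generic|gen|ml|ai|suspicious|unsafe|score)\b", re.IGNORECASE
)


def triage_verdicts(verdicts: Dict[str, Optional[str]], max_ratio: float = 0.05) -> dict:
    """Summarise a mapping engine -> verdict string (None means clean).
    The result is marked a likely false positive when only a small fraction of
    engines fire and every one of them uses a generic/heuristic verdict name.
    A set with no detections at all is simply clean, not a false positive."""
    flagged = {engine: v for engine, v in verdicts.items() if v}
    total = len(verdicts)
    ratio = len(flagged) / total if total else 0.0
    all_generic = all(GENERIC_VERDICT.search(v) for v in flagged.values())
    return {
        "total": total,
        "flagged": sorted(flagged),
        "ratio": ratio,
        "likely_false_positive": bool(flagged) and ratio <= max_ratio and all_generic,
    }


# Constructed sample verdicts: 73 placeholder engines, one generic heuristic hit,
# mirroring the "1 out of 73" ratio mentioned in the thread.
SAMPLE_VERDICTS: Dict[str, Optional[str]] = {f"engine{i:02d}": None for i in range(1, 74)}
SAMPLE_VERDICTS["engine42"] = "Trojan.Heur.Generic"

# Constructed stand-in for a downloaded file (not the real AZdecrypt binary).
SAMPLE_FILE = b"MZ" + bytes(range(256)) * 4

if __name__ == "__main__":
    print("matches reported sample:", matches_reported_sample(SAMPLE_FILE))
    before = sha256_hex(SAMPLE_FILE)
    after = sha256_hex(flip_one_byte(SAMPLE_FILE, 100))
    print(f"one-bit edit changed {digest_bit_distance(before, after)} of 256 digest bits")
    print(triage_verdicts(SAMPLE_VERDICTS))
```

To use it on a real download, read the file's bytes and pass them to `matches_reported_sample`; a mismatch means you have a different build (or a tampered copy) and the linked reports do not apply to it. The bit-distance function makes the thread's point concrete: a one-bit edit to an otherwise identical file moves about half the digest bits, so any engine whose verdict rests on a hash or reputation lookup is looking at an unknown file, not at a variant of a known one.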