nesbox / TIC-80

TIC-80 is a fantasy computer for making, playing and sharing tiny games.
https://tic80.com
MIT License

Malware ip address contacted #2025

Closed Reycko closed 2 years ago

Reycko commented 2 years ago

Read title. Proof: https://www.virustotal.com/gui/file/8ff06a5c7b4f8977059165556e56b80e93663d5b766e27b65c124d84ef886664/relations

IP VirusTotal link: https://www.virustotal.com/gui/ip-address/13.107.4.52

Reycko commented 2 years ago

Note: if you don't believe it's a virus IP, look at the number of viruses linking to it: https://www.virustotal.com/gui/ip-address/13.107.4.52/relations

nesbox commented 2 years ago

Sorry, I don't understand, whose address is 13.107.4.52?

nesbox commented 2 years ago

And how does TIC-80 relate to the address?

Reycko commented 2 years ago

> And how does TIC-80 relate to the address?

So, by going to the TIC-80 EXE's VirusTotal relations tab, we can see the IP addresses the app contacts. Here, we can see the following IPs: 13.107.4.52, 20.99.132.105, 20.99.184.37, 23.40.197.184. The only one that matters is the 13.107.4.52 one, which is the malicious one.

nesbox commented 2 years ago

Hmm, weird, tic80.exe only goes to tic80.com to get carts, nothing else. Where did these IP addresses come from, I do not understand, sorry :(

Anrock commented 2 years ago

The IP is owned by Microsoft. The linked domain is v4ncsi.msedge.net. NCSI (Network Connectivity Status Indicator) is an internet connection awareness protocol used in Microsoft's Windows operating systems.

So yeah, viruses are using this service to determine if the PC has access to the internet, along with lots of non-malware software.

This is a false positive.

nesbox commented 2 years ago

Thank you @Anrock for the explanation, looks like a false positive. Closing…
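The triage reasoning from Anrock's explanation, written out as an added example that is not part of the thread or of TIC-80's code: a contacted IP is judged by what it is and by the share of flagged files among everything that talks to it, not by the raw number of malware samples linking to it. The field names, thresholds and all counts are assumptions of this example; only `13.107.4.52` and `v4ncsi.msedge.net` come from the thread.

```python
from dataclasses import dataclass
from typing import Optional

# Hostnames of OS connectivity probes. Only v4ncsi.msedge.net comes from the
# thread; anything else you add is your own baseline (assumption).
OS_PROBE_HOSTS = {"v4ncsi.msedge.net"}

@dataclass
class ContactedIP:
    ip: str
    linked_domain: Optional[str]  # domain tied to the IP in the report
    flagged_files: int            # communicating files with detections
    total_files: int              # all communicating files seen
    ip_engine_hits: int           # engines flagging the IP itself

def triage(c: ContactedIP, min_ratio: float = 0.5, min_files: int = 20):
    """Return (verdict, reason) for one contacted IP."""
    host = (c.linked_domain or "").lower().rstrip(".")
    if host in OS_PROBE_HOSTS:
        # Shared service: malware and ordinary software both reach it.
        return ("benign-shared", f"{host} is an OS connectivity probe")
    if c.ip_engine_hits > 0:
        return ("investigate", f"{c.ip_engine_hits} engines flag the IP itself")
    # A count of flagged files means little without the denominator.
    ratio = c.flagged_files / c.total_files if c.total_files else 0.0
    if c.total_files >= min_files and ratio >= min_ratio:
        return ("investigate", f"{ratio:.0%} of communicating files are flagged")
    return ("low-signal",
            f"{c.flagged_files} flagged files is only {ratio:.0%} of {c.total_files}")

# Constructed sample data: the counts are invented for illustration, and the
# 203.0.113.x / 198.51.100.x addresses are documentation ranges (RFC 5737).
SAMPLE = [
    ContactedIP("13.107.4.52", "v4ncsi.msedge.net", 4000, 90000, 0),
    ContactedIP("203.0.113.7", None, 45, 50, 0),
    ContactedIP("198.51.100.9", "cdn.example.net", 30, 6000, 0),
]

def triage_all(items):
    """Map each IP to its verdict."""
    return {c.ip: triage(c)[0] for c in items}

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.ip, *triage(c), sep=" | ")
```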