x64dbg / PluginDevHelper

Simple utility that allows you to automatically unload/reload an x64dbg plugin while developing with Visual Studio.
MIT License

Virus total flags this as a trojan #3

Open idan-h opened 2 months ago

idan-h commented 2 months ago

Hey, I did 2 different checks as my antivirus (Windows) started screaming.

https://www.virustotal.com/gui/file/610ab4b0a7c8529254ffc894256a0f77621c975c6014a5d799d4e8c1e330ea9b
https://www.virustotal.com/gui/file/3ada80cacda5e82adfe3bea72fcabf62e267700d846a7351913b18ac27c527d3

There are some unexplained external IP calls. I have looked at the code, and didn't see any. How is that possible? What is going on there?

mrexodia commented 2 months ago

Most likely your computer is infected with malware?

idan-h commented 2 months ago

> Most likely your computer is infected with malware?

The first check was not compiled by me, so I am not sure why malware would purposefully stick to a random exe on my PC. But maybe you can try as well, so we could see a comparison.

mrexodia commented 2 months ago

I uploaded the one I compiled in 2020 (and signed today): https://www.virustotal.com/gui/file/b82efad6ad8769cde966b01c4356b29a54651b02f5c8e79e551a32877e964c1e

idan-h commented 2 months ago

> I uploaded the one I compiled in 2020 (and signed today): https://www.virustotal.com/gui/file/b82efad6ad8769cde966b01c4356b29a54651b02f5c8e79e551a32877e964c1e

It still thinks it is infected and still shows calls, but more focused on verifying the certificate.

I think it would be better to check it unsigned to reduce the noise.

They might be calls related to .NET? But for some reason they are from multiple servers with different cloud providers, like Google and some others, which does not make sense, as I would expect only Microsoft.

mrexodia commented 2 months ago

Here is the unsigned one: https://www.virustotal.com/gui/file-analysis/OTI5Yjk5ODgxMGVlMDBlNmQwODQ2NmE4YzViN2E1Zjk6MTcyMzE5NDQ3MQ==

Unless there has been malware in one of the NuGet packages for 4+ years, I think these are just false positives. A quick look in dnSpy also reveals nothing. The executable just exits because no arguments are provided.

I think that these behavioral artifacts are a side effect of the sandbox, because when I add the following filter to Wireshark and run PluginDevBuildTool.exe it doesn't show any connections: `ip.addr == 204.79.197.203 or ip.addr == 172.217.214.94 or ip.addr == 192.168.0.47 or ip.addr == 20.99.133.109 or ip.addr == 23.216.81.152`. Additionally, when using Process Monitor it shows no network connections at all from PluginDevBuildTool.exe.
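
The check described in the comment above (does the exe itself open any connections, or do the sandbox-reported addresses come from something else on the host?) can be repeated offline against a Process Monitor CSV export. The script below is an added example written for this page, not code from the PluginDevHelper project or from either commenter. The sample CSV is constructed, and the column layout and the `local:port -> remote:port` Path format are assumed from ProcMon's CSV export with "Resolve network addresses" turned off; the IP list is the one from the Wireshark filter in the comment.

```python
import csv
import io
from collections import Counter

# IP addresses the VirusTotal sandbox reported for the sample (the ones in the
# Wireshark filter from the thread).
VT_REPORTED_IPS = {
    "204.79.197.203", "172.217.214.94", "192.168.0.47",
    "20.99.133.109", "23.216.81.152",
}

# Process Monitor operation names that make up its network-activity class.
NETWORK_OPS = {
    "TCP Connect", "TCP Reconnect", "TCP Accept", "TCP Send", "TCP Receive",
    "TCP Retransmit", "TCP Disconnect", "UDP Send", "UDP Receive",
}

# Constructed sample of a ProcMon CSV export (File > Save..., CSV format) with
# "Resolve network addresses" off so Path holds raw IPs. Made-up data for this
# example, not a capture from the thread. Assumed column layout:
# "Time of Day","Process Name","PID","Operation","Path","Result","Detail"
SAMPLE_PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","PluginDevBuildTool.exe","4120","Process Start","","SUCCESS","Parent PID: 3980"
"10:01:02.1100000","PluginDevBuildTool.exe","4120","Load Image","C:\\Windows\\System32\\ntdll.dll","SUCCESS","Image Base: 0x7ff8a2e10000"
"10:01:02.1200000","PluginDevBuildTool.exe","4120","CreateFile","C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll","SUCCESS","Desired Access: Read"
"10:01:02.3000000","PluginDevBuildTool.exe","4120","Process Exit","","SUCCESS","Exit Status: 1"
"10:01:02.4000000","msedge.exe","2210","TCP Connect","192.168.0.47:52100 -> 172.217.214.94:443","SUCCESS","Length: 0"
"10:01:02.4100000","msedge.exe","2210","TCP Send","192.168.0.47:52100 -> 172.217.214.94:443","SUCCESS","Length: 517"
"10:01:03.0000000","svchost.exe","1340","UDP Send","192.168.0.47:54321 -> 192.168.0.1:53","SUCCESS","Length: 60"
'''


def parse_procmon_csv(text):
    """Parse a ProcMon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def remote_endpoint(path):
    """Split a ProcMon network Path ('local:port -> remote:port') into (ip, port).
    Returns (None, None) for paths that do not have that shape."""
    if " -> " not in path:
        return None, None
    remote = path.split(" -> ", 1)[1].strip()
    host, sep, port = remote.rpartition(":")
    if not sep:
        return remote, None
    return host, (int(port) if port.isdigit() else None)


def network_events(rows, process_name):
    """Network operations logged for one process, as (operation, remote_ip, remote_port)."""
    events = []
    for row in rows:
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] not in NETWORK_OPS:
            continue
        ip, port = remote_endpoint(row["Path"])
        events.append((row["Operation"], ip, port))
    return events


def audit_process(rows, process_name, suspect_ips=VT_REPORTED_IPS):
    """Summarise whether process_name touched the network at all, and whether any
    remote address it used matches the sandbox-reported list."""
    events = network_events(rows, process_name)
    contacted = {ip for _, ip, _ in events if ip}
    return {
        "process": process_name,
        "network_events": len(events),
        "remote_ips": sorted(contacted),
        "matches_sandbox_report": sorted(contacted & suspect_ips),
    }


def processes_with_network_activity(rows):
    """Count network operations per process, to see who on the host was actually
    talking while the tool ran."""
    counts = Counter()
    for row in rows:
        if row["Operation"] in NETWORK_OPS:
            counts[row["Process Name"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # For a real capture: rows = parse_procmon_csv(open(r"C:\path\Logfile.CSV", encoding="utf-8-sig").read())
    rows = parse_procmon_csv(SAMPLE_PROCMON_CSV)
    print(audit_process(rows, "PluginDevBuildTool.exe"))
    print(audit_process(rows, "msedge.exe"))
    print(processes_with_network_activity(rows))
```

Run the tool while ProcMon is capturing, export with File > Save as CSV, and feed the file contents to `parse_procmon_csv`. A result with `network_events: 0` for PluginDevBuildTool.exe means ProcMon saw no connections from the exe, while the per-process counter shows which other processes on the host were reaching the listed addresses at the same time (in the constructed sample it is the browser, not the tool). The script only sees what ProcMon logged, so capture elevated and without filters that drop network events.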

idan-h commented 1 month ago

Tbh I didn't have the time to look at it more deeply, but they aren't. My guess is that they are related to the .NET framework, and that the exe triggers them, but they still seem quite weird.

The best check would be to compile without ILMerge, and see if that's what's causing the positives.