Virustotal reports infected

Post questions and comments about installing the program, getting it to run on your computer, and unexpected error messages.
Post Reply
sdbpost
Posts: 2
Joined: Thu Oct 03, 2019 1:01 pm

Virustotal reports infected

Post by sdbpost »

Just downloaded and ran the installer through virustotal. Antiy-AVL detected Trojan[Packed]/Win32.Morphine. Here are the basic properties:

frp-standalone-04-02-17-setup.exe

MD5 60acf544e27ba69607eddb34b89e
SHA-1e0ecd5a320b4ae1efac2dbb7b90822fe03b33e70
SHA-256e86cace2bfa222417f0b34c5e36217898a0f95ba6f9eea62c14fb62992813377
Vhash037056655d5c05709043z8003b7z47z62z3e03dz
Authentihash5624667df7011656c5d6307166b1b71a437bb453cbbbc9c21f05129a74e7e1cd
Imphash7fa974366048f9c551ef45714595665e
SSDEEP786432:vOhAEzUJNlK7hUzqKlkEC+YzZ16aY39IxceSRy3yUOf84eSAkEhXTB:vuAEzUEOzqKlkEC+YdM1OTfO01SE
File typeWin32 EXE
MagicPE32 executable for MS Windows (GUI) Intel 80386 32-bit
File size 37.81 MB (39651848 bytes)
jimr
Posts: 848
Joined: Thu Feb 28, 2008 6:48 pm

Re: Virustotal reports infected

Post by jimr »

My best guess is that this is a false positive or the installer is getting modified after the download.

I just did a quick scan using virustotal's URL based online scanner and it comes up clean. You might try first using the URL based scanner here:
https://www.virustotal.com/gui/home/url

and put in the URL for the program installer: https://www.flexibleretirementplanner.c ... -setup.exe

Assuming that's clean, the next step would be to upload the installer you're trying to run to see if the online tool detects anything in that.
sdbpost
Posts: 2
Joined: Thu Oct 03, 2019 1:01 pm

Re: Virustotal reports infected

Post by sdbpost »

I also see the URL based report is clean. What I did before my first post was actually your second suggestion. I repeated the download and then upload to virustotal.com on two additional computers, one of which I never log into. The same engine found the same trojan on all three systems. Unfortunately the URL based scan does not include the details found on the upload scan so it's hard to tell if virus total is seeing the same file.

It would really be helpful if someone else could repeat the upload so I can rule out a trojan that has spread across my home network.
jimr
Posts: 848
Joined: Thu Feb 28, 2008 6:48 pm

Re: Virustotal reports infected

Post by jimr »

When I upload a copy of the downloaded .exe to virustotal's online file scanner (not the URL scanner), I also get 1 out of 56 engines reporting a positive.

VirusTotal reports that the positive is from Antiy-AVL. I've emailed Antiy-AVL suggesting this is likely a false positive and am waiting for a response.

I double checked on my web host to make sure the file date is the same and I also rechecked that the file's security certificate still has a valid signature from Random Walk Ventures.

My best guess is still that this is a false positive, but you'll have to make your own decision about how to proceed. The file was uploaded to the web server in february. doesn't appear to have been modified since then and no other anti-virus engines are reporting any problems with it.

I'll post back here if I get a response from the folks at Antiy-AVL.
Post Reply

Who is online

Users browsing this forum: No registered users and 0 guests