Created by: newman55
Uploaded by: newman55
Virus scan: Some manually verified files

Console.exe reading as potentially malicious through Hybrid Analysis sandbox, is this intentional? (4 comments)

  1. LexicovAngelsky (member, 0 kudos)
    I linked to this webpage through Steam and was concerned when Steam flagged the site as Malicious. I did continue to the site, and decided to use tools to determine if the file hosted here was malicious, including VirusTotal, where a Vendor had flagged the file as suspicious.

    Curious, I uploaded the .zip file to Hybrid Analysis and ran a sandbox in a Windows 10 64-bit OS, where the Console.exe executable displayed several indicators that it could potentially act as spyware, including creating hooks in several APIs that were not listed in its Import Address Table (a possible mechanism for evading Antivirus and Endpoint Protection systems), which did everything from attempting to view and modify the Access Token (potential risk for Privilege Escalation) to viewing and editing the Registry (could be used to tamper with forensic information or gather data on other processes).

    https://www.hybrid-analysis.com/sample/26de5215f1c7a1391ac935e25a96cd0f53668e8485f729f3db001606714aa3af

    Is this behavior intentional? Could it be restricted to a Zero Trust model, or update the IAT? Thank you in advance for your consideration.
    1. newman55 (premium, 127 kudos)
      Should you believe me if I say it's not dangerous?
      The program is open source. If you understand, you can check how it works.
    2. losthero0 (member, 0 kudos)
      Doesn't exactly instill a sense of trust in clients if you don't give a straightforward answer, newman.

      Here's an updated scan: 14 suspicious flags but no malicious flags. Different scanning sites each show 1 of several dozen scanning tools marking the code as malicious, but otherwise nothing else. Source code should be rewritten so Windows doesn't flag it for such obvious errors.
      https://www.hybrid-analysis.com/sample/6e7bcd2fd24e9038bb340b6690bbbeaa96f530a265d00d1ebbc96bd63a13f15d
    3. newman55 (premium, 127 kudos)
      The program is poking around the game files, of course it will be suspicious. I don't think I can do it any other way.