Malware in SADX Mod Installer?


cuzbabytonight

https://www.virustotal.com/gui/file/c42d96bb0c3f2126d763dc14cc53aa1ae609892f468dd9bba80c09c172a1fadb/relations

The web version of the installer downloaded from the official site has 4 hits on VT, but it contains this extremely suspicious 51-hit bundled file. Even after a rescan, the installer's detection doesn't rise above 4 hits, which is very odd if it has a 51-hit bundled file. Is there something broken in VirusTotal, or is this real malware? I have encountered this situation on VT multiple times already.

I've used SADX Mod Installer many times before, both web and offline installers, and nothing malicious infected my PC when using it. It could be a false positive from how it applies compatibility settings to the game and some of the mods it pulls from.

17 hours ago, ViperAcidZX said:

I've used SADX Mod Installer many times before, both web and offline installers, and nothing malicious infected my PC when using it. It could be a false positive from how it applies compatibility settings to the game and some of the mods it pulls from.

Yeah, but 51 hits is an extremely high number of detections; I've never seen any false positives like that. What weirds me out is that even after rescanning the installer it doesn't go higher than 4 hits; it should light up with reds like a Christmas tree if it really has a 51-hit bundled file.

UPDATE: Hybrid Analysis (which includes VirusTotal) didn't find any malicious bundled files. https://hybrid-analysis.com/sample/c42d96bb0c3f2126d763dc14cc53aa1ae609892f468dd9bba80c09c172a1fadb

Something very strange is going on with VirusTotal.

Edited by cuzbabytonight

I've just looked at the files inside the SADX Mod Installer and it turns out the file with 51 hits is the 7zr (7-Zip) standalone executable which is used to extract downloaded mod archives. It's definitely weird.

16 hours ago, dei_do said:

I've just looked at the files inside the SADX Mod Installer and it turns out the file with 51 hits is the 7zr (7-Zip) standalone executable which is used to extract downloaded mod archives. It's definitely weird.

What if one was to extract the mod installer and replace the 51-hit 7zr file with a non-sketchy version? Would it still work?

1 hour ago, cuzbabytonight said:

What if one was to extract the mod installer and replace the 51-hit 7zr file with a non-sketchy version? Would it still work?

The better thing would probably be opening an issue on the mod installer's repository, as it is open-source. Or you can replace the 7zr executable and then build the mod installer yourself if PkR refuses. You can probably even make a pull request for that.

Edited by dei_do
Forgot about pull requests

541c6aa57ddd7da0c6902aa1e92155eb.virus seems to drop and execute various files, including what seems to be an infected copy of Chocolatey which drops this executable disguised as a changelog, an executable called Zombie.exe which is dropped into the system folder and is also dropped by various other *.virus files, a fake version of an Acrobat Reader installer, and a couple of executables disguised as log files.

Along this web there are various outside connections to seemingly-random websites, various IPs, several bitcoin-related URLs and many connections to trojans purporting to be things like Acrobat Reader, logs or temporary files.

EDIT: I ran the installer with any.run. I took it as far as possible in a sandbox without a copy of SADX, and up to then, nothing malicious occurs.

14 hours ago, Paynamia said:

This is the scan for 7zr.exe extracted.
https://www.virustotal.com/gui/file/73628e0b1566de03c0d846cb774bf5ae02cb5c363988ced5be23aeba3275b72e
No idea what VT is finding, but apparently it's a file named "541c6aa57ddd7da0c6902aa1e92155eb.virus".

Very concerning that the file was found instead of the 7zr executable. That might indicate that whoever originally uploaded it to VT had their PC infected.
Though I admit that I was mistaken about the 7zr executable itself.

11 hours ago, Paynamia said:

EDIT: I ran the installer with any.run. I took it as far as possible in a sandbox without a copy of SADX, and up to then, nothing malicious occurs.

This seems to confirm what I wrote above.

3 hours ago, dei_do said:

That might indicate that whoever originally uploaded it to VT had their PC infected.

Seems not, I uploaded a freshly downloaded copy of sadx_installer.exe and the SHA256 matched what was already online.

2 hours ago, Paynamia said:

Seems not, I uploaded a freshly downloaded copy of sadx_installer.exe and the SHA256 matched what was already online.

I didn't mean you, the file might have been checked on VT before you did the same.

Edit: Ah wait, I'm dumb. Yeah I don't know what happened there if the checksums are the same.

Edited by dei_do
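
An added example, not from any poster in this thread or from the installer's project: one way to settle whether the 7zr.exe bundled in an extracted installer is byte-identical to a copy obtained separately from the 7-Zip project is to compare SHA-256 digests file by file. The two directory arguments, the function names and the status labels are assumptions made for this sketch.

```python
import hashlib
import sys
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large installer is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_bundled(extracted_dir, reference_dir):
    """Compare every file under extracted_dir with a same-named reference file.

    Returns {relative_path: (status, sha256)}; status is "match", "mismatch"
    or "no-reference". Names are compared case-insensitively because the
    files come from a Windows installer.
    """
    reference = {
        p.name.lower(): sha256_file(p)
        for p in Path(reference_dir).iterdir() if p.is_file()
    }
    report = {}
    for path in sorted(Path(extracted_dir).rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        expected = reference.get(path.name.lower())
        if expected is None:
            status = "no-reference"   # nothing independent to compare against
        elif expected == digest:
            status = "match"          # byte-identical to the reference copy
        else:
            status = "mismatch"       # same name, different content
        report[path.relative_to(extracted_dir).as_posix()] = (status, digest)
    return report


def vt_url(sha256):
    """Lookup URL in the same form as the VirusTotal links quoted in the thread."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


if __name__ == "__main__" and len(sys.argv) == 3:
    for name, (status, digest) in compare_bundled(sys.argv[1], sys.argv[2]).items():
        print(f"{status:12} {name}  {vt_url(digest)}")
```

A "match" means the bundled file is the same binary as the reference copy, so any detections would apply to both; a "mismatch" is the case worth raising in an issue on the installer's repository.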