cuzbabytonight 2
Posted April 24, 2022

https://www.virustotal.com/gui/file/c42d96bb0c3f2126d763dc14cc53aa1ae609892f468dd9bba80c09c172a1fadb/relations

The web version of the installer downloaded from the official site has 4 hits on VT, but it contains this extremely suspicious 51-hit bundled file. Even after a rescan, the installer's detection doesn't rise above 4 hits, which is very odd if it has a 51-hit bundled file. Is there something broken in VirusTotal, or is this real malware? I have encountered this situation on VT multiple times already.
ViperAcidZX 6
Posted April 24, 2022

I've used SADX Mod Installer many times before, both web and offline installers, and nothing malicious infected my PC when using it. It could be a false positive from how it applies compatibility settings to the game and some of the mods it pulls from.
cuzbabytonight 2 (Author)
Posted April 25, 2022 (edited)

17 hours ago, ViperAcidZX said:
I've used SADX Mod Installer many times before, both web and offline installers, and nothing malicious infected my PC when using it. It could be a false positive from how it applies compatibility settings to the game and some of the mods it pulls from.

Yeah, but 51 hits is an extremely high number of detections; I've never seen any false positives like that. What weirds me out is that even after rescanning the installer it doesn't go higher than 4 hits. It should light up with reds like a Christmas tree if it really has a 51-hit bundled file.

UPDATE: Hybrid Analysis (which includes VirusTotal) didn't find any malicious bundled files.
https://hybrid-analysis.com/sample/c42d96bb0c3f2126d763dc14cc53aa1ae609892f468dd9bba80c09c172a1fadb
Something very strange is going on with VirusTotal.

Edited April 25, 2022 by cuzbabytonight
dei_do 0
Posted April 25, 2022

I've just looked at the files inside the SADX Mod Installer and it turns out the file with 51 hits is the 7zr (7-Zip) standalone executable, which is used to extract downloaded mod archives. It's definitely weird.
cuzbabytonight 2 (Author)
Posted April 26, 2022

16 hours ago, dei_do said:
I've just looked at the files inside the SADX Mod Installer and it turns out the file with 51 hits is the 7zr (7-Zip) standalone executable, which is used to extract downloaded mod archives. It's definitely weird.

What if one were to extract the mod installer and replace the 51-hit 7zr file with a non-sketchy version? Would it still work?
dei_do 0
Posted April 26, 2022 (edited)

1 hour ago, cuzbabytonight said:
What if one were to extract the mod installer and replace the 51-hit 7zr file with a non-sketchy version? Would it still work?

The better thing would probably be opening an issue on the mod installer's repository, as it is open-source. Or you can replace the 7zr executable and then build the mod installer yourself if PkR refuses. You can probably even make a pull request for that.

Edited April 26, 2022 by dei_do: Forgot about pull requests
Paynamia 0
Posted April 28, 2022

This is the scan for 7zr.exe extracted.
https://www.virustotal.com/gui/file/73628e0b1566de03c0d846cb774bf5ae02cb5c363988ced5be23aeba3275b72e
No idea what VT is finding, but apparently it's a file named "541c6aa57ddd7da0c6902aa1e92155eb.virus". I'd say make an issue report on GitHub about it.

EDIT: Made an issue myself.
PekaTVDmitriyPekar 0
Posted April 28, 2022

To be on the safe side, it is better to use SADX in a virtual machine or run it through Sandboxie. Or don't use SADX at all.
Paynamia 0
Posted April 28, 2022

541c6aa57ddd7da0c6902aa1e92155eb.virus seems to drop and execute various files, including what seems to be an infected copy of Chocolatey, which drops this executable disguised as a changelog; an executable called Zombie.exe, which is dropped into the system folder and is also dropped by various other *.virus files; a fake version of an Acrobat Reader installer; and a couple of executables disguised as log files. Along this web there are various outside connections to seemingly random websites, various IPs, several bitcoin-related URLs and many connections to trojans purporting to be things like Acrobat Reader, logs or temporary files.

EDIT: I ran the installer with any.run. I took it as far as possible in a sandbox without a copy of SADX, and up to then nothing malicious occurred.
dei_do 0
Posted April 28, 2022

14 hours ago, Paynamia said:
This is the scan for 7zr.exe extracted.
https://www.virustotal.com/gui/file/73628e0b1566de03c0d846cb774bf5ae02cb5c363988ced5be23aeba3275b72e
No idea what VT is finding, but apparently it's a file named "541c6aa57ddd7da0c6902aa1e92155eb.virus".

Very concerning that the file was found instead of the 7zr executable. That might indicate that whoever originally uploaded it to VT had their PC infected. Though I admit that I was mistaken about the 7zr executable itself.

11 hours ago, Paynamia said:
EDIT: I ran the installer with any.run. I took it as far as possible in a sandbox without a copy of SADX, and up to then nothing malicious occurred.

This seems to confirm what I wrote above.
dei_do 0
Posted April 28, 2022

Just checked the checksums in the Mod Installer I downloaded and confirmed they match the scan for 7zr.exe above.
Paynamia 0
Posted April 28, 2022

3 hours ago, dei_do said:
That might indicate that whoever originally uploaded it to VT had their PC infected.

Seems not; I uploaded a freshly downloaded copy of sadx_installer.exe and the SHA256 matched what was already online.
dei_do 0
Posted April 28, 2022 (edited)

2 hours ago, Paynamia said:
Seems not; I uploaded a freshly downloaded copy of sadx_installer.exe and the SHA256 matched what was already online.

I didn't mean you; the file might have been checked on VT before you did the same.

Edit: Ah wait, I'm dumb. Yeah, I don't know what happened there if the checksums are the same.

Edited April 28, 2022 by dei_do
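The checksum comparison the last few posts describe, written out as an added example (not code from the thread or from the SADX Mod Installer project): hash every file in an extracted installer tree and classify each one against the SHA256 values you read on VirusTotal, so a bundled file that is not the copy whose scan you looked at, or a file no listing accounts for, stands out. The two hashes in THREAD_HASHES are the ones linked in this thread; the demo tree and its file contents are constructed.

```python
import hashlib
import os
import tempfile

# SHA256 values quoted in the thread: the web installer and the extracted 7zr.exe
# as reported on VirusTotal. Pass a map like this to check_tree() on a real
# extraction; run_demo() below uses constructed files instead.
THREAD_HASHES = {
    "sadx_installer.exe": "c42d96bb0c3f2126d763dc14cc53aa1ae609892f468dd9bba80c09c172a1fadb",
    "7zr.exe": "73628e0b1566de03c0d846cb774bf5ae02cb5c363988ced5be23aeba3275b72e",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_tree(root, expected):
    """Hash every file under root and classify it against expected {relpath: sha256}.

    Returns {relpath: "match" | "mismatch" | "unknown"}. "mismatch" means the bundled
    copy is not the file whose scan you read; "unknown" is a file the reference
    listing does not account for and deserves its own scan.
    """
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel not in expected:
                results[rel] = "unknown"
            else:
                results[rel] = "match" if sha256_file(path) == expected[rel] else "mismatch"
    return results


def run_demo():
    """Constructed extraction tree (not real SADX files) exercising all three outcomes."""
    files = {"7zr.exe": b"stand-in 7zr bytes", "changelog.exe": b"not what was scanned",
             "extra.dll": b"nobody listed me"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        expected = {"7zr.exe": hashlib.sha256(files["7zr.exe"]).hexdigest(),
                    "changelog.exe": hashlib.sha256(b"the scanned copy").hexdigest()}
        return check_tree(root, expected)
```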