Malware in SADX Mod Installer?


https://www.virustotal.com/gui/file/c42d96bb0c3f2126d763dc14cc53aa1ae609892f468dd9bba80c09c172a1fadb/relations

The web version of the installer downloaded from the official site has 4 hits on VT, but it contains this extremely suspicious 51-hit bundled file. Even after a rescan, the installer's detection doesn't rise above 4 hits, which is very odd if it has a 51-hit bundled file. Is there something broken in VirusTotal, or is this real malware? I have encountered this situation on VT multiple times already.


I've used SADX Mod Installer many times before, both web and offline installers, and nothing malicious infected my PC when using it. It could be a false positive from how it applies compatibility settings to the game and some of the mods it pulls from.

17 hours ago, ViperAcidZX said:

I've used SADX Mod Installer many times before, both web and offline installers, and nothing malicious infected my PC when using it. It could be a false positive from how it applies compatibility settings to the game and some of the mods it pulls from.

Yeah, but 51 hits is an extremely high number of detections; I've never seen any false positives like that. What weirds me out is that even after rescanning the installer it doesn't go higher than 4 hits. It should light up with reds like a Christmas tree if it really has a 51-hit bundled file.

UPDATE: Hybrid Analysis (which includes VirusTotal) didn't find any malicious bundled files. https://hybrid-analysis.com/sample/c42d96bb0c3f2126d763dc14cc53aa1ae609892f468dd9bba80c09c172a1fadb

Something very strange is going on with VirusTotal.

Edited by cuzbabytonight

I've just looked at the files inside the SADX Mod Installer and it turns out the file with 51 hits is the 7zr (7-Zip) standalone executable which is used to extract downloaded mod archives. It's definitely weird.

16 hours ago, dei_do said:

I've just looked at the files inside the SADX Mod Installer and it turns out the file with 51 hits is the 7zr (7-Zip) standalone executable which is used to extract downloaded mod archives. It's definitely weird.

What if one were to extract the mod installer and replace the 51-hit 7zr file with a non-sketchy version? Would it still work?

1 hour ago, cuzbabytonight said:

What if one were to extract the mod installer and replace the 51-hit 7zr file with a non-sketchy version? Would it still work?

The better thing would probably be opening an issue on the mod installer's repository, as it is open-source. Or you can replace the 7zr executable and then build the mod installer yourself if PkR refuses. You can probably even make a pull request for that.

Edited by dei_do
Forgot about pull requests

541c6aa57ddd7da0c6902aa1e92155eb.virus seems to drop and execute various files, including what seems to be an infected copy of Chocolatey which drops this executable disguised as a changelog, an executable called Zombie.exe which is dropped into the system folder and is also dropped by various other *.virus files, a fake version of an Acrobat Reader installer, and a couple of executables disguised as log files.

Along this web there are various outside connections to seemingly-random websites, various IPs, several bitcoin-related URLs and many connections to trojans purporting to be things like Acrobat Reader, logs or temporary files.

EDIT: I ran the installer with any.run. I took it as far as possible in a sandbox without a copy of SADX, and up to that point nothing malicious occurs.

14 hours ago, Paynamia said:

This is the scan for 7zr.exe extracted.
https://www.virustotal.com/gui/file/73628e0b1566de03c0d846cb774bf5ae02cb5c363988ced5be23aeba3275b72e
No idea what VT is finding, but apparently it's a file named "541c6aa57ddd7da0c6902aa1e92155eb.virus".

Very concerning that the file was found instead of the 7zr executable. That might indicate that whoever originally uploaded it to VT had their PC infected.
Though I admit that I was mistaken about the 7zr executable itself.

11 hours ago, Paynamia said:

EDIT: I ran the installer with any.run. I took it as far as possible in a sandbox without a copy of SADX, and up to that point nothing malicious occurs.

This seems to confirm what I wrote above.

3 hours ago, dei_do said:

That might indicate that whoever originally uploaded it to VT had their PC infected.

Seems not, I uploaded a freshly downloaded copy of sadx_installer.exe and the SHA256 matched what was already online.

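The check Paynamia describes (hashing a freshly downloaded installer and comparing it with what VirusTotal already has) written out as an added Python example, not code from the thread or from the SADX Mod Installer project. The two expected digests are the ones quoted in the thread's VirusTotal links; the file names `sadx_installer.exe` and `7zr.exe` are taken from the posts, and the extraction directory is an assumed local path.

```python
import hashlib
from pathlib import Path

# SHA256 values quoted in the thread's VirusTotal links (installer and the
# extracted 7zr.exe). Keyed by file name as the posts refer to them.
KNOWN_SHA256 = {
    "sadx_installer.exe": "c42d96bb0c3f2126d763dc14cc53aa1ae609892f468dd9bba80c09c172a1fadb",
    "7zr.exe": "73628e0b1566de03c0d846cb774bf5ae02cb5c363988ced5be23aeba3275b72e",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name: str, digest: str, known=KNOWN_SHA256) -> str:
    """'match' if the digest equals the thread's value for that file name,
    'MISMATCH' if the name is known but the bytes differ (a different build,
    a tampered download, or a different upload than the one VT analysed),
    'unknown' if the thread gives no reference digest for that name."""
    expected = known.get(name)
    if expected is None:
        return "unknown"
    return "match" if expected.lower() == digest.lower() else "MISMATCH"


def check_tree(root) -> dict:
    """Hash every regular file under root (e.g. the directory the installer
    was extracted into) and return {relative_path: (status, digest)}."""
    root = Path(root)
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = sha256_file(p)
            report[str(p.relative_to(root))] = (classify(p.name, digest), digest)
    return report


if __name__ == "__main__":
    # Assumed location of the extracted installer contents.
    for rel, (status, digest) in check_tree("./sadx_installer_extracted").items():
        print(f"{status:9} {digest}  {rel}")
```

A "MISMATCH" on `sadx_installer.exe` or `7zr.exe` means the bytes on disk are not the sample the thread's VirusTotal pages describe, so those verdicts do not apply to what was actually downloaded.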
2 hours ago, Paynamia said:

Seems not, I uploaded a freshly downloaded copy of sadx_installer.exe and the SHA256 matched what was already online.

I didn't mean you, the file might have been checked on VT before you did the same.

Edit: Ah wait, I'm dumb. Yeah I don't know what happened there if the checksums are the same.

Edited by dei_do