Hollows Hunter: False positives or not? #81
First off: hasherezade, thank you for your continued work on these incredible tools! Not sure if this is the right place to post this. So about 2/3 weeks ago I ran hollows hunter on my system, and to my surprise it immediately started dumping what I thought was legitimate software, in this case Blizzard's Battle.net. After uploading the dumped executables to virustotal I was surprised to see that a couple of detections were shouting Meterpreter. I thought at first that either the application itself had been exploited; however, that seems very unlikely in such a controlled environment. Another possibility would have been that my slightly out of date system got exploited by other means and meterpreter was injected into 3 of the Chromium Embedded Framework processes "Battle.net". https://bazaar.abuse.ch/sample/5b9468610fd9202fc249242ea524a78b617fb1db1bd20191ffb3743f9ff6bfa7/ Now I am not sure what to think of this; clearly a majority of AV solutions are triggered by these. A couple of weeks later, I uninstalled Battle.net completely, including the deletion of all caches.
Now this time, AV products don't seem to detect Meterpreter anymore; instead a majority of them seem to find a "Razy" variant. https://bazaar.abuse.ch/sample/d223a2adc450e8e4b4d02e94b805268e182a4b38451b344003a535be0ad4dfe6/ I wonder what is going on here; these seem to be an awful lot of detections for a false positive. Dynamic analysis does not seem possible and at first glance I didn't see anything too suspicious in the disassembly. Mostly Blizzard related strings. Could this be related to some form of Anti-Cheat software provided by Blizzard? Or are these indeed malicious?
Replies: 1 comment 2 replies
Hi! Sure, it is a good place to ask such questions, and you are most welcome! I reviewed your files briefly, and they look legitimate to me, yet they do have some anomalies that make them look malware-like for some products. The fact that reinstalling the product didn't help only supports this. For the second set of files, I also see that some (yet fewer) AV products again detected it as Meterpreter (i.e. Kaspersky here), so it must contain something that triggers this pattern, yet I would assume it is a false positive. Regarding PE-sieve/HollowsHunter: I can tell you exactly which feature triggered the detection if you can upload the JSON reports in addition to the detected samples.
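The reply above points at the JSON report as the place that records which scan feature (patched code, hooked imports, an unbacked executable region, a replaced image) caused a process to be flagged. The following is an added example, not code from the original thread nor from the PE-sieve/HollowsHunter project: a small triage helper that reads a per-process report, lists the triggering feature for every flagged module, and ranks the result so a first-pass analyst can separate "inline patches in a signed DLL" (common with overlays, anti-cheat and EDR hooks) from stronger hollowing or implant indicators. The report layout and key names are modelled on the PE-sieve report style but are an assumption of this example, and the sample report is constructed, not taken from the poster's files.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample modelled on the layout of a PE-sieve/HollowsHunter
# per-process JSON report. Key names are an ASSUMPTION of this example,
# not copied from any real report in the thread.
SAMPLE_REPORT = json.dumps({
    "pid": 4242,
    "main_image_path": r"C:\Program Files (x86)\ExampleVendor\app.exe",
    "scanned": {
        "total": 61,
        "modified": {
            "total": 3, "patched": 1, "iat_hooked": 1, "replaced": 0,
            "hdr_modified": 0, "implanted": 1, "implanted_pe": 0,
            "implanted_shc": 1, "unreachable_file": 0, "other": 0,
        },
    },
    "scans": [
        {"code_scan": {"module": "7ffe10000000",
                       "module_file": r"C:\Windows\System32\ntdll.dll",
                       "status": 1, "patches": 3}},
        {"iat_scan": {"module": "7ffe20000000",
                      "module_file": r"C:\Windows\System32\kernel32.dll",
                      "status": 1, "hooks": 2}},
        {"workingset_scan": {"module": "1a2b3c0000", "status": 1,
                             "has_pe": 0, "has_shellcode": 1}},
    ],
})

# What each modification category means for the analyst reading the summary.
FEATURE_MEANING: Dict[str, str] = {
    "patched": "in-memory code differs from the file on disk (inline patches/hooks)",
    "iat_hooked": "import table entries resolve outside the expected module",
    "replaced": "module image replaced in memory (process hollowing indicator)",
    "hdr_modified": "PE header altered in memory",
    "implanted_pe": "PE image in memory with no backing file on disk",
    "implanted_shc": "executable region with shellcode-like content and no backing file",
    "unreachable_file": "backing file could not be read, so no comparison was possible",
}

# Categories that on their own justify a closer look versus ones that are
# routinely produced by benign hooking software.
HIGH = {"replaced", "hdr_modified", "implanted_pe", "implanted_shc"}
MEDIUM = {"patched", "iat_hooked"}


def load_report(text: str) -> dict:
    """Parse the JSON text of one per-process report."""
    return json.loads(text)


def triggered_features(report: dict) -> List[Tuple[str, str, str]]:
    """Return (scan_type, location, feature) for every scan that flagged something."""
    findings = []
    for entry in report.get("scans", []):
        for scan_type, body in entry.items():
            if body.get("status") != 1:          # status 1 = modified/suspicious
                continue
            where = body.get("module_file") or f"unbacked region @0x{body.get('module')}"
            if scan_type == "code_scan":
                feature = f"{body.get('patches', 0)} patched code location(s)"
            elif scan_type == "iat_scan":
                feature = f"{body.get('hooks', 0)} hooked import(s)"
            elif scan_type == "workingset_scan":
                feature = "implanted PE" if body.get("has_pe") else "shellcode-like region"
            else:
                feature = "flagged"
            findings.append((scan_type, where, feature))
    return findings


def severity(report: dict) -> str:
    """Rank the process from the summary counters: high, medium, low or none."""
    mod = report.get("scanned", {}).get("modified", {})
    if any(mod.get(k, 0) for k in HIGH):
        return "high"
    if any(mod.get(k, 0) for k in MEDIUM):
        return "medium"
    return "none" if mod.get("total", 0) == 0 else "low"


def explain(report: dict) -> List[str]:
    """Human-readable lines: one per non-zero category, then one per finding."""
    lines = []
    mod = report.get("scanned", {}).get("modified", {})
    for key, meaning in FEATURE_MEANING.items():
        if mod.get(key, 0):
            lines.append(f"[{key}] x{mod[key]}: {meaning}")
    for scan_type, where, feature in triggered_features(report):
        lines.append(f"{scan_type}: {where} -> {feature}")
    return lines


if __name__ == "__main__":
    rep = load_report(SAMPLE_REPORT)
    print(f"pid {rep['pid']} severity={severity(rep)}")
    for line in explain(rep):
        print("  " + line)
```

In the constructed sample the patched `ntdll.dll` and hooked `kernel32.dll` imports would be ranked medium on their own, because legitimate overlays, anti-cheat modules and EDR agents produce exactly that pattern; it is the unbacked shellcode-like region that lifts the process to high and is the dump worth comparing against a clean install of the same build.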