Replies: 8 comments 4 replies
-
Just by the way, no shade or biased views here. This type of thing can leave a dev's reputation in shambles. If this is somehow a false positive it's not entirely impossible to deny it. Just be aware I'm not trying to hurt anyone, but I'm also trying not to let people get hurt, and such a detection is very serious, especially when it's a VM based detection as those aren't hash based. (Although clearly, the cache was a hash based detection, but that also could be a maliciously planted file, so there's two sides to that detection.)
-
This is a false positive and already filed as an issue: #2610
-
This wouldn't apply there. Those are hash based detections. These are behavioral. I should've used this term in my original post; I'll edit it in right now. But VM analysis is also known as behavioral analysis in malware analysis (lot of words there lol. Sorry.) and with behavioral analysis, you aren't just hashing files and slabbing a name on it, you're looking at the behavior occurring inside the VM and slabbing a name on those actions processes took. That doesn't mean there can't be a reasonable explanation for all this, but it's a lot, lot harder to prove innocence against behavioral analysis.
-
Sorry, there's nothing that can be done as far as I know.
-
I don't think behavioral analysis can really tell "good" behavior from "bad" behavior. The fact is that ExplorerPatcher modifies Explorer's code at runtime. This will always be suspicious from anti-malware software's point of view. The same techniques can be used by good and malicious software alike. There aren't really alternative methods in this case, other than convincing Microsoft to implement ExplorerPatcher's options in their Explorer shell so there's no need for a 3rd party utility.
-
If you're basing this on EP doing binary patching of explorer's code, then you might as well close this because it can never be fixed.
-
Certainly a false positive. I've gone through all of EP's code, and NONE of the files in them contain "stealers" or such. All of the code that goes into ep_setup.exe that is distributed in this repository is open source, in this exact repository. It's there for everyone to see. And if there were suspicious stuff such as stealers, numerous people would've reported it in issues already, or even caused some headlines on tech sites. Yes, I might be using portions of code that stealers might use, such as FindPattern, which is used to locate a portion of code for patching purposes; in that case there is really nothing I can do. Speaking about "behavioral", it is basically how EP was designed to carry out its tasks: modifying Explorer's code during runtime. Again, there is really nothing I can do to eliminate these "behavioral" threats. That's all I can say for now, and I hope that you understand.
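As an added illustration, not ExplorerPatcher's own code or any file from this repository, here is what a byte-pattern search of the FindPattern kind mentioned above does: it scans a code buffer for a signature with wildcard bytes to locate the spot that will later be patched. The IDA-style pattern syntax, the sample buffer and the function names are assumptions made for the example. It only searches an in-memory array that the example constructs itself; it touches no running process. The point for the thread is that a behavioral sandbox sees exactly this scan-then-patch sequence against another process and has no way to tell a shell customization tool from a stealer by the operation alone.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <ctype.h>

/* Parse an IDA-style pattern such as "48 8B ? ? 89" into a byte array and a
 * mask. A token of one or more '?' is a wildcard (mask 0); a two-digit hex
 * token is a literal byte (mask 1). Returns the number of pattern bytes, or
 * -1 on a malformed token or when the pattern exceeds `cap`. */
int parse_pattern(const char *pattern, unsigned char *out_bytes,
                  unsigned char *out_mask, size_t cap)
{
    size_t n = 0;
    const char *p = pattern;
    while (*p) {
        while (*p == ' ') p++;          /* skip separators */
        if (!*p) break;
        if (n >= cap) return -1;
        if (*p == '?') {
            out_bytes[n] = 0;
            out_mask[n] = 0;            /* wildcard: any byte matches here */
            while (*p == '?') p++;
        } else {
            if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
                return -1;              /* not a valid hex byte token */
            char hex[3] = { p[0], p[1], 0 };
            out_bytes[n] = (unsigned char)strtoul(hex, NULL, 16);
            out_mask[n] = 1;
            p += 2;
        }
        n++;
    }
    return (int)n;
}

/* Return the first offset in `buf` where every non-wildcard pattern byte
 * matches, or -1 when the pattern is invalid or absent. */
long find_pattern(const unsigned char *buf, size_t len, const char *pattern)
{
    unsigned char bytes[64], mask[64];
    int plen = parse_pattern(pattern, bytes, mask, sizeof bytes);
    if (plen <= 0 || (size_t)plen > len) return -1;
    for (size_t i = 0; i + (size_t)plen <= len; i++) {
        size_t j;
        for (j = 0; j < (size_t)plen; j++) {
            if (mask[j] && buf[i + j] != bytes[j]) break;
        }
        if (j == (size_t)plen) return (long)i;
    }
    return -1;
}

/* Constructed stand-in for a code section. These are hand-picked x64-looking
 * bytes for the demo, not bytes taken from explorer.exe or any real binary. */
static const unsigned char sample_code[] = {
    0x90, 0x90, 0x55, 0x48, 0x89, 0xE5,             /* nop nop push rbp mov rbp,rsp */
    0x48, 0x8B, 0x05, 0x10, 0x00, 0x00, 0x00,       /* mov rax,[rip+0x10]           */
    0x85, 0xC0, 0x74, 0x05, 0xC3                    /* test eax,eax jz +5 ret        */
};

size_t sample_code_len(void) { return sizeof sample_code; }

/* Convenience wrapper so callers can search the constructed buffer directly. */
long find_in_sample(const char *pattern)
{
    return find_pattern(sample_code, sizeof sample_code, pattern);
}

int main(void)
{
    /* The four wildcards stand for a RIP-relative displacement that would
     * differ between builds, which is why signatures use them instead of
     * fixed offsets. */
    const char *pat = "48 8B 05 ? ? ? ? 85 C0";
    long off = find_in_sample(pat);
    if (off < 0) printf("pattern '%s' not found\n", pat);
    else printf("pattern '%s' found at offset %ld\n", pat, off);
    return 0;
}
```

The wildcard mask is what makes such signatures survive across binary versions, and it is also why a sandbox cannot infer intent from the scan: the same loop, reading another process's code pages and followed by a write to the located address, is the generic primitive behind both runtime patching tools and code-injecting malware, so the detection is attached to the operation rather than to any particular program.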
-
I've edited the top stuff and title. I'm thinking of keeping this here for archival of the process, but as found in the above thread from the person who MADE the commit that started this all, every flag is a false positive. I'm glad this is completely safe; I was scared I came across some big malicious project that was waiting to be found out. Because of the nature of behavioral analysis, it shows no mercy and makes no exceptions, which is the glory of it, but also a downfall at the same time. This may stay a false flag forever, but I hope something can be figured out nonetheless.
-
EDIT. So.... after being on vacation and forgetting about this all, I've come back to say this is 100% a false positive. Don't worry about any antivirus flags, and don't worry about VM analysis flags. The source code is clean.
https://tria.ge/231227-jb6vbaeaf8/behavioral1 Win10 VM
https://tria.ge/231227-jd2y5seca4/behavioral1 Win11 VM (detected more but also may have more false/innocent side flags)
With explanations maybe something can be pulled together, but under the flagging section (category name of "signatures") it says it detected Lumma infostealer and its payload, clearly flagged under your executable AND under Chrome's cache, presumably before it even downloaded (which would mean it'd be hash based detection for that). The other explanation for flagging the cache is that it drops a payload in Chrome's cache disguised as a regular cache file, but I don't know. Sorry, I don't want to make enemies, I just want to be transparent and honest not only under this GitHub page and with the owner (I use other things they make), but most importantly with the people looking at this project. (This was all done with behavioral analysis, to be clear. Not hash based flagging.)