False positive Trojan.Dropper.MSIL

[ProgModCon]

Please review attached file. This started happening today.

Thank you

pupilicensemanagergui.zip

pupilicensemanagergui.zip

[shadowwar]

Do you have a scan log or what program this is part of?

[ProgModCon]

Hi, I used virustotal.com

 

This is the additional information:

MD5 d4a49931af3c098db50b3842a3f7ce79

SHA1 8548d1b8e79614d1beea2224fc55b6efa4120905

SHA256 02bc963b117488d6106b4c2882620789a7e6e440166ec354fb1b9311a504fd5f

ssdeep

768:GFJrEL8d+GxaIE5TZq9rvKq8bm7oLcHOAK9S+rD3OdEh5CK4MNvYAgRcK7hK8T4n:Ar0AaIE5QVmb2js8+rr4MqKMh+moy820

authentihash  172f077e582e5dd57c5a05ab60283d6792140b3e43568697fae26777692e0eaf

imphash  f34d5f2d4577ed6d9ceec516c1f5a744

File size 64.0 KB ( 65544 bytes )

File type Win32 EXE

Magic literal

PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly

TrID Generic CIL Executable (.NET, Mono, etc.) (51.3%)
Win64 Executable (generic) (19.3%)
Win32 EXE Yoda's Crypter (18.6%)
Win32 Dynamic Link Library (generic) (4.6%)
Win32 Executable (generic) (3.1%)

Tags

peexe assembly overlay

 VirusTotal metadata

First submission 2015-09-04 12:51:59 UTC ( 1 day, 5 hours ago )

Last submission 2015-09-05 17:53:25 UTC ( 0 minutes ago )

File names pupilicensemanagergui.exe

 

 

And the file info:

The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.

 FileVersionInfo properties

Copyright

Copyright © 2014

Product Aeij

Original name pupilicensemanagergui.exe

Internal name pupilicensemanagergui.exe

File version 1.0.0.0

Description Aeij

 PE header basic information

Target machine Intel 386 or later processors and compatible processors

Compilation timestamp 2015-08-06 02:42:01

Entry Point 0x0000C9BE

Number of sections 3

 .NET details

Module Version ID 335e45d6-69ba-4d0b-b837-12f04ed0067b

TypeLib ID 385d3d05-b8cc-47d8-854f-0877f9d00fcb

 PE sections

Name Virtual address Virtual size Raw size Entropy MD5

.text 8192 43460 43520 7.47 40dd753a94a6ce4de66e957674dcacba

.rsrc 57344 20932 20992 7.78 6a091433e0d80a58bd9566b0c1d7915f

.reloc 81920 12 512 0.08 d3fb05a2ed8c79f4b6357f822b08e82e

 Overlays

MD5 4e136e9d316116d4b1ad565b73d2ef4c

File type data

Offset 65536

Size 8

Entropy 3.00

 PE imports

[+] mscoree.dll

 Number of PE resources by type

RT_MANIFEST 1

RT_VERSION 1

APPRES 1

 Number of PE resources by language

NEUTRAL 3

 ExifTool file metadata

SubsystemVersion

4.0

LinkerVersion

8.0

ImageVersion

0.0

FileSubtype

0

FileVersionNumber

1.0.0.0

UninitializedDataSize

0

LanguageCode

Neutral

FileFlagsMask

0x003f

CharacterSet

Unicode

InitializedDataSize

21504

EntryPoint

0xc9be

OriginalFileName

pupilicensemanagergui.exe

MIMEType

application/octet-stream

LegalCopyright

Copyright 2014

FileVersion

1.0.0.0

TimeStamp

2015:08:06 03:42:01+01:00

FileType

Win32 EXE

PEType

PE32

InternalName

pupilicensemanagergui.exe

ProductVersion

1.0.0.0

FileDescription

Aeij

OSVersion

4.0

FileOS

Win32

Subsystem

Windows GUI

MachineType

Intel 386 or later, and compatibles

CodeSize

43520

ProductName

Aeij

ProductVersionNumber

1.0.0.0

FileTypeExtension

exe

ObjectFileType

Executable application

AssemblyVersion

1.0.0.0

 

[ProgModCon]

the program is a license manager and it runs independently. 

[shadowwar]

A license manager for what program? Trying to document. So this wasnt from a scan of your computer?

[ProgModCon]

It is the license manager for a library called PUPI: visualprogramminglanguage.com

I can download Malwarebytes and run a scan if that helps.

[shadowwar]

Thanks. This will be fixed next update.