False Positive: XVI32.EXE and XVI32.LNK

[CubeCentral]

This program is a very old Hex Editor that has been around for years.  This morning Malwarebytes reported it as having "Ransom.Dharma" after many many previous scans completing without a detection.

Please find attached the log file and the two files in a zip file.

XVI32.zip

Edited April 26, 2018 by miekiemoes
Edited per user request to remove the log.

[miekiemoes]

Thanks.

Verified this is an FP indeed and will get fixed in next database update.

Thanks for reporting!

[CubeCentral]

You're welcome!

I re-downloaded it from the author's website on another PC and confirmed the hash:

                MD5                             SHA-1
-------------------------------------------------------------------------
b806596b3a2e3d6c31a3c35d2fda363e c5beeaef85c8e9b1481fe5974e3bfe1481c1add4 xvi32.exe

Since the new copy I downloaded, and the "installed" copy which got flagged were identical, I felt confident that it was a False Positive.

I've also e-mailed the author asking him to post a hash on his website so that future questions of his program's validity may be quickly determined.

Cheers!

 

[miekiemoes]

Good research-work! and thanks for the heads-up!!

 

[takosan]

Did this benign hex editor get out of database?

It is coming up as false positive - specifically Malware.AI.380569028 ...

[Porthos]

2 hours ago, takosan said:

It is coming up as false positive - specifically Malware.AI.380569028 ...

Please zip and attach the detected file and the log showing your detection.

[takosan]

For the life of me, I can't find the ZIP file I downloaded from the official size. It's possible I deleted it after install. I'm sorry it is not useful without the source. The only thing I know is I downloaded & installed from their website. Anyway here's the report:

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Malware.AI.3805690928, C:\USERS\xxxxx\DOWNLOADS\XVI32.ZIP, No Action By User, 1000000, 0, 1.0.36191, FDC1FCEC6A9B2766E2D63C30, dds, 01086970, D756F876C08F50E5255833385767B777, 4F7EECB1FABBBDE739D5D842468869217A427B8C91BAFDA19B465B0E9137AF3B

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

[miekiemoes]

Thanks.

This looks like this has been fixed already as I can't reproduce detection anymore.