Inquiry about a false positive. (IMPORTANT)

Hello everyone,

So, I was looking for a way to compress a folder online, and I saw a webpage called “WinZip.com”, more specifically “https://www.winzip.com/en/learn/features/compress-folder/”. It looked fine, and it didn’t trigger Malwarebytes defender nor uBlock Origin in the slightest. I thought that it was an online process, so I clicked on the “Compress your file” button. It immediately downloaded a file called “WinZipStubInstaller.exe” [Hash: b706eb45419c20fa60de564b8713bfa68fa0d4f3b8aee287ac61242a535e16f2] (I never executed the file), so because of that, I immediately uploaded the file to VirusTotal.com and I got this:

https://preview.redd.it/7t4nmrsr75oa1.png?width=1920&format=png&auto=webp&v=enabled&s=5344cfc37b649e19ff46a42ccbbc38a7af173f17

I then copied the download link and scanned it, and instead of the same thing, I got this:

https://preview.redd.it/a31kw1s485oa1.png?width=1920&format=png&auto=webp&v=enabled&s=71e5c61753e3fc5a2072be687054e6f1805290aa

And as for the WinZip webpage I got the same, no threats detected:

https://preview.redd.it/tnuhkwcb85oa1.png?width=1920&format=png&auto=webp&v=enabled&s=bd17d5b5495b8a67bdb791b1684e9ef62a91bacc

After all this, I ran Windows MRT, then I ran a Malwarebytes full scan, and nothing was detected. I scanned the “WinZipStubInstaller.exe” file individually with Malwarebytes, and nothing was detected. I have now deleted Malwarebytes, and I am now doing a full scan with Kaspersky (as of now nothing has been detected yet). The thing is that I don’t know if, without having run the file, I am infected; I am aware that viruses and malware can still be installed. I also took the hash that virustotal.com gave me and uploaded it to the Kaspersky Intelligence Portal, and it says that there is no threat, but that there are suspicious activities in the file:

https://preview.redd.it/8scyjrp895oa1.png?width=1920&format=png&auto=webp&v=enabled&s=55c54f62e898be3dbb39d4b62ba3a818233bf8f3

https://preview.redd.it/p3zr1haa95oa1.png?width=1920&format=png&auto=webp&v=enabled&s=87e3abfe56c6fbe6b0d8099c84c3e18057973a76

Finally I went to Hybrid Analysis and searched for the file hash, and I found that it has been detected as malicious:

https://preview.redd.it/ig3bqm7j95oa1.png?width=1920&format=png&auto=webp&v=enabled&s=4ae7fef0107b734df4bee4dd50c5c4181621c941

https://preview.redd.it/h0wi0ihm95oa1.png?width=1920&format=png&auto=webp&v=enabled&s=54264bb0add7ebb8a8ce7538b27414e2f2880d49

The thing is that here it shows that virustotal.com didn’t detect it, but so far it has been the only one that has detected it, so I started to get confused. I decided to look for the vendor that detected the virus, and it shows that Zillya! is the only one to have found it, both in Hybrid Analysis and virustotal.com.

https://preview.redd.it/iepqkex5a5oa1.png?width=1920&format=png&auto=webp&v=enabled&s=22bf2c9f07e2ac172867b6adc48fe3354ae144e6

So when I looked for Zillya, I found that even the webpage looked weird, and I decided to look even further. Then I looked for the “Jiangmin” that showed in virustotal.com, and I stumbled upon many forums and Reddit pages saying that usually the files marked with “Jiangmin” as a threat are false positives.

So what do you think? Could I have been infected even if I never executed the file? Is this a false positive? If I am infected, what should I do next?

Thank you for your help, and so sorry for the length of the post; I wanted to be as thorough as possible so that you can have all the information to give me your opinion.

Edit: Kaspersky already finished, and it detected 0 threats (: .

submitted by /u/_jake2240_
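The triage the poster did by hand (hash the download, compare it with what the scanners reported on, then weigh how many engines actually flagged it) can be scripted; the example below is added here and is not code from the post or from any of the scanning services. It assumes a report in the vendor-to-verdict shape of VirusTotal's `last_analysis_results`, and the vendor verdicts in `SAMPLE_RESULTS` are constructed to mirror the post, not real scan output.

```python
import hashlib

# SHA-256 the poster reported for WinZipStubInstaller.exe (copied from the post).
REPORTED_SHA256 = "b706eb45419c20fa60de564b8713bfa68fa0d4f3b8aee287ac61242a535e16f2"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash in 1 MiB chunks so a large installer is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_reported(digest: str, expected: str = REPORTED_SHA256) -> bool:
    """True if the local digest is the same file the online scanners reported on."""
    return digest.strip().lower() == expected.lower()


# Constructed report (vendor -> verdict), shaped like VirusTotal v3 'last_analysis_results'.
# The verdicts are invented to mirror the post: two engines flag, the rest say clean.
SAMPLE_RESULTS = {
    "Zillya":     {"category": "malicious",  "result": "Trojan.Generic.Heur"},
    "Jiangmin":   {"category": "suspicious", "result": "Heur.Suspicious"},
    "Kaspersky":  {"category": "undetected", "result": None},
    "Microsoft":  {"category": "undetected", "result": None},
    "ESET-NOD32": {"category": "undetected", "result": None},
    "Sophos":     {"category": "undetected", "result": None},
}


def triage(results: dict, min_consensus: int = 3) -> dict:
    """Count how many engines flag the file; a few hits that are all heuristic/generic
    names, with the major engines clean, is the usual signature of a false positive."""
    hits = {v: r["result"] for v, r in results.items()
            if r["category"] in ("malicious", "suspicious")}
    heuristic_only = all(any(k in (name or "").lower() for k in ("heur", "generic", "suspic"))
                         for name in hits.values())
    if not hits:
        verdict = "clean"
    elif len(hits) < min_consensus and heuristic_only:
        verdict = "likely false positive"
    else:
        verdict = "needs review"
    return {"hits": len(hits), "engines": len(results), "verdict": verdict,
            "flagged_by": sorted(hits)}
```

Run `sha256_of_file` on the downloaded file before trusting any online verdict: if the digest does not match, the scanners were looking at a different file.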