Korg3_Keygen malware?

Discussion in 'Software' started by SansUT117, Nov 19, 2021.

  1. SansUT117

    SansUT117 Member

    Joined:
    Oct 26, 2020
    Messages:
    30
    Likes Received:
    7
    Are the Korg keygens safe? The ones on the sister site by RET apparently leave a lot of files related with VMWare that are decoded with Base64 along other stuff related with 'MicrosoftEdgeUpdate.exe' and 'msedgeupdate.dll' that are kinda suspicious. Not really sure about the details because the test was done by someone else but they labeled it as dangerous?
     
  2.  
  3. thomas78

    thomas78 Kapellmeister

    Joined:
    Apr 15, 2020
    Messages:
    141
    Likes Received:
    44
    they are safe, end of story.

    they (and other keygens) are routinely labeled as malware, coz breaking protections is a bad thing, isnt it? but the keygen could be infected, of course. just use a reliable & trustworthy source, like the sister's site (wise choice of you!) i never ever got into any trouble with stuff from it.

    i took a look at legacy cell's ret keygen, 742,912 bytes. not even a megabyte. vmware? go to their page, id guess half a gigabyte? ret are really good, but i dont think even they are able to put vmware into a 700 k keygen :)
    but please, ask this "someone else" for details. or is "someone else" an antivirus? maybe online service? please be honest, otherwise the whole thread is more than useless!
     
    • Like Like x 1
    • Agree Agree x 1
    • List
  4. SansUT117

    SansUT117 Member

    Joined:
    Oct 26, 2020
    Messages:
    30
    Likes Received:
    7
    I explained it wrong because I am very monkey on this kind of topic but I will just copy paste their findings.

    "It's basically this:

    The keygen file in analysis pings for the Microsoft edge executable and a base64 encoded information (which decoded shows us an update installation for edge version 1.3.147.37) along with some process from the downloaded msedgeupdate.dll. This pattern is very similar to this malware (https://www.estsecurity.com/enterprise/security-center/notice/view/8960?category-id=6) that uses that download data, msedgeupdate.dll and a malicious XOR operation to decode and execute malicious data.

    Dropped files include PowerPlan.log and a "javascript" ConDrv which are suspicious. Checking the hash for "ConDrv" in virustotal shows other files with the same hash with ip related names and malicious execution parents

    writes temp log file for ipconfig, which is an application that can be used to grab your IP. very suspicious

    THOR APT Scanner has a signature match for IsmDoor malware, which uses DNS tunneling to transmit data. Also a suspicious indicator of a packer also used by IsmDoor

    Opens very suspicious executables such as "C:\Users\user\Desktop\software.exe", "C:\Users\user\Desktop\program.exe" and "C:\Users\user\Desktop\executable.exe", these have in common with IsmDoor (https://www.virustotal.com/gui/file...e4b7c37b51f2768c08/behavior/VirusTotal ZenBox)

    Intentionally tries to detect a virtual machine to hinder analysis and detection (string: om&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&) (here is another malware that uses this: https://www.joesandbox.com/analysis/518394/0/html)

    tons of files opened for remote desktop protocol/services, very suspicious

    here are the virustotal analysis
    https://www.virustotal.com/gui/file...584c9b5fe6030559331a0d653fea958/behavior/C2AE"
     
    • Interesting Interesting x 1
    • List
  5. Guitarmaniac64

    Guitarmaniac64 Platinum Record

    Joined:
    Jun 5, 2011
    Messages:
    1,184
    Likes Received:
    223
    You may find this answer rude but it's the simple thruth
    All those crappy Malware and AV software even thinks old midiprogram is malware and even alot of legit software aswell.
    Its called false positive.
    But if you are afraid i say stay out if the warez world and dont ask anymore question here or elsewhere
    Instead buy all your software (and dont be supriced if some of those get red alert on your AV software that happens alot)
    People like you that is so afraid shouldnt be doing warez period!!
    You will post tons of new post here about this and that keygen will get red flag on your 6 - 10 software you have on your pc.

    But if you are interrested here is a tip i havent have an AV installed on my PC since 2007 i only have a good firewall sometimes if i get suspicous that i have installed some program that could have some malware or virus (Those are never from the sister site its usually other softwares like ngraphic or similar softwares) i can install a malware program and do a scan and then uninstall it a.s.a.p and even do an online antivirus scanning and the only thing they find is keygens and some patched exe files and still my PC works just fine.
    The choice is yours.
     
    Last edited: Nov 19, 2021
    • Like Like x 1
    • Winner Winner x 1
    • List
  6. thomas78

    thomas78 Kapellmeister

    Joined:
    Apr 15, 2020
    Messages:
    141
    Likes Received:
    44
    like @Guitarmaniac64 said, do or dont. "im not sure" and "but my antivirus has flagged" points to "no, warez is a harzardous thing for me, i dont want to take that risc". nothing bad mouthed, but you give them trust or you dont. and when you want to use anything warez related, a antivirus does more harm than good. a proper, reliable, trustworthy source, thats your protection against any virusses (viri?).
    anything has to be packed. when the authors of lsmdoor use the same packer, is the packer a bad thing? and anything thats packed with that packer? are counterstrike players all crazy shooters, because, the most of the school shooters play counterstrike even?
    the discussion is useless, you say "i will use warez, f*ck those false alarms" or you say "im a little pussy, i hesitate to touch warez, and anything illegal is a bad thing, at all!" :bleh:
    @Guitarmaniac64 hit the nail straight on the head, there are more than enough threads about virus alerts. please take a look, and watch the outcome!
    just a question, is music production your spare time fun, or do you want to become a pro?
     
  7. BEAT16

    BEAT16 Audiosexual

    Joined:
    May 24, 2012
    Messages:
    4,170
    Likes Received:
    3,161
    Yes you are safe.

    Lots of money is made from people's fears of viruses and Trojans.
    It's a whole security industry that scares you every day and earns a lot of money with it.
    Formula: create fear -> promise security -> sell products
     
  8. Polomo

    Polomo Audiosexual

    Joined:
    Oct 30, 2019
    Messages:
    784
    Likes Received:
    670
    If you're that scared

    1. Don't use keygens
    2. Use a second (Linux) Pc with a Windows VM to generate your licenses (Not work with every Keygen )
     
  9. Talula

    Talula Platinum Record

    Joined:
    Apr 22, 2018
    Messages:
    801
    Likes Received:
    224
  10. tnc

    tnc Kapellmeister

    Joined:
    Jun 16, 2011
    Messages:
    107
    Likes Received:
    60
    Location:
    New Zealand
    I've just made a deep analyze with a certain tool not mentioned here, which executes the file in a full system sandbox... and there's no network communication at all.

    Why would it include DNS tunneling applications when they are not used?....
    Nothing else is installed or executed after the keygen has shutdown either.
     
  11. thomas78

    thomas78 Kapellmeister

    Joined:
    Apr 15, 2020
    Messages:
    141
    Likes Received:
    44
    @SansUT117,
    a lot of members took care of you & your "problem", incl a deep analyze, explanations about av & their manufacturers and those keygens in general... way too much for that matter! so be nice, say thank you, and use that damned keygen!!!
     
  12. Olymoon

    Olymoon MODERATOR Staff Member

    Joined:
    Jan 31, 2012
    Messages:
    4,199
    Likes Received:
    2,988
    Same old mafia method :yes:
     
  13. SansUT117

    SansUT117 Member

    Joined:
    Oct 26, 2020
    Messages:
    30
    Likes Received:
    7
    Apologize I just logged in. Thank you everyone for checking this!
     
Loading...
Loading...