Kaspersky
Question

False Positive: my code is detected as HEUR:Trojan.MSIL.Crypt.gen

  • 18 December 2020

Hi,

My main file Bravo8.exe has been detected by the newest updated Kaspersky Internet Security in Windows 10 as “HEUR:Trojan.MSIL.Crypt.gen”.

But it is undetected on https://opentip.kaspersky.com/.

This file is written in C# (.NET Framework 4.5). It just copies itself to the temp folder to run, then creates a new AppDomain with shadow copy, then calls ExecuteAssembly on another .NET executable file.

The file uses babelfor.NET 8.7 for obfuscation, merging, anti-reflection, anti-tampering… I’ve attached it here.

What should I do now?

Thank you!


4 replies

Userlevel 7

@pocketme Welcome.
If not yet done, please click “Submit to reanalyze” in Kaspersky OpenTip;
also, here is the Kaspersky Whitelist information.

Hi, Berny. I did submit to reanalyze. I have accessed https://aws.kaspersky.com/file-reputation but I really don’t get your point, sorry. How can Kaspersky Whitelist solve my problem?

Thank you!

Userlevel 3

Hi,

I have downloaded your attachment now and scanned your file with KIS version 21.2.16.590 (a), and it detected nothing malicious; it says “safe”. I also analyzed it with the analyze.intezer.com site, and in the dynamic execution part it found only one suspicious packed process, and only in that process found some malicious code named “malicious packer” and “evrial”. As a result of the scan, Intezer says “unknown” - “unique code”. The problem with KIS seems to have been solved for your file. I just wanted to inform you.

Best wishes

Edit: I didn’t read your post carefully, sorry. I think this file was the obfuscated, merged, anti-reflected, anti-tampered one. :) You can check your original file from time to time with Kaspersky, after the “Kaspersky Whitelist” solution they suggested.

Userlevel 7

@pocketme This community cannot resolve FP issues, please contact K-Lab Technical Support https://center.kaspersky.com 
