
Touhou 6 download link literally has multiple malwares in it.


Popcorn1339


Just a heads up, the "unsafe" and "harmful files" category is just for files that have been scanned by Hybrid Analysis and which were assumed to be harmful. (Obviously I think it is probably harmful.) But you can check it out yourself by going to the link for the files that I marked harmful/unsafe.

 


Well, Touhou06.exe seems to be the game file. The sandbox seems to be fine and marks it as "No specific Threat". STARTUPINFOA = The code checks for what model your computer is, what it looks like when it boots up, basically everything for a set amount of time during startup. I marked it as harmful as the virus websites (which contain virus software) did. But virus software could create false positives. So... it could be safe? Just be cautious when running it.


7 hours ago, Popcorn1339 said:

Oh fine, I'll just put the info in...

*This is what I've scanned so far in the download files.*

Safe Files:

custom.exe (96 KB) (https://www.hybrid-analysis.com/sample/5ab1f4e8bf31fc4f8484ab0882a882f0fb399ba758fc98601ae9a6f6e69b5cdf) 

enbconvertor.ini (113 bytes) (https://www.hybrid-analysis.com/sample/a200f7e7263e1913a73ef11904e49eaf1046c91f00e916a514e4d5691300de7f) (No sandbox)

Instructions.txt (431 bytes) (https://www.hybrid-analysis.com/sample/347e7cf1eee6c52d000e839110afd44f179fb44db012e2c62a134226992b200a) (No sandbox)

vpatch.exe (46 KB) (https://www.hybrid-analysis.com/sample/29a933678de5dc4bf7941ff8587e3fe2a4794f3cfdad94453200151376f6388a) 

vpatch.ini (319 bytes) (https://www.hybrid-analysis.com/sample/83dc1f784850a44a11132828a5e0ba3215d42b55cac5952d3a08c15b87accecf) (No sandbox)

東方紅魔郷.cfg (56 bytes) (https://www.hybrid-analysis.com/sample/fc7e2c23621b3dd3e4e4e9d7357db4fc23da2602e61b47bc9300fe49ccfba551) (No sandbox) 

紅魔郷CM.DAT (914 KB) (https://www.hybrid-analysis.com/sample/a899853d04e214ae4df8090bad7fd42698527027aa9dfccb4650fbb1d7828a0a) (No sandbox) 

紅魔郷ED.DAT (1.9 MB) (https://www.hybrid-analysis.com/sample/3fbb51f00785c98d6b4141a7a5a303f5955df3d181d2f220c2c6e81d717e9fee) (No sandbox)

紅魔郷IN.DAT (743 KB) (https://www.hybrid-analysis.com/sample/65d7ee9c4303bcb39f5f08a0ceaf7004e47fccc8242fd73db54b31a911f41af0) (No sandbox)

紅魔郷MD.DAT (299 KB) (https://www.hybrid-analysis.com/sample/8f8db1918842857a63eb7c76e7f971fb931203a6239c26828304fa3ce12da911) (No sandbox)

紅魔郷ST.DAT (2.8 MB) (https://www.hybrid-analysis.com/sample/0f834a35aef2d73b05cffecc830c017dacbcc6f11b9a0611a9da2f3970a112e7) (No sandbox)

紅魔郷TL.DAT (1017 KB) (https://www.hybrid-analysis.com/sample/c05f4fa755602f9369d7cebd5689cf3655ec81bb746f5b269ee0faf3d5f0a020) (No sandbox)

act_nut_lib.dll (109 KB) (https://www.hybrid-analysis.com/sample/e43941c738d872be52252b8a877662ed72ccab93d570659c305b934e207f499b) (No sandbox?)

bmpfont_create_gdi.dll (18 KB) (https://www.hybrid-analysis.com/sample/3ca8782a92829115b51d8fd6fc5fdf9c277c38733ff7bc1eb6d9aee1b84bfa5c) (No sandbox?)

bmpfont_create_gdiplus.dll (22 KB) (https://www.hybrid-analysis.com/sample/7a5eb7ea951678c32215a392c8229d076280e838e106e0e99478daee4474bf28) 

jansson.dll (44 KB) (https://www.hybrid-analysis.com/sample/78afe707ead28fb8bddf45ce30cecff3b30c9e6f1dbd8b2a64df7650acd03d08) 

libpng16.dll (154 KB) (https://www.hybrid-analysis.com/sample/4b329ca666f060739e045d339627e048f5b2a002d26dc50a7f9e1053ff900c91) 

Unknown Files:

dsd8.dll (100 KB) (https://www.hybrid-analysis.com/sample/1f0471c8fa53b035aa27d6d6505275e2ee0db55b6538b4e31fd79e54ce065759) 

東方紅魔郷.exe (500 KB) (https://www.hybrid-analysis.com/sample/9f76483c46256804792399296619c1274363c31cd8f1775fafb55106fb852245) 

thcrap_loader.exe (14 KB) (https://www.hybrid-analysis.com/sample/2c14782f1d2128a4cfede55293dc4b2a132458ecc60c7c642ff261e08d4c60f1) 

Harmful Files:

Touhou06-Config.exe (12 KB) (https://www.hybrid-analysis.com/sample/81329d804eb581292b4ec182a6c25faacce59b61eec91e6f744208e3ea5424da) (File is questionable at best)

Touhou06.exe (14 KB) (https://www.hybrid-analysis.com/sample/96fba15a5706e0c0e745dd2dbb93cb628247d1c855f15dfb2588d381597c30e3) (File is questionable at best)

vpatch_th06_unicode.dll (88 KB) (https://www.hybrid-analysis.com/sample/cc2513317da9ea8c832ef6d9cd95d12ead14b991a1eaed2d4c0fc27978b74e04) (File is questionable at best)

thcrap_configure.exe (17 KB) (https://www.hybrid-analysis.com/sample/ab9d0f1e76efcb6b9545c924e056568eba47f649e12f4076bea8a26d82c39380) (https://www.virustotal.com/graph/embed/gf2757a0e834448ca9d890f012c9921c112d6917d4d2a418ea2961b548e9dbe52) Well then, it seems that this exe file is communicating with another file that clearly has malware in it. (File is questionable at best)

 
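An added check, not code from the thread: the Hybrid Analysis links above carry each file's SHA-256 in the URL path, so a reader can confirm that the files they actually downloaded are the same samples these verdicts refer to. The listing regex and the constructed demo files are my assumptions; the two listing lines are copied from the post.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Two lines copied from the listing above; the URL path is the file's SHA-256.
POSTED_LISTING = """\
vpatch.exe (46 KB) (https://www.hybrid-analysis.com/sample/29a933678de5dc4bf7941ff8587e3fe2a4794f3cfdad94453200151376f6388a)
Touhou06.exe (14 KB) (https://www.hybrid-analysis.com/sample/96fba15a5706e0c0e745dd2dbb93cb628247d1c855f15dfb2588d381597c30e3) (File is questionable at best)
"""

# One listing line: "<name> (<size>) (https://www.hybrid-analysis.com/sample/<sha256>) ..."
LISTING_RE = re.compile(
    r"^(?P<name>\S+) \((?P<size>[^)]+)\) "
    r"\(https://www\.hybrid-analysis\.com/sample/(?P<sha256>[0-9a-f]{64})\)"
)

def parse_listing(text):
    """Return {filename: sha256} for every listing line found in text."""
    found = (LISTING_RE.match(line.strip()) for line in text.splitlines())
    return {m["name"]: m["sha256"] for m in found if m}

def sha256_of(path, chunk=1 << 16):
    # Stream the file so the multi-MB .DAT files are not read into memory at once.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_dir(expected, directory):
    """Map each listed filename to 'match', 'mismatch' or 'missing'."""
    def status(name, digest):
        p = Path(directory) / name
        if not p.is_file():
            return "missing"
        return "match" if sha256_of(p) == digest else "mismatch"
    return {n: status(n, d) for n, d in expected.items()}

def demo():
    """Constructed self-check: a matching, an altered and an absent file."""
    d = tempfile.mkdtemp()
    good = hashlib.sha256(b"constructed sample").hexdigest()
    Path(d, "a.exe").write_bytes(b"constructed sample")
    Path(d, "b.exe").write_bytes(b"altered")
    listing = "\n".join(f"{n} (1 KB) (https://www.hybrid-analysis.com/sample/{good})"
                        for n in ("a.exe", "b.exe", "c.exe"))
    return verify_dir(parse_listing(listing), d)

if __name__ == "__main__":
    print(demo())
```

Point `verify_dir(parse_listing(<full listing>), "<download folder>")` at the real folder; any "mismatch" means the download is not the sample that was scanned.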

Before you start doing analysis of these files, you have to understand a key thing: most antiviruses don't know if something is bad or good, they only know actions and popularity of software.
Since all of these antivirus software that detected touhou files are pretty niche (you ever used that VBA64?), and the game itself is niche, they just assume that it must be malware cause low-popularity rank (in their database), modified executables, and connection to update servers (translation, or patching).

Besides, if this was actually real malware, you can bet that big companies like Malwarebytes or Norton would flag it in their database by themselves and not with automatic heuristic analysis (100% that they already have this file in their database, since it is in VirusTotal).

Also the last file, it is not communicating with a file that has malware, it is quite the opposite. Someone on the internet had the same files as here and packed them with malware [most likely], hence the connection to these files, but it means nothing in this case. (Example: installers with adware are "Execution Parents" for legit software, but they also install adware [duh!])

So like I stated before everything points to this being false-positive.

P.S. If you are curious, you can check your own Windows files and they might be flagged by some niche AV software, or get Osu! from their official website and you gonna see it is connecting to some IPs that are flagged by some guy as linked to "emotet virus" but in reality it's just coincidence, cause viruses also can connect to legit IP addresses! So you can make the assumption that everything is a virus with that kind of mindset, so you need to look outside the box! (Hope you all the best in your future analysis though!)


I was mainly confused with the results of the sandbox and the results of the antivirus software, as the sandbox mainly said that it was fine, but the antivirus software didn't. (At that time, I knew about false positives and I thought that the software just used behavior-based detection to scan.) I just went with the results of the antivirus software. (Although I did take a look into the sandbox environment that the code was being run on, it only told me that the software was safe and wasn't running any processes that were suspicious.)

[For example, touhou06.exe was marked as malware by the antivirus websites, which consist of many different software, but was not marked as malware when run on a sandbox environment. Of course, I could do 2 options: 1. Scan the file more thoroughly by examining the processes that it did and confirm if it actually did have a malicious impact on the emulator. 2. Trust the antivirus software and just move on. "I assume you know what I did."]

Of course, I could've run it on my computer to determine if it was really malware. But of course, I was/still am too cautious.


10 hours ago, Gcat said:

This topic was one of the first things I saw on here. I just joined. Is there a virus or no, because I was looking forward to playing this.

The conclusion of this thread is that there is no virus involved on this website, at least as of the current version of the file.

That is what I meant to do
