Tool from "UserBenchmark" marked as mallware, but generic?

Hello @iOne 

Save a Scan log and post the line that shows the infection! Go to the WSA icon near the clock and right click on it ans select “Save a Scan Log” it should be near the bottom of the log.

I don’t have any in my log but should look like this!

[G] C:\Program Files (x86)\Samsung\Samsung Magician\SamsungMagician.exe [SHA256: 6316EBAABBFFD60B1A541474C1B7C46DA2580EB71BDD6C9FB5DE33F87DC5872C] [MD5: F96B3B282F4905F45207D66E3F40E294] [Flags: 00101000.7902]

Thanks,

I checked it out in one of my VM’s!

Tue 2023-10-03 12:22:31.0603    Infection detected: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0603    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0604    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0962    Infection detected: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0962    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0963    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0368    Infection detected: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0368    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0369    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0443    Infection detected: C:\Users\Daniel\AppData\Local\Microsoft\Windows\INetCache\IE\EW74KN54\UserBenchmarkSetup[1].exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0443    Infection found in realtime: C:\Users\Daniel\AppData\Local\Microsoft\Windows\INetCache\IE\EW74KN54\UserBenchmarkSetup[1].exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0446    Infection detected: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0447    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0483    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [(null)]

If you feel it’s a False Positive please contact Webroot Support Directly and they will help you!

Webroot Support:

Submit a ticket 24/7/365 and the best way.

Call 1-866-612-4227  during the week Mon - Fri 7 AM to 5:30 PM (MDT)

Note: When submitting a Support Ticket, Please wait for a response from Support. Putting in another Support Ticket on this problem before Support responses will put your first Support Ticket at the end of the queue.

Thanks,

Bad as in what bad?

Mallware is a very generic term.

If it means the program is collecting data and reporting it to a central sever on launch, well, yes…. that’s what it’s supposed to do.  If it’s doing more than that, it’s a problem.  But what “more”?

Tue 2023-10-03 13:08:54.0525    Infection detected: C:\Users\bryce\AppData\Local\Temp\UserBenchmarkSetup.exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
 

I’m just going by what they said:

Webroot Support (Oct 3, 2023 19:46)

RE:Is this bad or a FP?

Hello Daniel,

Thank you for providing us the file information. For this file we are keeping our determination as bad and you may allow this locally should you need it.

Regards,
Zach P.
The Webroot Advanced Malware Removal Team

 

 

Also the file when installed is much larger! Size: 14264876 bytes

https://www.virustotal.com/gui/file/f214da57ea18f3c4bef70f0f5f0c540b889bf214cadd6b011dc1f0a30bb528fd?nocache=1

The download is only. And the installer from VirusTotal https://www.virustotal.com/gui/file/ed3a4d2c00348ee99205c7d2f1c69405b0ab046ce10566c7d74ba0e190b75ed6

But after installed!

https://www.virustotal.com/gui/file/f214da57ea18f3c4bef70f0f5f0c540b889bf214cadd6b011dc1f0a30bb528fd?nocache=1

“Matches rule Malicious payloads that are hidden in fake Windows error logs by Ariel Millahuel at SOC Prime Threat Detection Marketplace”

So there is much more going on then what support told me. Maybe contact support and ask them yourself?

It appears they use NSIS which is a small bootloader:

https://sourceforge.net/projects/nsis/

That then brings in the full program.  Which, by the way, is a portable EXE that’s not actually installed just dropped into a folder.

The question remains: is the installer triggering these warnings, or some actual behavior of the program?

Contact support and ask them as they would know! @DanP can you add anything here?

Thanks,

Hey everyone!

For this software you will have to just do a local allow (manual override) as stated early in this post.

For reasons as to why our Research Team will not be whitelisting this vendor’s files:

It's unsigned, It escalates privileges, it creates an executable file (exe that creates and exe), it writes executable commands to log files.  We have historically reversed single hashes of this file and again it's not that we think it's overtly bad but in the age of BYOV and other supply chain attacks there just isn't enough safeguards for us to whitelist. 

They will be discussing this niche of questionable software in broader org meetings so please let us know your feedback!

Thanks Tyler for your explanation! 👍