
StoicGoose.dll detected as trojan by Microsoft Defender and Malwarebytes + VirusTotal

Open Natsuki-Lucy-Marx opened this issue 2 years ago • 2 comments

StoicGoose.dll set off my Microsoft Defender. I allowed it to remove the file, but even before I did that the StoicGoose.exe process didn't actually open any windows.

After scanning the DLL on VirusTotal, Microsoft Defender gets set off again, but so does Malwarebytes.


Those IP addresses both lead to America.

Why is this DLL detected as a trojan?

Natsuki-Lucy-Marx avatar Jun 06 '22 11:06 Natsuki-Lucy-Marx

That's what I'd like to know, seriously. This (i.e. Defender flagging it as suspicious) has been mentioned on Reddit as well, and I've been trying to figure out what's going on. Here are my thoughts so far:

  • From my understanding of modern .NET, by default the majority of a program's code now resides inside the DLL instead of the executable. So the program won't run without the DLL present.
  • Looking up "Wacatac.B!ml" indicates that it's a common false positive, plus the "!ml" suffix apparently indicates that this detection is the result of machine learning, with all the limitations and caveats that implies.
  • Both IPs belong to Microsoft themselves, with 13.107.4.52 being www.msftconnecttest.com, an internet connection test used by Windows 10 and 11.
  • My best guess for 20.99.132.105 is that it's an endpoint for Windows' Error Reporting service, as the C2AE behavior description indicates processes belonging to or related to WER, such as WerFault or wmiadap.

So, my conclusion for now:

  • Microsoft Defender scans the DLL and, based on machine learning, misdetects it as malware.
  • StoicGoose crashes on your and/or VirusTotal's end for some reason, be it the deleted DLL file or some other incompatibility.
  • The crash causes Windows to run its Error Reporting service on the application.
  • Error reporting reads the registry, creates and deletes temporary files (see also, e.g., the Microsoft Sysinternals output under Behaviors on VirusTotal), etc.
  • It then checks if an internet connection exists (13.107.4.52) and then sends the results to Microsoft (20.99.132.105?).

I do not know what to do about this. I have no networking code in the emulator; it only reads/writes its own directory and the StoicGoose folder in your Documents directory, etc.

It seems like code signing would be a way around these issues, but such a certificate costs money. I could also create a self-signed certificate myself, and while I highly doubt that would solve this - because there's no trust in one since anyone can make one - I'll try to look into this in more detail.

xdanieldzd avatar Jun 06 '22 21:06 xdanieldzd
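For anyone hitting the same Defender flag, the following PowerShell triage helper collects, offline, the facts the reply above reasons about: the file hash to compare against the VirusTotal entry, whether the DLL is a managed .NET assembly, its Authenticode status, and Defender's own detection record (with the threat name, so a "!ml" machine-learning verdict is visible). It is an added example, not code from the StoicGoose project, and it assumes Windows PowerShell 5.1+ with the Defender module; the function name and the download path are hypothetical.

```powershell
# Added triage helper (not part of StoicGoose). Assumes Windows PowerShell 5.1+
# with the Defender cmdlets available; the function name is hypothetical.
function Get-FlaggedAssemblyReport {
    param([Parameter(Mandatory)][string]$Path)

    # Fails early if Defender already quarantined the file, which is itself a finding.
    $file = Get-Item -LiteralPath $Path

    # SHA256 to compare against the VirusTotal report, so you know it is the same build.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Reads only the assembly metadata (no code runs). Modern .NET keeps the program's
    # code in the DLL, so StoicGoose.dll is expected to be a managed assembly.
    $isManaged = $true
    try { [void][System.Reflection.AssemblyName]::GetAssemblyName($file.FullName) }
    catch [System.BadImageFormatException] { $isManaged = $false }

    # Authenticode status; an unsigned hobby build reports 'NotSigned'.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Defender's detection history for this exact path, resolved to the threat name
    # (a '!ml' suffix marks a machine-learning verdict rather than a signature match).
    $detections = Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.Resources -match [regex]::Escape($file.FullName) } |
        ForEach-Object {
            $t = Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ThreatName = $t.ThreatName
                Detected   = $_.InitialDetectionTime
                Actioned   = $_.ActionSuccess
            }
        }

    [pscustomobject]@{
        File            = $file.FullName
        SHA256          = $hash
        ManagedAssembly = $isManaged
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Detections      = @($detections)
    }
}

# Hypothetical location of the extracted release.
Get-FlaggedAssemblyReport -Path "$env:USERPROFILE\Downloads\StoicGoose\StoicGoose.dll"
```

A report showing a managed, unsigned assembly with a single "!ml"-suffixed detection and a hash matching the VirusTotal entry is consistent with the false-positive explanation above; a hash mismatch would instead mean the scanned file is not the release build.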

Think this has been fixed in the latest update

Natsuki-Lucy-Marx avatar Aug 10 '22 12:08 Natsuki-Lucy-Marx