Payload Dumpers and Security (HIGH RISK)


djcrystals

Senior Member
Nov 29, 2011
399
139
City Of Tonawanda
I have been messing with these Payload Dumper execution files and have found them to be malicious, non-false positive. I have a highly secure position at a chemical company and our computer security apparatus has been dialed-up a notch, rightly so. I had previously found these executables to be quite handy but when messing with them today, after having not used it in a while, I found them to have some suspicious behavior. My computer has recently undergone some upgrades in the security department and I'd like to share with the community what I have found. I'm sure many of you use these on a regular basis. I am posting the results from two popular locations from which these files are received.

The 1st: https://github.com/ssut/payload-dumper-go/releases (payload-dumper-go.exe)
Result: https://www.virustotal.com/gui/file...87757940e9eed41428a9388dc05b25f04d7/detection

The 2nd: https://mega.nz/folder/vU00FZDa#PIEfjl5w5wonyNAwHW3FBQ (payload-dumper.exe)
Result: https://www.virustotal.com/gui/file...cd8a7dd5067bd1384b074b121da5bc244bb/detection

I can't share what the anti-virus program on my computer came up with as it has some proprietary information sprinkled throughout but it's along the same lines as what is discussed on the links I shared. For example....in both instances the registry of the computer being used is being altered in ways that are absolutely meant for disingenuous motives.

I highly suggest if you have been using these, you remove them and scrub your machine.

BobbyHoggatt

Member
Feb 14, 2021
10
3
38
Grants pass or
OnePlus 8 Pro
The only reason I like XDA is the open source policy. I'm pretty sure there's nothing malicious with the payload dumper if you downloaded it from this site. Anytime you have files that can manipulate operating systems, they would throw up red flags with your antivirus. So I say relax my Friend!

djcrystals

Senior Member
Nov 29, 2011
399
139
City Of Tonawanda
The only reason I like XDA is the open source policy. I'm pretty sure there's nothing malicious with the payload dumper if you downloaded it from this site. Anytime you have files that can manipulate operating systems, they would throw up red flags with your antivirus. So I say relax my Friend!
It did. There were never problems with either of those files in the past. I recently had to redownload the files because I thought I had deleted my original which I obtained late last year. The 1st one I downloaded was the one from Mega and it immediately had a hit when I tried to run it. I blow these things off all the time because there are so many false positives but I have had extensive training these last few weeks with my company's IT department in regards to the influx of malicious software. The Microsoft Exchange hack is wreaking havoc on companies like mine, which is DuPont. Hackers have been able to gain access to proprietary information on a scale that is unfathomable. I expected this reaction from the thread and that's understandable. I am telling you though, I spent several hours with both of these files. They both exhibited behavior that was not relative to its intended purpose. I forwarded both files to our IT's Security Analyst and he said it's not a false positive...for either. He didn't have time to perform any further analysis to see where and when it may have been tampered with. I don't think he gives a **** about rooting his phone or the XDA. I honestly don't think he gives a **** about life either but that's beside the point.

I don't think the creator(s) of the original file are at fault. I was able to dig up an older Payload Dumper and it was fine......newer downloads are not. I'm not trying to cause a stink or start an argument or anything. I would hope that if anyone else noticed something of this nature that they too would bring it to the community's attention.

I don't really have anything else to say about it. I wouldn't have wasted my time messing with any of this crap today if I didn't think it was important. Anything's possible. Take it or leave it.
 

dladz

Senior Member
Aug 24, 2010
12,261
3,604
Liverpool
I have been messing with these Payload Dumper execution files and have found them to be malicious, non-false positive. I have a highly secure position at a chemical company and our computer security apparatus has been dialed-up a notch, rightly so. I had previously found these executables to be quite handy but when messing with them today, after having not used it in a while, I found them to have some suspicious behavior. My computer has recently undergone some upgrades in the security department and I'd like to share with the community what I have found. I'm sure many of you use these on a regular basis. I am posting the results from two popular locations from which these files are received.

The 1st: https://github.com/ssut/payload-dumper-go/releases (payload-dumper-go.exe)
Result: https://www.virustotal.com/gui/file...87757940e9eed41428a9388dc05b25f04d7/detection

The 2nd: https://mega.nz/folder/vU00FZDa#PIEfjl5w5wonyNAwHW3FBQ (payload-dumper.exe)
Result: https://www.virustotal.com/gui/file...cd8a7dd5067bd1384b074b121da5bc244bb/detection

I can't share what the anti-virus program on my computer came up with as it has some proprietary information sprinkled throughout but it's along the same lines as what is discussed on the links I shared. For example....in both instances the registry of the computer being used is being altered in ways that are absolutely meant for disingenuous motives.

I highly suggest if you have been using these, you remove them and scrub your machine.

I've worked for several top global firms and all their security does not like programs that can alter or extract information like what payload dumper can. Similarly, they don't like docx files yet are happy for zips (password protected) containing very malicious files to pop through their security. I cannot vouch for all locations where you can obtain payload dumper but the one I use is not malicious.

The nature of the program is the problem. Again, I can't vouch for all of them, but the GitHub one should be ok.

I've got some more than adequate scanners here. I'll see if anything pops up, but I'm sceptical it'll find anything, also hoping it doesn't, but will share here if it does.
 
Last edited:

djcrystals

Senior Member
Nov 29, 2011
399
139
City Of Tonawanda
I've worked for several top global firms and all their security does not like programs that can alter or extract information like what payload dumper can. Similarly, they don't like docx files yet are happy for zips (password protected) containing very malicious files to pop through their security. I cannot vouch for all locations where you can obtain payload dumper but the one I use is not malicious.

The nature of the program is the problem. Again, I can't vouch for all of them, but the GitHub one should be ok.

I've got some more than adequate scanners here. I'll see if anything pops up, but I'm sceptical it'll find anything, also hoping it doesn't, but will share here if it does.
I appreciate someone else showing some interest in this. Trust me, I shared your skepticism initially. That's why I spent so much time verifying my initial results before posting anything about it. Ultimately, the biggest red flag for me was coming from the security software my IT department has recently installed on our systems. Without going into too much detail it allows you to run an exe in a mock VM of your current environment. The results from both of those runs were surprisingly different, even though they should have the same exact objective. The Dumpers, in both instances, went well beyond their realm of file expansion (understatement).

My IT friend said this morning there's always the possibility the file/process was corrupted after downloading it, one of the least likely scenarios but still a possibility....which just led me to conjure up a million more questions for him. Needless to say, I won't be using that laptop again until after he takes a look at it.

dladz

Senior Member
Aug 24, 2010
12,261
3,604
Liverpool
I appreciate someone else showing some interest in this. Trust me, I shared your skepticism initially. That's why I spent so much time verifying my initial results before posting anything about it. Ultimately, the biggest red flag for me was coming from the security software my IT department has recently installed on our systems. Without going into too much detail it allows you to run an exe in a mock VM of your current environment. The results from both of those runs were surprisingly different, even though they should have the same exact objective. The Dumpers, in both instances, went well beyond their realm of file expansion (understatement).

My IT friend said this morning there's always the possibility the file/process was corrupted after downloading it, one of the least likely scenarios but still a possibility....which just led me to conjure up a million more questions for him. Needless to say, I won't be using that laptop again until after he takes a look at it.

I worked for the IT dept at those companies I mentioned and the vast majority of these flags were indeed not malicious, but it was the very nature of the potential intent that these programs could be used for.

Sort of like a piece of wire being compared to a garrotte, it's obviously just a piece of wire but the potential is still there and virus scanners normally have a field day.

Like I said, pop it in a zip file and the same scanners will do nothing; try some docx files, especially over email; McAfee had a meltdown lol. It's funny to me but irritating to the end user.

Also was helping a neighbour move over a tonne of soil and concrete today so I didn't have a chance to do any scanning, but judging by how my body feels now I think tomorrow I should be ok to :D certainly won't be moving much tomorrow, I'm broken.

What are they using to scan btw? Is this the virus sweep program they're running or the actual antivirus? Or on demand scanners?

djcrystals

Senior Member
Nov 29, 2011
399
139
City Of Tonawanda
I worked for the IT dept at those companies I mentioned and the vast majority of these flags were indeed not malicious, but it was the very nature of the potential intent that these programs could be used for.

Sort of like a piece of wire being compared to a garrotte, it's obviously just a piece of wire but the potential is still there and virus scanners normally have a field day.

Like I said, pop it in a zip file and the same scanners will do nothing; try some docx files, especially over email; McAfee had a meltdown lol. It's funny to me but irritating to the end user.

Also was helping a neighbour move over a tonne of soil and concrete today so I didn't have a chance to do any scanning, but judging by how my body feels now I think tomorrow I should be ok to :D certainly won't be moving much tomorrow, I'm broken.

What are they using to scan btw? Is this the virus sweep program they're running or the actual antivirus? Or on demand scanners?
We had been using McAfee since I started, in 2011....switched to ESET. It is either a slow roll-out or a trial....I'm not sure. Anyone that's received any type of major software upgrade or hardware upgrade has had the antivirus switched as well. The VM exe mock-up is my favorite thing though. That's separate from the antivirus software. It's just a tool we can download and use to test things we'd like to install that aren't in the software bank. This is where the alterations were picked up. Each file had different alterations. The one from Mega attempted to alter inbound/outbound rules for the firewall. I re-downloaded the one from GitHub using my laptop running Kubuntu, transferred the file to my GDrive and ran the scan on it again. This time it came up clean. The Mega file continued to come up with malicious behavior. Needless to say I'm just not going to use my work computer again until my buddy looks at it Monday. I wasted way too much time messing with this. It was interesting at first but now I'm just annoyed....lol...because I wasted so much time.
Thank you for engaging me on this. I appreciate you taking time to look at it too.

dladz

Senior Member
Aug 24, 2010
12,261
3,604
Liverpool
We had been using McAfee since I started, in 2011....switched to ESET. It is either a slow roll-out or a trial....I'm not sure. Anyone that's received any type of major software upgrade or hardware upgrade has had the antivirus switched as well. The VM exe mock-up is my favorite thing though. That's separate from the antivirus software. It's just a tool we can download and use to test things we'd like to install that aren't in the software bank. This is where the alterations were picked up. Each file had different alterations. The one from Mega attempted to alter inbound/outbound rules for the firewall. I re-downloaded the one from GitHub using my laptop running Kubuntu, transferred the file to my GDrive and ran the scan on it again. This time it came up clean. The Mega file continued to come up with malicious behavior. Needless to say I'm just not going to use my work computer again until my buddy looks at it Monday. I wasted way too much time messing with this. It was interesting at first but now I'm just annoyed....lol...because I wasted so much time.
Thank you for engaging me on this. I appreciate you taking time to look at it too.

That's quite unusual for a company to allow that, it's great lol.

As with the mega file, how have you downloaded it? As a zip or a standard? Try to get the files as just the raw payload dumper exe and folders.

My browser blocks the downloading from Mega sometimes when I choose standard download instead of zip.
 

djcrystals

Senior Member
Nov 29, 2011
399
139
City Of Tonawanda
That's quite unusual for a company to allow that, it's great lol.

As with the mega file, how have you downloaded it? As a zip or a standard? Try to get the files as just the raw payload dumper exe and folders.

My browser blocks the downloading from Mega sometimes when I choose standard download instead of zip.
Raw, no zip. Is there an antivirus that you're aware of that excels in weeding out false-positives? Doing a search on something like that is a waste of time. You get bombarded with suspect information.

My IT buddy looked at it a little more. He said the GitHub file was fine but he said the Mega folder I sent him attempted to trigger a crypto-miner malware install. He said the file had been altered from its original state. He hasn't responded with details yet. He just said it looks to have been recent and poorly done. I'll let you know if he says anything else.
 
Last edited:
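The practical takeaway from the thread is that the same tool fetched from a mirror can differ from the official GitHub release, and that a hash check catches that before the file is ever run. The script below is an added example, not code from any poster or from the payload-dumper-go project; it assumes you have copied the SHA-256 of the official release artifact into a sha256sum-style text file, and every binary and hash it uses is constructed for the demonstration.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Optional, Tuple

# VirusTotal can be queried by SHA-256 without uploading the file; this is the
# same URL shape as the detection links posted in the thread.
VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}/detection"


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large binary never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ('<hex>  <name>'; a leading '*' on the name means binary mode)."""
    pinned: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        pinned[name] = digest
    return pinned


@dataclass(frozen=True)
class Verdict:
    filename: str
    actual: str              # SHA-256 of the file on disk
    expected: Optional[str]  # pinned SHA-256 for that filename, if any
    lookup_url: str          # where to check the hash without uploading the file

    @property
    def ok(self) -> bool:
        return self.expected is not None and self.actual == self.expected

    @property
    def reason(self) -> str:
        if self.expected is None:
            return "no pinned hash for this filename: do not run it"
        if self.actual != self.expected:
            return "hash mismatch: file differs from the pinned release artifact"
        return "matches the pinned release hash"


def verify_artifact(path: Path, pinned: Dict[str, str]) -> Verdict:
    """Compare a downloaded file with the pinned hashes; run it only when verdict.ok is True."""
    actual = sha256_of_file(path)
    return Verdict(path.name, actual, pinned.get(path.name), VT_FILE_URL.format(sha256=actual))


def demo() -> Tuple[Verdict, Verdict, Verdict]:
    """Constructed scenario: a clean copy, a tampered mirror copy, and a file nobody pinned."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        official = root / "payload-dumper-go.exe"
        official.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed stand-in for the release binary")
        mirror = root / "mirror"
        mirror.mkdir()
        # Same filename, but extra bytes appended: exactly what a hash check catches.
        tampered = mirror / "payload-dumper-go.exe"
        tampered.write_bytes(official.read_bytes() + b"\x90" * 16)
        # A differently named build with no pinned hash is rejected, not trusted by default.
        unknown = mirror / "payload-dumper.exe"
        unknown.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed build of unknown provenance")
        # Stands in for the hash you copy by hand from the official release page.
        pinned = parse_sha256sums(f"{sha256_of_file(official)}  payload-dumper-go.exe\n")
        return (verify_artifact(official, pinned),
                verify_artifact(tampered, pinned),
                verify_artifact(unknown, pinned))


if __name__ == "__main__":
    for v in demo():
        print(f"{v.filename}: {'OK' if v.ok else 'REJECT'} ({v.reason})\n  {v.lookup_url}")
```

A hash match only proves the file is the one the project published, not that the project itself is trustworthy; the lookup URL is the cheap second step when a scanner flags a file you have not uploaded.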

dladz

Senior Member
Aug 24, 2010
12,261
3,604
Liverpool
Raw, no zip. Is there an antivirus that you're aware of that excels in weeding out false-positives? Doing a search on something like that is a waste of time. You get bombarded with suspect information.

My IT buddy looked at it a little more. He said the GitHub file was fine but he said the Mega folder I sent him attempted to trigger a crypto-miner malware install. He said the file had been altered from its original state. He hasn't responded with details yet. He just said it looks to have been recent and poorly done. I'll let you know if he says anything else.

Trend micro has a virus identifier which has been pretty good.

Malwarebytes (on demand not AV) had always grabbed things.

But for false positives, they're not really false. The nature of the application, if identified to be able to modify something else in a particular way, should really be flagged; most of the time they're harmless but I think I'd rather know than not know.

Once you think it's safe just mark it as such, you could rely on other people's experience but I'd like to decide myself.

I've been away from that particular part of the job for a while but you can get scanners that work pre OS which are a lot more reliable, but for singular files I used to use some software and I cannot for the life of me remember the name of it. I've got it on a stick somewhere, I'll have a look for it, but it's superb and hasn't let me down.
 
Last edited:

hellcat50

Senior Member
Jun 29, 2014
999
496
I am using the 2nd payload dumper. But since it's not running as administrator I guess if anything it can only wreak havoc on the current user profile. And since I am using a strict firewall, it cannot connect to the internet either. In addition to that I usually use Sandboxie on Windows to sandbox those applications.
 

djcrystals

Senior Member
Nov 29, 2011
399
139
City Of Tonawanda
Trend micro has a virus identifier which has been pretty good.

Malwarebytes (on demand not AV) had always grabbed things.

But for false positives, they're not really false. The nature of the application, if identified to be able to modify something else in a particular way, should really be flagged; most of the time they're harmless but I think I'd rather know than not know.

Once you think it's safe just mark it as such, you could rely on other people's experience but I'd like to decide myself.

I've been away from that particular part of the job for a while but you can get scanners that work pre OS which are a lot more reliable, but for singular files I used to use some software and I cannot for the life of me remember the name of it. I've got it on a stick somewhere, I'll have a look for it, but it's superb and hasn't let me down.
I think that was the idea behind having access to the mock up exe VM environment. I guess the thinking behind giving us access to it is it allowed us to take it one step further. The antivirus gives you a result of what it could do....then we use that and this is what it will do....IT Security was my 3rd choice in life. I went for Meteorology...ended up working in the chemical industry and made my way from there....there was once a fork in the road, where someone offered me an inroad to a life changing entry level IT Security job and I was in the midst of the interview process for DuPont. We had all the certificates worked out that I'd require to get in and everything. It was a tough choice. I made the right decision, I think.
Was that software you're talking about Farbar?

brashmadcap

Senior Member
May 22, 2010
464
159
Texas
"I have a highly secure position at a chemical company"

I sincerely hope it's not in the IT department

All of these "positives" are generics, probably AI detecting the executable as malicious because by its nature it is designed to unpack intercepted firmware updates. This is exactly the kind of thing that sophisticated (eg supply chain attack/nation-state-backed) malware would do.

Plus the heuristics of the name "payload" and "dump[er]" very likely trigger more vigilant/deep inspection
 

djcrystals

Senior Member
Nov 29, 2011
399
139
City Of Tonawanda
"I have a highly secure position at a chemical company"

I sincerely hope it's not in the IT department

All of these "positives" are generics, probably AI detecting the executable as malicious because by its nature it is designed to unpack intercepted firmware updates. This is exactly the kind of thing that sophisticated (eg supply chain attack/nation-state-backed) malware would do.

Plus the heuristics of the name "payload" and "dump[er]" very likely trigger more vigilant/deep inspection
My position is not in the IT department. Don't troll me for bringing up a valid security concern for the community as a whole. If you had read through the thread you'd see what was researched and what @dladz and I discussed. I had a verified reason for raising suspicion. Condescension is the weakest form of expression on XDA. Please don't disrespect me or anyone else. It makes this place miserable. It's why I hate posting here. Ridiculous.
 

djcrystals

Senior Member
Nov 29, 2011
399
139
City Of Tonawanda
Hey I can certainly respect you raising your concerns, it's made me double check my stuff. That being said have you raised your concern with XDA or any other developer site? If so what was the reply? I would appreciate if you would let me know and again thanks for bringing this matter up!
My computer is being looked at by IT. I'll be sure to update on any findings.
 
