Payload Dumpers and Security (HIGH RISK)

[djcrystals]

I have been messing with these Payload Dumper execution files and have found them to be malicious, non-false positive. I have a highly secure position at a chemical company and our computer security apparatus has been dialed-up a notch, rightly so. I had previously found these executables to be quite handy but when messing with them today, after having not used it in awhile, I found them to have some suspicious behavior. My computer has recently undergone some upgrades in the security department and I'd like to share with the community what I have found. I'm sure many of you use these on a regular basis. I am posting the results from two popular locations from which these files are received.

The 1st: https://github.com/ssut/payload-dumper-go/releases (payload-dumper-go.exe)
Result: https://www.virustotal.com/gui/file...87757940e9eed41428a9388dc05b25f04d7/detection

The 2nd: https://mega.nz/folder/vU00FZDa#PIEfjl5w5wonyNAwHW3FBQ (payload-dumper.exe)
Result: https://www.virustotal.com/gui/file...cd8a7dd5067bd1384b074b121da5bc244bb/detection

I can't share what the anti-virus program on my computer came up with as it has some proprietary information sprinkled throughout but it's along the same lines as what is discussed on the links I shared. For example....in both instances the registry of the computer being used is being altered in ways that is absolutely meant for disingenuous motives.

I highly suggest if you have been using these, you remove them and scrubb your machine.

 

[Lossyx]

The first dumper is literally open source, just use the go files lol

 

[djcrystals]

The first dumper is literally open source, just use the go files lol

I understand. Just because a file originates open source doesn't mean it can't be tampered with. I have a paydumper go file I downloaded last year that checks out, it's clean. What I obtained from both those sites today, did not check out.

 

[BobbyHoggatt]

The only reason I like XDA is the open source policy. I'm pretty sure there's nothing malicious with the payload dumper if you downloaded it from this site.. anytime you have files that can manipulate operating systems would throw up red flags with your antivirus.. So I say relax my Friend!

 

[djcrystals]

The only reason I like XDA is the open source policy. I'm pretty sure there's nothing malicious with the payload dumper if you downloaded it from this site.. anytime you have files that can manipulate operating systems would throw up red flags with your antivirus.. So I say relax my Friend!

It did. There were never problems with either of those files in the past. I recently had to redownload the files because I thought I had deleted my original which I obtained late last year. The 1st one I downloaded was the one from Mega and it immediately had a hit when I tried to run it. I blow these things off all the time because there are so many false positives but I have had extensive training these last few weeks with my company's IT department in regards to the influx of malicious software. The Microsoft Exchange hack is wreaking havoc on companies like mine, which is Dupont. Hackers have been able to gain access to proprietary information on a scale that is unfathomable. I expected this reaction from the thread and that's understandable. I am telling you though, I spent several hours with both of these files. They both exhibited behavior that was not relative to its intended purpose. I forwarded both files to our IT's Security Analyst and he said it's not a false positive...for either. He didn't have time to perform any further analysis to see where and when it may have been tampered with. I don't think he gives a **** about rooting his phone or the XDA. I honestly don't think he gives a **** about life either but that's besides the point.

I don't think the creator(s) of the original file are at fault. I was able to dig up an older Payload Dumper and it was fine......newer downloads are not. I'm not trying to cause a stink or start an argument or anything. I would hope that if anyone else noticed something of this nature that they too would bring it to the community's attention.

I don't really have anything else to say about it. I wouldn't have wasted my time messing with any of this crap today if I didn't think it was important. Anything's possible. Take it or leave it.

 

[djcrystals]

For example.... https://arstechnica.com/gadgets/202...tole-credentials-escaped-notice-for-3-months/

 

[dlads]

I have been messing with these Payload Dumper execution files and have found them to be malicious, non-false positive. I have a highly secure position at a chemical company and our computer security apparatus has been dialed-up a notch, rightly so. I had previously found these executables to be quite handy but when messing with them today, after having not used it in awhile, I found them to have some suspicious behavior. My computer has recently undergone some upgrades in the security department and I'd like to share with the community what I have found. I'm sure many of you use these on a regular basis. I am posting the results from two popular locations from which these files are received.

The 1st: https://github.com/ssut/payload-dumper-go/releases (payload-dumper-go.exe)
Result: https://www.virustotal.com/gui/file...87757940e9eed41428a9388dc05b25f04d7/detection

The 2nd: https://mega.nz/folder/vU00FZDa#PIEfjl5w5wonyNAwHW3FBQ (payload-dumper.exe)
Result: https://www.virustotal.com/gui/file...cd8a7dd5067bd1384b074b121da5bc244bb/detection

I can't share what the anti-virus program on my computer came up with as it has some proprietary information sprinkled throughout but it's along the same lines as what is discussed on the links I shared. For example....in both instances the registry of the computer being used is being altered in ways that is absolutely meant for disingenuous motives.

I highly suggest if you have been using these, you remove them and scrubb your machine.

I've worked for several top global firms and all their security does not like programs that can alter or extract information like what payload dumper can, similarly they don't like docx files yet are happy for zip's (password protected) containing very malicious files to pop through their security, I cannot vouch for all locations where you can obtain payload dumper but the one I use is not malicious.

The nature of the program is the problem, again I can't vouch for all of them, the GitHub one should be ok though.

I've got some more then adequate scanners here. I'll see if anything pops up, but I'm sceptical it'll find anything, also hoping it doesn't, but will share here if it does.

 

[djcrystals]

I've worked for several top global firms and all their security does not like programs that can alter or extract information like what payload dumper can, similarly they don't like docx files yet are happy for zip's (password protected) containing very malicious files to pop through their security, I cannot vouch for all locations where you can obtain payload dumper but the one I use is not malicious.

The nature of the program is the problem, again I can't vouch for all of them, the GitHub one should be ok though.

I've got some more then adequate scanners here. I'll see if anything pops up, but I'm sceptical it'll find anything, also hoping it doesn't, but will share here if it does.

I appreciate someone else showing some interest in this. Trust me, I shared your skepticism initially. That's why I spent some much time verifying my initial results before posting anything about it. Ultimately, the biggest red flag for me was coming from the security software my IT department has recently installed on our systems. Without going into too much detail it allows you to run an exe in a mock VM of your current environment. The results from both of those runs were surprisingly different, even though they should have the same exact objective. The Dumpers, in both instances, went well beyond their realm of file expansion (understatement).

My IT friend said this morning there's always the possibility the file/process was corrupted after downloading it, one of the least likely scenarios but still a possibility....which just lead me to conjure up a million more questions for him. Needless to say, I won't be using that laptop again until after he takes a look at it.

 

[dlads]

I appreciate someone else showing some interest in this. Trust me, I shared your skepticism initially. That's why I spent some much time verifying my initial results before posting anything about it. Ultimately, the biggest red flag for me was coming from the security software my IT department has recently installed on our systems. Without going into too much detail it allows you to run an exe in a mock VM of your current environment. The results from both of those runs were surprisingly different, even though they should have the same exact objective. The Dumpers, in both instances, went well beyond their realm of file expansion (understatement).

My IT friend said this morning there's always the possibility the file/process was corrupted after downloading it, one of the least likely scenarios but still a possibility....which just lead me to conjure up a million more questions for him. Needless to say, I won't be using that laptop again until after he takes a look at it.

I worked for the IT dept at those companies i mentioned and the vast majority of these flags were indeed not malicious, but it was the very nature of the potential intent that these programs could be used for.

Sort of like a piece of wire being compared to a garotte, it's obviously just a piece of wire but the potential is still there and virus scanners normally have a field day.

Like I said, pop it in a zip file and the same scanners will do nothing, try some docx files, especially over email; McAfee had a meltdown lol. It's funny to me but irritating to the end user.

Also was helping a neighbour move over a tonne of soil and concrete today so I didn't have a chance to do any scanning, but judging by how my body feels now I think tomorrow I should be ok to certainly won't be moving much tomorrow, I'm broken.

What are they using to scan btw? Is this the virus sweep program they're running or the actual antivirus? Or on demand scanners?

 

[djcrystals]

I worked for the IT dept at those companies i mentioned and the vast majority of these flags were indeed not malicious, but it was the very nature of the potential intent that these programs could be used for.

Sort of like a piece of wire being compared to a garotte, it's obviously just a piece of wire but the potential is still there and virus scanners normally have a field day.

Like I said, pop it in a zip file and the same scanners will do nothing, try some docx files, especially over email; McAfee had a meltdown lol. It's funny to me but irritating to the end user.

Also was helping a neighbour move over a tonne of soil and concrete today so I didn't have a chance to do any scanning, but judging by how my body feels now I think tomorrow I should be ok to certainly won't be moving much tomorrow, I'm broken.

What are they using to scan btw? Is this the virus sweep program they're running or the actual antivirus? Or on demand scanners?

We had been using McAfee since I started, in 2011....switched to Eset. It is either a slow roll-out or a trial....I'm not sure. Anyone that's received any type of major software upgrade or hardware upgrade has had the antivirus switched as well. The VM exe mock-up is my favorite thing though. That's separate from the antivirus software. It's just a tool we can download and use to test things we'd like to install that aren't in the software bank. This is where the alterations were picked up. Either file had different alterations. The one from Mega attempted to alter inbound/outbound rules for the firewall. I re-downloaded the one from github using my laptop running Kubuntu, transferred the file to my GDrive and ran the scan on it again. This time it came up clean. The Mega file continued to come up with malicious behavior. Needless to say I'm just not going to use my work computer again until my buddy looks at it Monday. I wasted way too much time messing with this. It was interesting at first but now I'm just annoyed....lol...because I wasted so much time.
Thank you for engaging me on this. I appreciate you taking time to look at it too.

 

[dlads]

We had been using McAfee since I started, in 2011....switched to Eset. It is either a slow roll-out or a trial....I'm not sure. Anyone that's received any type of major software upgrade or hardware upgrade has had the antivirus switched as well. The VM exe mock-up is my favorite thing though. That's separate from the antivirus software. It's just a tool we can download and use to test things we'd like to install that aren't in the software bank. This is where the alterations were picked up. Either file had different alterations. The one from Mega attempted to alter inbound/outbound rules for the firewall. I re-downloaded the one from github using my laptop running Kubuntu, transferred the file to my GDrive and ran the scan on it again. This time it came up clean. The Mega file continued to come up with malicious behavior. Needless to say I'm just not going to use my work computer again until my buddy looks at it Monday. I wasted way too much time messing with this. It was interesting at first but now I'm just annoyed....lol...because I wasted so much time.
Thank you for engaging me on this. I appreciate you taking time to look at it too.

That's quite unusual for a company to allow that, it's great lol.

As with the mega file, how have you downloaded it? As a zip or a standard? Try to get the files as just the raw payload dumper exe and folders.

My browser blocks the downloading from mega sometimes when I choose standard download instead of zip

 

[djcrystals]

That's quite unusual for a company to allow that, it's great lol.

As with the mega file, how have you downloaded it? As a zip or a standard? Try to get the files as just the raw payload dumper exe and folders.

My browser blocks the downloading from mega sometimes when I choose standard download instead of zip

Raw, no zip. Is there an antivirus that you're aware of that excels in weeding out false-positives? Doing a search on something like that is a waste of time. You get bombarded with suspect information.

My IT buddy looked at the a little more. Ha said the Github file was fine but be said the Mega folder I sent him attempted to trigger a crypto-miner malware install. He said the file had been altered from its original state. He hasn't responded with details yet. He just said it looks to have been recent and poorly done. I'll let you know if he says anything else.

 

[dlads]

Raw, no zip. Is there an antivirus that you're aware of that excels in weeding out false-positives? Doing a search on something like that is a waste of time. You get bombarded with suspect information.

My IT buddy looked at the a little more. Ha said the Github file was fine but be said the Mega folder I sent him attempted to trigger a crypto-miner malware install. He said the file had been altered from its original state. He hasn't responded with details yet. He just said it looks to have been recent and poorly done. I'll let you know if he says anything else.

Trend micro has a virus identifier which has been pretty good.

Malwarebytes (on demand not AV) had always grabbed things.

But for false positives, they're not really false. The nature of the application if identified to be able to modify something else in a particular way should really be flagged, most the time they're harmless but I think I'd rather know that not know.

Once you think it's safe just mark it as such, you could rely on other peoples experience but I'd like to decide myself.

I've been away from that particular part of the job for a while but you can get scanners that work pre OS which are a lot more reliable but for singular files I used to use some software and I cannot for the life of me remember the name of it. I've got it on a stick somewhere, I'll have a look for it, but it's superb and hasn't let me down

 

[hellcat50]

I am using the 2nd payload dumper. But since it's not running as administrator I guess if anything It can only wreak havoc on the current user profile. And since I am using a strict firewall, it cannot connect to the internet either. In addition to that I usually use sandboxie on Windows to sandbox those applications.

 

[djcrystals]

Trend micro has a virus identifier which has been pretty good.

Malwarebytes (on demand not AV) had always grabbed things.

But for false positives, they're not really false. The nature of the application if identified to be able to modify something else in a particular way should really be flagged, most the time they're harmless but I think I'd rather know that not know.

Once you think it's safe just mark it as such, you could rely on other peoples experience but I'd like to decide myself.

I've been away from that particular part of the job for a while but you can get scanners that work pre OS which are a lot more reliable but for singular files I used to use some software and I cannot for the life of me remember the name of it. I've got it on a stick somewhere, I'll have a look for it, but it's superb and hasn't let me down

I think that was the idea behind having access to the mock up exe VM environment. I guess the thinking behind giving us access to it is it allowed us to take it one step further. The antivirus gives you a result of what it could do....then we use that and this is what it will do....IT Security was my 3rd choice in life. I went for Meteorology...ended up working in the chemical industry and made my way from there....there was once a fork in the road once, where someone offered me an inroad to a life changing entry level IT Security job and I was in the midst of the interview process for DuPont. We had all the certificates worked out that id require to get in and everything. It was a tough choice. I made the right decision, I think.
Was that software you're talking about Farbar?

 

[brashmadcap]

"I have a highly secure position at a chemical company"

I sincerely hope it's not in the IT department

All of these "positives" are generics, probably AI detecting the executable as malicious because by its nature it is designed to unpack intercepted firmware updates. This is exactly the kind of thing that sophisticated (eg supply chain attack/nation-state-backed) malware would do.

Plus the heuristics of the name "payload" and "dump[er]" very likely trigger more vigilant/deep inspection

 

[djcrystals]

"I have a highly secure position at a chemical company"

I sincerely hope it's not in the IT department

All of these "positives" are generics, probably AI detecting the executable as malicious because by its nature it is designed to unpack intercepted firmware updates. This is exactly the kind of thing that sophisticated (eg supply chain attack/nation-state-backed) malware would do.

Plus the heuristics of the name "payload" and "dump[er]" very likely trigger more vigilant/deep inspection

My position is not in the IT department. Don't troll me for bringing up a valid security concern for the community as a whole. If you had read through the thread you'd see what was researched at and what @dladz and I discussed. I had a verified reason for raising suspicion. Condescension is the weakest form of expression on XDA. Please don't disrespect me or anyone else. It makes this place miserable. It's why I hate posting here. Ridiculous.

 

[BobbyHoggatt]

Hey I can certainly respect you raising your concerns, its made me double check my stuff. That being said have you raised your concern with XDA or any other developer site? If so what was the reply? I would appreciate if you would let me know and again thanks for bringing this matter up!

 

[djcrystals]

Hey I can certainly respect you raising your concerns, its made me double check my stuff. That being said have you raised your concern with XDA or any other developer site? If so what was the reply? I would appreciate if you would let me know and again thanks for bringing this matter up!

My computer is being looked at by IT. I'll be sure to update on any findings.

 

[oneszero]

The only reason I like XDA is the open source policy. I'm pretty sure there's nothing malicious with the payload dumper if you downloaded it from this site.. anytime you have files that can manipulate operating systems would throw up red flags with your antivirus.. So I say relax my Friend!

most of the time it is returning a false positive.