this post was submitted on 13 Aug 2025
14 points (93.8% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ


Does anyone know if these two files are considered malware? I see a lot of things in the behavior tab that seem suspicious (but then again, I have no idea, and am relatively new/dumb).

Here are the images of the virustotal results I am referring to:

Also, I did see there was a noticeable slowness to my PC after I extracted the rar files (I was in a VM).

Thank you.

top 9 comments
[–] treasure@feddit.org 22 points 1 day ago

TLDR: I can't say for 100% sure, but there are multiple reasons to believe that this is malware.

Long version: I'm seeing multiple suspicious things here.

  • The IPs being connected to are part of some hoster and have some abuse reports: https://www.abuseipdb.com/check-block/217.20.58.98/29

  • The domain being resolved is qcloud[.]com, which belongs to Tencent Cloud and definitely not Microsoft.

  • Other domains in memory like counter-strike[.]com[.]ua are very new and definitely sound fishy.

  • A standalone version of 7zip is being run and extracts the created rar file with the password "infected". Real alarm bells here.

  • A lot of the registry actions look like anti-debugging, which does not sound like something an Illustrator Plugin would do.
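The indicators listed above (contacted IPs inside a block with abuse reports, resolved domains that don't belong to the vendor the plugin claims to be from, and a 7-Zip process unpacking a password-protected archive at runtime) can be checked mechanically. The script below is an added example and is not code from the thread or from VirusTotal; its report layout is a constructed, simplified stand-in for a behaviour tab, the IP block is the /29 containing the address the commenter linked, and the list of "expected" vendor domains is an assumption for the demonstration.

```python
"""Triage a sandbox behaviour report against the indicators raised in the thread.

Added example, not from the post or from VirusTotal. SAMPLE_REPORT is a
constructed, simplified stand-in for a behaviour tab (the real JSON schema
differs). ABUSE_REPORTED_BLOCKS and EXPECTED_VENDOR_SUFFIXES are assumptions.
"""
import ipaddress
import shlex

# Constructed sample mirroring what the comment describes.
SAMPLE_REPORT = {
    "ip_traffic": ["217.20.58.98", "217.20.58.101", "13.107.4.52"],
    "dns_lookups": ["qcloud.com", "counter-strike.com.ua", "download.microsoft.com"],
    "processes": [
        {"image": "C:\\Program Files\\7-Zip\\7z.exe",
         "cmdline": "7z.exe x -pinfected payload.rar -oC:\\Users\\Public"},
        {"image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"},
    ],
}

# The /29 containing the address the commenter looked up on AbuseIPDB
# (217.20.58.96-103). The vendor suffixes are an assumption about what an
# Illustrator plugin might legitimately contact.
ABUSE_REPORTED_BLOCKS = ["217.20.58.96/29"]
EXPECTED_VENDOR_SUFFIXES = ("adobe.com", "microsoft.com")


def flag_ips(ips, blocks=ABUSE_REPORTED_BLOCKS):
    """Return the contacted IPs that fall inside a block with abuse reports."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    return [ip for ip in ips if any(ipaddress.ip_address(ip) in n for n in nets)]


def flag_domains(domains, expected=EXPECTED_VENDOR_SUFFIXES):
    """Return resolved domains that are not owned by the vendor the software claims."""
    def is_expected(d):
        return any(d == s or d.endswith("." + s) for s in expected)
    return [d for d in domains if not is_expected(d)]


def flag_archive_extraction(processes):
    """Return 7-Zip invocations that pass a password on the command line.

    -p<password> is 7-Zip's real password switch. A sample that unpacks its own
    password-protected archive at runtime is the alarm the commenter describes.
    """
    hits = []
    for p in processes:
        argv = shlex.split(p["cmdline"], posix=False)  # keep Windows backslashes literal
        if not argv or not argv[0].lower().endswith("7z.exe"):
            continue
        passwords = [a[2:] for a in argv if a.lower().startswith("-p") and len(a) > 2]
        if passwords:
            hits.append({"cmdline": p["cmdline"], "password": passwords[0]})
    return hits


def triage(report):
    """Collect every indicator into one findings dict with an overall verdict."""
    findings = {
        "abuse_block_ips": flag_ips(report["ip_traffic"]),
        "unexpected_domains": flag_domains(report["dns_lookups"]),
        "password_extractions": flag_archive_extraction(report["processes"]),
    }
    # Each value is a list; any non-empty list makes the report suspicious.
    findings["suspicious"] = any(findings.values())
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

None of these checks proves maliciousness on its own; the point of `triage` is that several weak signals from different parts of the report (network, DNS, process tree) line up, which is the same reasoning the comment applies by hand.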

[–] MangoPenguin@lemmy.blahaj.zone 6 points 1 day ago (1 children)

There are some suspicious things going on like the qcloud and counter-strike domains, as well as the 7zip extract being run.

I would probably get rid of it.

[–] Yourname942@lemmy.dbzer0.com 1 points 1 day ago* (last edited 1 day ago) (1 children)

I installed 7zip, if that made it appear (not sure if it is the case though). Yeah, I may have to just pay for subscriptions with money I can't afford :S

I suppose you can probably do most things without the plugins too, just more time intensive.

[–] frongt@lemmy.zip 3 points 1 day ago (1 children)

Unlikely for the rar file itself. The exe seems a little suspicious, so I would scan that file individually. Hard to say without unpacking and examining it.

[–] Yourname942@lemmy.dbzer0.com 1 points 1 day ago* (last edited 1 day ago) (2 children)

Should I have scanned the extracted folders rather than the rar file itself? (even though it shows network communications and mitre signatures?)

I ran an antivirus outside the VM and nothing was detected luckily. (I had already extracted the rar files, but just scanned the rar itself)

[–] frongt@lemmy.zip 4 points 1 day ago

Yes, scan the potential malware directly (exe, dll files). Not all scanners support extracting archives.

No, it's fine, clearly it did extract the rar file and run everything.
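Scanning the unpacked files one by one, as the answer above recommends, is easier if you first inventory what was actually extracted and hash each file so it can be looked up on its own. The script below is an added example, not code from the thread: it walks an extracted directory, recognises Windows executables by their MZ/PE header bytes rather than trusting the extension, and reports a SHA-256 per file. The sample directory it builds in a temp folder is constructed, and `PE_EXTENSIONS` is an assumption about which extensions a scanner would normally treat as executables.

```python
"""Inventory and hash an extracted archive so each file can be checked individually.

Added example, not from the thread. Files are identified as PE executables by
header bytes (MZ at offset 0, e_lfanew at 0x3C pointing at "PE\0\0"), so a
binary renamed to .bin or a .exe that is not really executable both stand out.
"""
import hashlib
import os
import struct
import tempfile

# Assumption: extensions a scanner would treat as executables by default.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr"}
HEAD_BYTES = 4096  # window read for header checks; e_lfanew beyond it is not recognised


def is_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Return (relative path, sha256, is_pe, extension_mismatch) for every file under root."""
    rows = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(HEAD_BYTES)
            pe = is_pe(head)
            ext = os.path.splitext(name)[1].lower()
            mismatch = pe != (ext in PE_EXTENSIONS)  # header and extension disagree
            rows.append((os.path.relpath(path, root), sha256_of(path), pe, mismatch))
    return rows


def inventory_by_name(root):
    """Same rows keyed by file name, for quick lookups."""
    return {os.path.basename(r[0]): r for r in inventory(root)}


def make_pe_stub():
    """Constructed minimal bytes that satisfy is_pe; not a runnable program."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)  # e_lfanew -> offset 0x80
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_dir():
    """Constructed sample extraction: two PE stubs, one text file, one fake .exe."""
    root = tempfile.mkdtemp(prefix="extracted_")
    os.makedirs(os.path.join(root, "plugins"))
    samples = {
        os.path.join("plugins", "helper.dll"): make_pe_stub(),  # honest PE
        "readme.txt": b"Install notes\n",                       # plain text
        "setup.exe": b"not a real executable\n",                # extension lies
        "data.bin": make_pe_stub(),                             # PE hiding behind .bin
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel, digest, pe, mismatch in inventory(build_sample_dir()):
        tag = "PE " if pe else "   "
        warn = "  <-- header/extension mismatch" if mismatch else ""
        print(f"{tag}{digest}  {rel}{warn}")
```

Files flagged as PE are the ones to submit or scan individually; a mismatch between header and extension is worth a second look in either direction, since a scanner that goes by extension alone would skip `data.bin` entirely.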