Marvel Rivals

BanCee Dec 5, 2024 @ 5:28pm
Malware detected?
I went to install the game and Avast flagged a file with Win64:Malware-gen. It says the source is client_diagnose.exe. Is it a false positive?
HornetTrooper Dec 5, 2024 @ 5:30pm 
I had the same instance, have the same question :(
jwcmike Dec 5, 2024 @ 5:37pm 
Same as above. Having trouble finding any information on it. Thus far I found this post, but I don't think it is the same thing and it is from July 2024. However, I find it troubling that the staff confirmed the block.

https://forums.malwarebytes.com/topic/314978-is-this-false-marvel-rivals/
BanCee Dec 5, 2024 @ 5:40pm 
Goodnight Mr. Dec 20, 2024 @ 7:58pm 
Cyber Guy here! I'm checking this executable out and running it under several scanners. I've submitted the hash, so if it is a false positive, your AVs will download the signatures and stop this from being a false positive. My AV (Symantec) did pop this as (Win64:Malware-gen), which was pretty vague. I observed that this file prevented Steam from downloading the game with an error about (File Permissions). As soon as I recovered the file "client_diagnosis.exe" it resumed.

I'll report back if this is legit or a false positive once it has been probed in a few sandboxes.

=================20DEC24/UTC 21DEC24@03:52AM==============

The file is located in the following locations: C:\SteamLibrary\steamapps\downloading\2767030\client_diagnose.exe

The File Size: 15.79 MB

Preliminary Scan Results:
Preliminary scan indicates that 'client_diagnose.exe' triggers a YARA rule indicating that the executable is using PyInstaller with a Python script (Py2Exe) and potential sideloading of Python DLL files.

This DOES NOT indicate that 'client_diagnose.exe' is a malicious file. It only states that these specific indicators, which have been seen in other payloads, were found in the executable. Usually I see this as a 'trojan type'; however, I don't know its nature yet. Will let you know soon!


File type: Win32 EXE (executable, windows, win32, pe, peexe)

Magic: PE32+ executable (GUI) x86-64, for MS Windows

TrID: Win64 Executable (generic) (48.7%), Win16 NE executable (generic) (23.3%), OS/2 Executable (generic) (9.3%), Generic Win/DOS Executable (9.2%), DOS Executable Generic (9.2%)

DetectItEasy: PE64; Packer: PyInstaller; Compiler: Microsoft Visual C/C++ (19.36.32826) [C]; Linker: Microsoft Linker (14.36.32826); Tool: Visual Studio (2022 version 17.6)

Magika: PEBIN

File size: 15.79 MB (16554440 bytes)

Creation Time: 2024-12-13 16:14:25 UTC
Signature Date: 2024-12-13 16:14:00 UTC
First Submission: 2024-12-19 20:32:53 UTC
Last Submission: 2024-12-20 17:31:20 UTC
Last Analysis: 2024-12-19 20:32:53 UTC

Upon searching for the filename 'client_diagnose.exe', this link popped up from their website.

https://www.marvelrivals.com/guide/20241114/41348_1193679.html

==============UPDATE 21DEC24@19:15UTC=====================

TLDR: I do not believe the file is a Trojan or is malicious in nature, although it shares similarities with a Trojan, leading to it being a false positive for AVs.

Host Interactions:
create process on Windows
read file on Windows
create directory
query environment variable
set environment variable
get common file path
accept command line arguments
get disk information
delete directory
delete file
terminate process
write file on Windows
get file size
enumerate files on Windows

==============Summary============================
3 out of 70 Security Vendors are flagging the file as malicious BASED ONLY on the specific actions the file takes and the tools within it. The file is reaching out to 4 IP addresses, modifying registry keys and grabbing machine data via Windows APIs, which is consistent with what the file's intended use, as indicated on their website, would require.
I believe the files are reaching out for the assets listed below for the GUI.


Legal: I did not reverse engineer or deobfuscate the file per legal agreements. I analyzed its system behavior to determine if there was any malicious intent.
Last edited by Goodnight Mr.; Dec 21, 2024 @ 11:46am
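The post above reasons from two things: the file's hashes (to match it against a scanner report) and a packer hit saying the binary is a PyInstaller bundle, which also explains the %TEMP%\_MEIxxxxx extraction folder. The script below is an added example, not code from the thread or from the game's vendor; it computes the same hash set and looks for the PyInstaller archive cookie magic so a user can tell "packed with PyInstaller" apart from "malicious". The sample byte strings are constructed stand-ins, not the real executable, and the vendor hash argument is hypothetical.

```python
"""Triage helper for a download an AV has flagged: hash it so it can be matched
against a scanner report or vendor-published checksum, and check whether it
is a PyInstaller bundle (the trait the YARA rule in the post keys on).
Added example, not code from the thread or the vendor; sample data is constructed."""
import hashlib

# PyInstaller appends a CArchive whose trailer ("cookie") begins with these
# 8 bytes.  Finding it explains a "Packer: PyInstaller" hit and the _MEIxxxxx
# temp folder, but by itself says nothing about whether the file is malicious.
PYINSTALLER_COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def file_hashes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 of the file contents, as a scanner report lists them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_pyinstaller_bundle(data: bytes) -> bool:
    """True when the PyInstaller archive cookie magic appears in the file."""
    return PYINSTALLER_COOKIE_MAGIC in data


def triage(data: bytes, expected_sha256=None) -> dict:
    """Summarise both checks.  `expected_sha256` (hypothetical input) is a hash
    the vendor published; a match is the actual integrity signal, the packer
    flag is only context for interpreting a generic AV detection."""
    hashes = file_hashes(data)
    matches = expected_sha256 is not None and hashes["sha256"] == expected_sha256.lower()
    return {**hashes, "pyinstaller": is_pyinstaller_bundle(data), "matches_vendor_hash": matches}


# Constructed samples: a fake MZ/PE stub, with and without a PyInstaller-style cookie.
_STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 128
SAMPLE_BUNDLE = _STUB + PYINSTALLER_COOKIE_MAGIC + b"\x00" * 16
SAMPLE_PLAIN = _STUB

if __name__ == "__main__":
    for name, blob in (("bundle", SAMPLE_BUNDLE), ("plain", SAMPLE_PLAIN)):
        print(name, triage(blob, expected_sha256=file_hashes(blob)["sha256"]))
```

To use it on a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`, giving the vendor's published SHA-256 if one exists.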
Rag Jan 11 @ 11:53am 
I got a different one when trying to install. Avast said that the libxess.dll was infected with Win64:Evo-gen [Trj] as a trojan horse
Jesi Jan 11 @ 12:03pm 
It's not the first nor the last time an antivirus is overreacting...

I couldn't install FF14 without adding it to Windows Defender exceptions.
Last edited by Jesi; Jan 11 @ 12:04pm
Avast has been trash for decades. There's no good reason to use it when Windows Defender has outranked it for many years now. Just uninstall that garbage and save yourself future headaches.
Kogan Jan 11 @ 12:24pm 
Interesting, might want to also take a look at this article, for the small group of intelligent people in this community that aren't shills and bootlicking sheep.

https://www.fbi.gov/news/stories/chinese-government-poses-broad-and-unrelenting-threat-to-u-s-critical-infrastructure-fbi-director-says

"The overall threat from the Chinese Communist Party (CCP) is a hybrid one that involves crime, counterintelligence, and cybersecurity—and which the FBI is countering with resources from all three missional spheres, Wray said."

"The PRC [People's Republic of China] has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage, and that its plan is to land low blows against civilian infrastructure to try to induce panic and break America's will to resist," he said in remarks at the Vanderbilt Summit on Modern Conflict and Emerging Threats in Nashville."

"The threat is partially "driven by the CCP's aspirations to wealth and power," Wray said, adding that China wants to "seize economic development in the areas most critical to tomorrow's economy," even if doing so requires theft. The Chinese government has tried to pilfer "intellectual property, technology, and research" from nearly every industry in the U.S. economy, he noted."

"This risk isn’t new, he said. CCP-sponsored cyber actors "pre-positioned” themselves to potentially mount cyber offenses against American energy companies in 2011—targeting 23 different pipeline operators."

"Similarly, he said, during the FBI’s recent Volt Typhoon investigation, the Bureau found that the Chinese government had gained illicit access to networks within America’s “critical telecommunications, energy, water, and other infrastructure sectors.” But, he noted, the CCP has also targeted critical infrastructure organizations through more “scattershot, indiscriminate cyber campaigns” that also impact other victims—such as their Microsoft Exchange hack in 2021, which "targeted networks across a wide range of sectors.”
Last edited by Kogan; Jan 11 @ 12:24pm
Go install Grey Goo and watch as the .exe gets flagged as malicious.

Are people honestly believing Valve would distribute malware?
Kinoghoul Jan 11 @ 12:41pm 
Avast itself is malware. Look into its history of spying on users.

Date Posted: Dec 5, 2024 @ 5:28pm
Posts: 10