IntuneWin32Deployer

Possible Keylogger Indicated by Falcon Sandbox

Open · amandarino-tei opened this issue 1 year ago • 1 comment

Falcon Sandbox indicates a possible keylogger http://www.hybrid-analysis.com/sample/6b3bca249c7e8b8b8daddf4b7f6bf250a1274b0ce4e05ac156592ce9b7339ea6/66e09b02b26e9228260f9ad2

amandarino-tei, Sep 10 '24 19:09

@amandarino-tei You may want to investigate the detection a little more before submitting an issue.

From the link you provided, the details say: "sample.bin" contains indicator "[ENTER]" (Line: 64; Offset: 17).

Line 64 of the file "INSTALL_IntuneWin32Deployer.ps1" (which hybrid-analysis refers to as sample.bin) is: Read-Host "Press [Enter] to close"

So very much a false positive, especially given "[Enter]" is only one indicator, and a weak indicator on its own.

Maintainer should close this issue and likely related issue #23 as without more context it appears to be the same false positive.

mechanysm, Oct 30 '24 05:10