mike_d · 10 months ago
I forced a refresh of the VirusTotal results. It is only being flagged by a single engine: MaxSecure, an Indian anti-virus vendor that has gone out of business.

https://www.virustotal.com/gui/file/950eea4e17fa3a7e89fa2c55...

likeabatterycar · 10 months ago
Probably Windows checking certificate revocation on a signed binary (or linked library).
doix · 10 months ago
Yeah, I'm inclined to agree. The binaries were probably built by mingw and I've seen "hello world" get flagged by virus total when built by mingw.

If it is the binary itself making those calls (and not the OS), then anyone with a little bit of reverse engineering experience should be able to prove it and post the assembly.

Edit: I was wrong about the build toolchain, they were built by visual studio, see comment below.

retsl · 10 months ago
The VirusTotal report shows the output from DetectItEasy in "Details" -> "Basic properties":

DetectItEasy PE64
Compiler: Microsoft Visual C/C++ (19.14.26715) [C++]
Linker: Microsoft Linker (14.00.24241)
Tool: Visual Studio (2015)

this is not meant to imply anything about whether the binary is malicious or not.


readthenotes1 · 10 months ago
The potentially malicious IP is owned by Akamai. Not sure why tee would want to talk out.

https://www.whois.com/whois/23.216.147.64

likeabatterycar · 10 months ago
It's not.

This is almost certainly Windows performing certificate validation.

The "evidence" was just copy pasted from VirusTotal. In fact he forgot to copy from below the cut, which would have shown it also called out to www.microsoft.com - depending who you ask, definitely a malicious address!

VirusTotal just notes all network traffic during the time the binary executed in the sandbox. It doesn't mean it emanated from the binary.
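
The two checks the thread keeps circling back to, the linker version DetectItEasy reports and whether the binary is Authenticode-signed (which is what would make Windows itself perform certificate revocation lookups when it runs), both come straight out of the PE headers. Below is an added example, not code from the thread or from the tee.exe in question, that parses those fields from a PE file; the sample image it builds is a constructed header-only stub with a placeholder certificate blob, not a real signed binary.

```python
"""Read linker version and Authenticode presence from PE headers.

Added illustration for the thread above; the sample image constructed
by build_sample_pe() is test input only (no code, no real certificate).
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
OPT_MAGIC_PE32 = 0x10B
OPT_MAGIC_PE32PLUS = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # PKCS#7 SignedData
MACHINE_NAMES = {0x8664: "x64", 0x14C: "x86", 0xAA64: "arm64"}


def inspect_pe(data: bytes) -> dict:
    """Return machine, PE32/PE32+, linker version and whether an embedded
    Authenticode signature is present (presence only; nothing is verified)."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")

    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte "PE\0\0" signature.
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symptr, _nsyms, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # Optional header starts with Magic, MajorLinkerVersion, MinorLinkerVersion.
    magic, major_linker, minor_linker = struct.unpack_from("<HBB", data, opt)
    if magic == OPT_MAGIC_PE32PLUS:
        num_dirs_off, dir_base = opt + 108, opt + 112
    elif magic == OPT_MAGIC_PE32:
        num_dirs_off, dir_base = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")

    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    signed = False
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        cert_off, cert_size = struct.unpack_from("<II", data, entry)
        # For the security directory the first field is a raw file offset, not an RVA.
        if cert_off and cert_size >= 8 and cert_off + cert_size <= len(data):
            dw_length, _rev, cert_type = struct.unpack_from("<IHH", data, cert_off)
            signed = dw_length <= cert_size and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA

    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "format": "PE64" if magic == OPT_MAGIC_PE32PLUS else "PE32",
        "linker": f"{major_linker}.{minor_linker:02d}",
        # MSVC 14.x covers Visual Studio 2015 and later toolsets.
        "msvc_toolset": "MSVC 14.x (VS 2015 or later)" if major_linker == 14 else None,
        "has_authenticode": signed,
    }


def build_sample_pe(signed: bool, major_linker: int = 14, minor_linker: int = 0) -> bytes:
    """Construct a minimal PE32+ header-only image (sample input, not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)

    num_dirs = 16
    opt_size = 112 + 8 * num_dirs                      # PE32+ header with 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    headers_len = e_lfanew + 4 + 20 + opt_size
    cert_off = (headers_len + 7) & ~7                   # WIN_CERTIFICATE is 8-byte aligned
    cert_body = b"\x30\x82" + b"\0" * 30                # placeholder, not a real PKCS#7 blob
    cert_len = 8 + len(cert_body)

    opt = bytearray(opt_size)
    struct.pack_into("<HBB", opt, 0, OPT_MAGIC_PE32PLUS, major_linker, minor_linker)
    struct.pack_into("<Q", opt, 24, 0x140000000)        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 108, num_dirs)
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_len)

    image = bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt)
    if signed:
        image += b"\0" * (cert_off - len(image))
        image += struct.pack("<IHH", cert_len, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_body
    return image


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(signed=True)
    for key, value in inspect_pe(data).items():
        print(f"{key:16} {value}")
```

Run it against the real tee.exe with the path as the first argument. A reported signature means the OS will contact the CA's CRL/OCSP endpoints (often served from a CDN such as Akamai) when the file runs, which is the behaviour the comment above describes; the absence of an embedded signature does not rule that out, since catalog-signed files and signed DLLs the binary loads trigger the same checks, and the script reports presence only, without validating the chain.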

funcDropShadow · 10 months ago
Is tee.exe supposed to be the normal tee unix tool?
somat · 10 months ago
Yes, there is also a "cat" executable that is being looked at. In this case it is probably harmless, but I am not sure why they have no source for it. Someone suggested it came from gvim.

A proposal in the attached issue suggests just building it from OpenBSD sources, which is probably not the worst place to get source for tee.

sweeter · 10 months ago
This looks bad. I'm no expert though; there could be a plausible explanation here. But running it through some common tools, they all seem to return suspicious behavior.
remram · 10 months ago
Like what tools?