r/MalwareAnalysis

Title: Suspicious signed executable (RobotAI.exe / ycvol.exe) – possible Discord-related malware?

I found a suspicious executable on my system and I’m trying to determine its origin and behavior.

Details:

  • File name: RobotAI.exe
  • Also seen as: ycvol.exe (on VirusTotal)
  • Location: C:\DoscordRobot\
  • Size: ~147 KB

VirusTotal Behavior Report:
https://www.virustotal.com/gui/file/29fdd994c5c62ca7e7c9f3ebeffe7a25a4d5c055ca55be2bcda70db8c3a2c634/behavior

Observations:

  • The file is digitally signed with a valid signature
  • Signer appears to be: “Chengdu Weisuan Technology Co., Ltd.”
  • Certificate chain includes GlobalSign / DigiCert
  • File name differs between local system and VT (possible renaming)
  • The folder name “DoscordRobot” looks like a typo-squatted Discord directory

I did NOT intentionally install or download anything with this name.

Questions:

  1. Is this associated with any known malware family (stealer / loader / RAT)?
  2. How trustworthy is this type of digital signature in practice?
  3. Does this match known Discord-based infection vectors (e.g., fake tools, bots)?
  4. Any indicators from the behavior report that clearly classify it as malicious?

Any technical insights or reverse engineering observations would be appreciated.

u/BusyHuckleberry846 — 9 days ago

public safety / awareness warning

Security warning to the community.

I investigated an individual operating through Odysee and Telegram who appears to be distributing malicious Android surveillance malware disguised as a security tool.

The investigation included:

- payment fraud behavior,

- blocked communication after payment,

- and analysis of suspicious malware-related infrastructure.

The software appears capable of:

- unauthorized device surveillance,

- credential theft,

- phishing activity,

- and ransomware-related behavior.

Reports and evidence have already been submitted to relevant platform abuse teams.

This post is intended purely as a public awareness warning to help prevent additional victims and encourage responsible reporting.

u/CranberryOk2634 — 5 days ago

Technical Analysis of EagleSpy V6.0 (CraxsRAT Rebrand) Distributed Through Odysee and Telegram

Warning to the cybersecurity and Android community.

I recently investigated an individual operating through Odysee and Telegram who is selling a malicious Android RAT known as EagleSpy V6.0, which appears to be a rebranded version of CraxsRAT.

During the investigation:

- I was financially scammed after payment

- The seller blocked communication afterward

- The malware infrastructure was analyzed in detail

Technical analysis confirmed:

- Banking phishing overlays

- Crypto wallet credential theft

- Telegram bot exfiltration

- Remote shell execution

- Keylogging

- Camera/microphone access

- GPS tracking

- Ransomware components

- DEX packers for AV evasion

- Hidden update/backdoor mechanisms

The repository also contained evidence of real victim infrastructure and compromised device information.

The malware appears capable of targeting not only victims, but potentially even buyers/operators through embedded update systems and hidden control mechanisms.

Relevant reports have already been submitted to platform abuse teams.

Odysee channel involved:

https://odysee.com/@justicerat:e

Telegram:

@JustIcedevs

This post is intended purely as a cybersecurity awareness warning to help prevent additional victims.

If moderators require technical validation or indicators of compromise, I can provide structured analysis details privately.

u/CranberryOk2634 — 5 days ago
▲ 9 · r/MalwareAnalysis · +1 crossposts

I've been doing reverse engineering and malware analysis for some time now, and I noticed something frustrating: every detection tool flags isolated signals separately. One tool screams "entropy is high!" Another yells "found injection APIs!" A third matches a YARA rule. But nobody tells you if these signals actually mean your binary is malicious or just legitimate software doing normal things.

So I built Binary Atlas—a static PE analysis engine that runs 14 detectors but scores confidence instead of just screaming alerts.

Why This Matters:

Most tools have insane false positive rates on legitimate Windows utilities

Single signals (high entropy, API imports, YARA matches) are meaningless in isolation

Correlation > Isolation

How It Works (5 Steps):

Check if Windows trusts it (valid Authenticode signature) → LOW risk

Parse PE headers, sections, imports, strings, hashes

Run 14 detectors (packing, anti-analysis, persistence, shellcode, etc.)

Unified classifier deduplicates findings and weights signals

Score confidence (HIGH/MEDIUM/LOW) + generate detailed reports

What Makes It Different:

Instead of: "Found CreateRemoteThread—FLAGGED!"

Binary Atlas does:

CreateRemoteThread detected ✓ (confidence: MEDIUM—debuggers use this)

WriteProcessMemory detected ✓ (confidence: MEDIUM—could be legitimate)

Registry persistence APIs detected ✓ (confidence: MEDIUM)

Anti-debug checks in strings ✓ (confidence: MEDIUM)

Unified result: "All 4 signals pointing toward injection + persistence = HIGH confidence malware"

The 14 Detectors:

Packing analysis | Anti-analysis detection | Persistence mechanisms | DLL/COM hijacking | Shellcode patterns | Import anomalies | Resource analysis | Mutex signatures | Overlay detection | String entropy | YARA scanning | Compiler identification | Threat classification | Security headers

Static analysis only (to be honest, sandboxing the file confirms everything)

High false positives on some legitimate software

Looking for feedback on:

How to reduce false positives further?

Which detection modules would be most useful?

Any malware researchers want to contribute better YARA rules?

Check out the GitHub repo: https://github.com/bilal0x0002-sketch/Binary-Atlas/

u/Ok_Performer1647 — 11 days ago
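The correlation step the post describes (steps 3 to 5: run detectors, deduplicate and weight the findings, then score confidence by how many independent signals agree) as an added example. This is not code from the Binary Atlas repository; it runs three toy detectors over constructed, already-parsed PE artefacts (import names, extracted strings, raw section bytes) instead of a real binary, and the API groupings, weights, entropy threshold and scoring cut-offs are assumptions chosen for the illustration. The three constructed samples reproduce the post's point: a debugger-like injection chain alone stays MEDIUM, while injection plus Run-key persistence plus anti-debug plus a packed section reaches HIGH.

```python
"""Signal-correlation scoring over static PE detector findings (added example).

Detector findings are tagged Signals; the classifier deduplicates identical
findings reported by different detectors, sums weights per category, and only
reaches HIGH when several categories corroborate each other.
"""
import math
from collections import Counter
from dataclasses import dataclass

# Assumed API groupings for the example; a real detector table is far larger.
INJECTION_APIS = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}
INJECTION_CHAIN = {"WriteProcessMemory", "CreateRemoteThread"}   # write + execute in another process
PERSISTENCE_APIS = {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyExA", "RegCreateKeyExW"}
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}
RUN_KEY_MARKER = "currentversion\\run"
PACKED_ENTROPY = 7.2   # assumed threshold in bits/byte; 8.0 is uniformly random, plain code is ~6


@dataclass(frozen=True)   # frozen -> hashable, so identical findings collapse in a set
class Signal:
    category: str   # injection / persistence / anti_analysis / packing
    evidence: str   # what the detector saw
    weight: int     # 1 = weak (common in benign software), 2 = strong


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def run_detectors(imports, strings, sections):
    """Toy import, string and section detectors. `sections` maps name -> raw bytes."""
    found = []
    imp = set(imports)
    lowered = [s.lower() for s in strings]

    inj = imp & INJECTION_APIS
    if INJECTION_CHAIN <= inj:
        found.append(Signal("injection", "WriteProcessMemory+CreateRemoteThread", 2))
    elif inj:
        found.append(Signal("injection", ",".join(sorted(inj)), 1))

    if imp & PERSISTENCE_APIS:
        run_key = any(RUN_KEY_MARKER in s for s in lowered)
        found.append(Signal("persistence",
                            "registry write + Run key string" if run_key else "registry write",
                            2 if run_key else 1))

    # The import detector and the string detector can both report the same API;
    # classify() deduplicates that instead of counting it twice.
    for api in sorted(imp & ANTI_DEBUG_APIS):
        found.append(Signal("anti_analysis", api, 1))
    for api in sorted(ANTI_DEBUG_APIS):
        if api.lower() in lowered:
            found.append(Signal("anti_analysis", api, 1))

    for name, data in sections.items():
        if shannon_entropy(data) >= PACKED_ENTROPY:
            found.append(Signal("packing", f"high-entropy section {name}", 1))
    return found


def classify(found):
    """Deduplicate, weight per category, score by how many categories agree."""
    signals = set(found)
    by_cat = Counter()
    for s in signals:
        by_cat[s.category] += s.weight
    categories, total = len(by_cat), sum(by_cat.values())
    # Assumed cut-offs: one category alone never exceeds MEDIUM however strong it is.
    if categories >= 3 and total >= 5:
        confidence = "HIGH"
    elif categories >= 2 or total >= 2:
        confidence = "MEDIUM"
    else:
        confidence = "LOW"
    return {"confidence": confidence, "weights": dict(by_cat), "distinct_signals": len(signals)}


# Constructed samples (not real binaries): artefacts as a PE parser would hand them over.
CODE = b"\x55\x8b\xec" * 200 + b"\x00" * 400          # low-entropy stand-in for .text
SAMPLES = {
    "cli_utility": dict(imports=["CreateFileW", "ReadFile", "WriteFile", "GetCommandLineW"],
                        strings=["usage: tool <file>"], sections={".text": CODE}),
    "debugger_like": dict(imports=["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                                   "CreateRemoteThread", "ReadProcessMemory"],
                          strings=["attach to pid"], sections={".text": CODE}),
    "injector_with_persistence": dict(
        imports=["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                 "RegSetValueExW", "IsDebuggerPresent"],
        strings=["Software\\Microsoft\\Windows\\CurrentVersion\\Run", "IsDebuggerPresent"],
        sections={".text": CODE, "UPX1": bytes(range(256)) * 4}),   # uniform bytes -> 8.0 bits
}


def triage(sample):
    return classify(run_detectors(**sample))


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, triage(sample))
```

The deduplication only works because `Signal` is a frozen dataclass with identical field values from both detectors; if the string detector recorded the raw string instead of the normalised API name, the same finding would be counted twice and inflate the score, which is exactly the double-counting the post's unified classifier is meant to avoid.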