Malware analysis: arx-libertatis-1.2.1-windows.exe

Isaac Dawson

NCC Group — Isaac Dawson, L2 Security Analyst (15/05/2024)

Synopsis

An investigation into [arx-libertatis-1.2.1-windows.exe] and how online malware scanners aren’t always right.

Background

About a year ago, my brother was talking to me on Discord about a video game called Arx Fatalis. It’s from 2002 and looks pretty dated, but he explained that it’s the first-ever Arkane Studios game; the studio is responsible for games like Dishonored, Prey, Deathloop and, more recently, Redfall. He describes Arx Fatalis as a fantasy RPG, like a knockoff Elder Scrolls but on a smaller scale. The game was well received and allowed Arkane Studios to become who they are today.

Due to its age, the game is very buggy and doesn’t run too well on modern hardware; however, the game does have a dedicated player base who managed to create an open-source overhaul mod called Arx Libertatis. This overhaul mod fixes most of the bugs and makes the game run smoothly on any Windows or Linux device. My brother was trying to download the Libertatis mod from the official website but was stopped by Chrome because it identified the binary as malware. Let’s investigate…

Arx Fatalis, Arkane Studios (2002)

File Information

File name: arx-libertatis-1.2.1-windows.exe
File size: 9.24 MB
File type: Application (.exe)
SHA256: 54DEB2C3D839FD8227BE977278AB0DCFAEC3028EEA8FBDBD57FF2408649895CB
SHA1: 41386CF58CEE0D954970382496A228A8228C27F7
MD5: 539CD327B673A0B80DDB2EC2F91111E8

Investigation

I stopped my brother from continuing with the file and told him to allow me to investigate. I started with the file hash and dropped it into VirusTotal, where it was flagged by 15 individual security vendors as a malicious trojan. I checked the community tab to see what people were saying; there was a comment by NodenGaming, who said they created a 30-minute video about why this is a false positive and that we shouldn’t trust the AI malware scanners on VirusTotal.

In the video, Noden explains that the above installer will spawn two executables, [arx.exe] and [arx-portable.exe]. These binaries read your CPU’s architecture to check whether you’re using x86 or x64.

I booted up a sandbox with ProcMon installed and applied a malware analysis filter. Then I executed [arx-libertatis-1.2.1-windows.exe] and it generated [arx.exe], which I executed next. After a short while, I stopped the capture and followed the process trace; I saw that [C:\Windows\SysWOW64\ntdll.dll] and [C:\Windows\System32\ntdll.dll] were being queried. This is the Windows NT Layer DLL and is used for various functions related to the Windows kernel. I believe the [SysWOW64] version of [ntdll.dll] was responsible for reading the CPU architecture, as the Windows API called the [IsWow64Process] function; this created a process handle that provided an x86 or x64 response.

As for the rest of the process tree, there’s nothing else exciting to discuss. There’s no evidence of defense evasion, ransomware activity, or exfiltration.

ProcMon, Sysinternals
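The ProcMon review above (installer spawns [arx.exe] and [arx-portable.exe]; the child loads both the SysWOW64 and the System32 copy of [ntdll.dll]) can be reduced to a repeatable check over a CSV export. The script below is an added example, not code from the original post or the Arx Libertatis project. It assumes ProcMon's default CSV column set ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail") and that process creation and image loads appear as the "Process Create" and "Load Image" operations; the sample events, process names, PIDs and paths are constructed placeholders, not a capture of the real installer.

```python
"""Added example, not code from the original post: summarise a ProcMon CSV
export so the installer's process tree and the ntdll.dll copies each child
loaded can be reviewed in one place. The CSV below is constructed to mirror
ProcMon's default export columns (an assumption about the layout); it is
not a capture of the real arx-libertatis installer."""
import csv
import io
from collections import defaultdict

# Constructed sample events. Process names, PIDs and paths are placeholders.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","installer.exe","4120","Process Create","C:\Temp\arx.exe","SUCCESS","PID: 4188, Command line: C:\Temp\arx.exe"
"10:01:02.0105","arx.exe","4188","Load Image","C:\Windows\SysWOW64\ntdll.dll","SUCCESS","Image Base: 0x77000000, Image Size: 0x1a0000"
"10:01:02.0110","arx.exe","4188","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS","Image Base: 0x7ff800000000, Image Size: 0x1f0000"
"10:01:02.0200","arx.exe","4188","CreateFile","C:\Users\user\AppData\Roaming\Arx Libertatis","SUCCESS","Desired Access: Read Attributes"
"10:01:02.0300","installer.exe","4120","Process Create","C:\Temp\arx-portable.exe","SUCCESS","PID: 4201, Command line: C:\Temp\arx-portable.exe"
"10:01:02.0400","arx-portable.exe","4201","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS","Image Base: 0x7ff800000000, Image Size: 0x1f0000"
'''


def parse_procmon_csv(text):
    """Parse a ProcMon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def process_tree(events):
    """Map each parent process name to the executables it created
    (ProcMon's 'Process Create' operation), in capture order."""
    tree = defaultdict(list)
    for ev in events:
        if ev["Operation"] == "Process Create":
            tree[ev["Process Name"]].append(ev["Path"])
    return dict(tree)


def ntdll_paths(events, process_name):
    """Every ntdll.dll image a given process loaded, sorted. A 32-bit process
    on 64-bit Windows loads both the SysWOW64 and the System32 copy; a native
    64-bit process loads only the System32 copy."""
    return sorted({
        ev["Path"]
        for ev in events
        if ev["Process Name"].lower() == process_name.lower()
        and ev["Operation"] == "Load Image"
        and ev["Path"].lower().endswith("\\ntdll.dll")
    })


def runs_under_wow64(events, process_name):
    """True when the process loaded the SysWOW64 copy of ntdll.dll."""
    return any("\\syswow64\\" in path.lower()
               for path in ntdll_paths(events, process_name))


def summarise_capture(events):
    """One triage summary: the process tree plus the WOW64 status of each child."""
    tree = process_tree(events)
    children = sorted({path.rsplit("\\", 1)[-1]
                       for paths in tree.values() for path in paths})
    return {
        "process_tree": tree,
        "wow64": {child: runs_under_wow64(events, child) for child in children},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarise_capture(parse_procmon_csv(SAMPLE_CSV)), indent=2))
```

Export a real capture with File > Save as CSV in ProcMon and pass its contents to `parse_procmon_csv`; the summary shows which children the installer spawned and which of them ran under WOW64, which is the ordinary reason a 32-bit process touches both copies of [ntdll.dll] rather than a sign of tampering.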

Conclusion

I already know the file is benign. It’s an open-source project and has been around since 2013. I find it interesting that malware scanners are flagging it as malicious and I wanted to dive into why. I think an unsigned process spawning multiple executables and reading the Windows kernel by calling process handles is a bit suspicious — when written out like that it’s obvious why it was flagged.

Why this is important

As a Security Analyst, I rely on OSINT tools like VirusTotal to give a definitive answer to “Is this file bad?”. This investigation has reminded me that malware scanners are simply pattern-recognition utilities. Maybe this will change with the introduction of AI in EDR tools; we’re already starting to see fewer false positives with a Copilot-infused Defender.
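One practical way to act on the point that scanners are pattern-recognition utilities is to read a verdict list by the kind of detection name each engine returned, rather than by the bare "N of M engines" count. The script below is an added example, not code from the original post or from VirusTotal; the vendor names and detection labels are constructed placeholders, and the token list used to spot heuristic or machine-learning verdicts is a practitioner's rule of thumb, not a vendor naming standard.

```python
"""Added example, not code from the original post: read an online scanner's
verdict list by detection-name class instead of by the bare 'N of M engines'
count. Vendor names and labels below are constructed placeholders, not real
results for the file discussed in the post."""
import re

# Tokens that typically mark heuristic, machine-learning or generic verdicts
# rather than a named malware family (assumption: a triage rule of thumb).
GENERIC_TOKENS = {"gen", "generic", "heur", "heuristic", "ml", "ai",
                  "susp", "suspicious", "unsafe", "score", "cloud"}

# Constructed verdicts: None means the engine reported the file clean.
SAMPLE_VERDICTS = {
    "VendorA": None,
    "VendorB": "Trojan.Generic.ML.12345",
    "VendorC": "Heur:Win32.Suspicious",
    "VendorD": None,
    "VendorE": "Malicious (score: 82)",
    "VendorF": None,
    "VendorG": "AI:Trojan.Gen",
    "VendorH": None,
}


def label_class(label):
    """Classify one engine's label as 'clean', 'generic' or 'specific'.
    A label is 'generic' when any of its tokens is a heuristic marker;
    otherwise it is taken to name a specific family."""
    if label is None:
        return "clean"
    tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", label) if t}
    return "generic" if tokens & GENERIC_TOKENS else "specific"


def summarise_verdicts(verdicts):
    """Count verdicts by class and turn the mix into a triage assessment.
    Heuristic-only flags call for behavioural verification (the sandbox run
    in the post); a named family from any engine is treated as malicious
    until that is disproved."""
    counts = {"clean": 0, "generic": 0, "specific": 0}
    for label in verdicts.values():
        counts[label_class(label)] += 1
    flagged = counts["generic"] + counts["specific"]
    if flagged == 0:
        assessment = "no-detections"
    elif counts["specific"] == 0:
        assessment = "heuristic-only: verify behaviour before acting"
    else:
        assessment = "named-family: treat as malicious until verified otherwise"
    return {"engines": len(verdicts), "flagged": flagged, **counts,
            "assessment": assessment}


if __name__ == "__main__":
    for vendor, label in SAMPLE_VERDICTS.items():
        print(f"{vendor:8} {label_class(label):9} {label}")
    print(summarise_verdicts(SAMPLE_VERDICTS))
```

The assessment is a prompt for the next step, not a verdict on its own: a "heuristic-only" result is exactly the case in this post, where the right follow-up was to run the file in a sandbox and look at what it actually did.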

I think what separates a good analyst from a great analyst is a Zero Trust mentality — basically “never trust, always verify”. Traditionally, I would simply trust VirusTotal and isolate the machine due to active malware; however, I’ve taken the time to verify the software and it turned out to be nothing. Hopefully, you’ve all learned something, whether it was about old computer games or how you shouldn’t always trust your favorite OSINT tool — take it with a pinch of salt.
