Hi,
On 12/16/18 10:37 PM, dany111@email.it wrote:
> I don't want to sound paranoid but I've just scanned the Geany binaries with Hybrid Analysis. I've got these results: https://www.hybrid-analysis.com/sample/109748fc6e6276462258ee104996fe29c9d82... In particular, could you explain to me why the installer connects to the Swiss IP address 194.230.81.170?
Interesting. I don't have an explanation yet, but I'm not panicking. The IP belongs to Akamai, which is not per se anything bad, just a CDN. I'll try to get some more details.
In general, information from that "analysis" should be taken with care, e.g.:

"Ransomware: The analysis extracted a file with a known ransomware suffix"

This is based on the file "filetypes.abc", which is included in the Geany distribution. But a "Risk Assessment" based on filename extensions doesn't seem very serious to me.
Later, in the network section, they say "This report was generated with enabled TOR analysis". So they route potentially harmful traffic through the TOR network to save themselves the trouble. If I myself try to open hybrid-analysis.com through the TOR network, I'm presented with a CloudFlare captcha, because CloudFlare likes to assume all TOR users are bots or criminals. In my opinion, Hybrid Analysis behaves paradoxically here: CloudFlare justifies its captchas with the unwanted traffic it sees from the TOR network, but Hybrid Analysis potentially generates this unwanted traffic.
Regards, Enrico