False positive?

Get help with using AutoHotkey (v1.1 and older) and its commands and hotkeys
bobelyk
Posts: 64
Joined: 26 Jun 2021, 16:55

False positive?

Post by bobelyk » 03 Nov 2021, 22:21

I think I got infected...

So far I was able to edit my scripts and compile them with no false positives.

Now I can compile my old script without a false positive, but as soon as I edit it, I get Trojan:Win32/Wacatac.B!ml

Whoever I send the exe to gets it too, but if I create it on VMware, it doesn't trigger.

I have run a Windows Defender full scan and it found it as well on several files on this path:

file: C:\Users\Cxm\AppData\Local\Temp\RCX6AE1.tmp

The most curious thing is that if I edit the script with a single '';;;;;;;;;;;;'' line before compiling, it doesn't trigger Windows Defender,
but creating a new file with a simple sleep 10 will trigger it when attempting to compile.

Pretty sure I'm infected as Chrome is acting weird lately, any fix?

SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: False positive?

Post by SOTE » 04 Nov 2021, 02:42

bobelyk wrote:
03 Nov 2021, 22:21
I think I got infected...
Now I can compile my old script without a false positive, but as soon as I edit it, I get Trojan:Win32/Wacatac.B!ml...
whoever I send the exe to gets it too...
I have run a Windows Defender full scan and it found it as well on several files on this path
file: C:\Users\Cxm\AppData\Local\Temp\RCX6AE1.tmp
As you are using Windows Defender, my first suggestion is to submit your compiled executable to Microsoft. Tell them that you believe it's a false-positive (https://www.microsoft.com/en-us/wdsi/filesubmission). They will usually give you back a verdict/response within 24 hours.

You may want to refer to this post- viewtopic.php?f=17&t=62266 (Report False-Positives To Anti-Virus Companies)

The other element about this is what your script is actually doing. If your script is performing Trojan-like behavior, then that can be why it's identified as such. So, let's be honest about what is going on, if that is actually the case. Professional antivirus researchers and companies are not stupid. There have been various previous AutoIt, AutoHotkey, etc. scripts doing malicious activity. Researchers have recovered the source code and identified exactly what those types of scripts were doing (their analysis is on the Internet, by the way). So if your script is doing highly questionable activities, then yeah, you will run into issues with antivirus companies. They might identify some code or behavior in your script that looks similar to bad code they have seen before.

Now, if your script is not doing anything malicious, and the antivirus company is being lazy and blanket identifying the open-source AutoHotkey files (autohotkey.exe, ahk2exe.exe, etc...) from the official website or GitHub as malware then you should make sure they correct their error and poor business practices. This is also good for the AHK community, and to prevent attempts at trying to give AutoHotkey a bad reputation when it doesn't deserve such.

After you have clarified or know for sure that your script is indeed safe, you can also make an exception for it, if your antivirus software is still giving you false-positive alerts. But this is only recommended after you have fully investigated the issue and are confident about what you are doing.
chrome is acting weird lately...
This can be looked at in different ways. Is your script interacting with Chrome? If not, then that may not be the issue. You might want to look at various Chrome extensions that you have, and remove any suspicious ones or those that have an unknown reputation.

Another aspect to this is when you do downloads with Chrome or Edge. Websites that have a bad reputation or are serving known malware can be blocked or set off warnings. In various cases Chrome or Edge are wrong about what they're reporting. If you know for sure that's the situation (where the Chrome/Edge alert is wrong), then you should report that to them and/or make an exception for that website.

amateur+
Posts: 655
Joined: 09 Oct 2021, 15:43

Re: False positive?

Post by amateur+ » 04 Nov 2021, 03:22

SOTE wrote: The other element about this, is what your script is actually doing.
Topic starter said that even creating a new file with a simple sleep 10 will trigger Trojan:Win32/Wacatac.B!ml when attempting to compile.
Have found any drawback in my code or approach? Please, point it out. /The moderator ordered to remove the rest of the signature, I had obeyed.
And I really apologize for our russian president. Being a citizen of an aggressor country is very shameful. Personally I tried to avoid this trying to defend elections from fraud being a member of the election commission of one of the precincts but only was subjected to a hooligan attack and right before the vote count was illegally escorted from the polling station and spent the night behind bars (in jail) in a result of illegal actions of corrupt policemen.

SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: False positive?

Post by SOTE » 04 Nov 2021, 03:59

amateur+ wrote:
04 Nov 2021, 03:22
SOTE wrote: The other element about this, is what your script is actually doing.
Topic starter said that even creating a new file with a simple sleep 10 will trigger Trojan:Win32/Wacatac.B!ml when attempting to compile.
We don't know the full scope of what is in the OP's script (which he didn't publish for us to see) or know everything he is doing/has done. He could have copied and pasted something from the Internet, the script could be hundreds of lines long or have includes, he could have downloaded his AutoHotkey files from some unauthorized site, etc...

Typing inappropriate code, like Sleep 10 instead of Sleep 100, or simple one-line scripts will not magically turn an AutoHotkey compiled script into a Trojan.

If he is getting malware alerts from Defender, he can submit the files directly to Microsoft, where their professionals can analyze what is really going on.

amateur+
Posts: 655
Joined: 09 Oct 2021, 15:43

Re: False positive?

Post by amateur+ » 04 Nov 2021, 04:42

SOTE wrote:
04 Nov 2021, 03:59
We don't know the full scope of what is in the OP's script (which he didn't publish for us to see)
1. Creation of NEW file. e.g. new.ahk
2. Edit it: now it contains THE ONLY line: sleep 10 (or sleep 100 if you want).
3. Trying to compile this 1-line code...
4. And our hero gets a Trojan:Win32/Wacatac.B!ml alert from Microsoft Defender.

SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: False positive?

Post by SOTE » 04 Nov 2021, 06:34

amateur+ wrote:
04 Nov 2021, 04:42
SOTE wrote:
04 Nov 2021, 03:59
We don't know the full scope of what is in the OP's script (which he didn't publish for us to see)
1. Creation of NEW file. e.g. new.ahk
2. Edit it: now it contains THE ONLY line: sleep 10 (or sleep 100 if you want).
3. Trying to compile this 1-line code...
4. And our hero gets a Trojan:Win32/Wacatac.B!ml alert from Microsoft Defender.
Not sure what the issue you are having is about. Because there is nothing in what you typed that could solve the mystery or resolve the issue. If the OP sends his compiled file to Microsoft (and he can include his .ahk file too), their professionals are best equipped to evaluate if there is really a threat. Maybe you are a trained security professional working at an antivirus company, but I would guess 95% plus of people using AHK or here are not.

It also appears you might be injecting your beliefs of what is happening versus what the OP described. With that typed, I do agree that there is a bit of fuzziness about what the OP typed, so figuring out exactly what is going on will be difficult without more details. But, he did mention "compile" and "send exe".
Now i can compile my old script without false positive, but as soon as i edit it, i get Trojan:Win32/Wacatac.B!ml
whoever i send the exe gets it too
From the above quote, I'm assuming he is editing and then recompiling the file, versus attempting to edit the .exe directly. But who knows... My advice is to send the file to Microsoft, because they should at least provide more details, so not sure what part of that is creating difficulty for you.

boiler
Posts: 17390
Joined: 21 Dec 2014, 02:44

Re: False positive?

Post by boiler » 04 Nov 2021, 06:52

@SOTE — In the first post, it was stated:
bobelyk wrote:
03 Nov 2021, 22:21
but creating a new file with a simple sleep 10 will trigget it when attempting to compile.
Why are you saying we don’t know the contents of the script, and why are you not accepting when the above is pointed out? It’s a simple statement that even a script containing only a Sleep statement will cause the issue, so it directly addresses these parts of your statement:
SOTE wrote:
04 Nov 2021, 03:59
We don't know the full scope of what is in the OP's script (which he didn't publish for us to see)... He could have copied and pasted something from the Internet, the script could be hundreds of lines long or have includes…
It’s not meant to refute your recommendation of sending files to Microsoft. It’s just clarifying that one point that the file getting flagged is unrelated to the contents of the script itself.

SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: False positive?

Post by SOTE » 04 Nov 2021, 13:33

@boiler

I'm not concerned with the OP's statement about a "sleep 10" compiled script, because that by itself would not ordinarily cause a Trojan alert from Defender. If I'm overlooking something about that, please do enlighten me. You (Boiler) are quite an experienced AHKer, so trust that I will pay attention.

And, I'm a bit puzzled as to why people are getting wrapped up about such. When OPs don't post their script, we can't be sure what they actually did or are doing (as can be a whole chain of different projects and scripts) or even where they got their AutoHotkey files from (unless they tell us). We are seeing a somewhat convoluted description from what I presume to be a non-programmer. Of which, and I'm not making fun of anybody, reflects that we are not dealing with experts on malware (including myself).

Thus, arguably the better path to take is to submit all the suspicious files to Microsoft (who do employ experts) and let them weigh in on what they think. If Microsoft says they believe the AutoHotkey files used to compile the script are safe, then the OP can probably (or consult a 2nd opinion) ignore the Trojan alerts and make an exclusion/exception. Maybe it's not anything to do with AutoHotkey or they were not using genuine files from here or GitHub, and the issue is something else on their computer. So now they can eliminate AutoHotkey as the problem and focus on other files that might be causing the issue.
boiler wrote:
04 Nov 2021, 06:52
It’s not meant to refute your recommendation of sending files to Microsoft. It’s just clarifying that one point that the file getting flagged is unrelated to the contents of the script itself.
That's what I was trying to convey, but apparently was not understood. Rather than focus on the contents of the script, the OP should be worried about the interpreter/AutoHotkey files he's using (AutoHotkey.exe, ahk2exe, etc.). Send the files to Microsoft, and then hopefully the OP comes back and tells us the result. It would also be good if the OP did a complete antivirus scan of their computer with Defender to see if it will find anything else.

In addition to Defender, the OP or others might want to try also using the Microsoft Safety Scanner. Some IT people put it on a bootable USB drive, boot from USB, and then run the Microsoft Safety Scanner from there. That, or boot into Safe Mode, then run it. This can help if the person is dealing with sneaky Trojans that are hiding themselves in various ways.

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

amateur+
Posts: 655
Joined: 09 Oct 2021, 15:43

Re: False positive?

Post by amateur+ » 04 Nov 2021, 17:31

SOTE wrote:
04 Nov 2021, 13:33
If Microsoft says they believe the AutoHotkey files used to compile the script are safe, then the OP can probably (or consult a 2nd opinion) ignore the Trojan alerts and make an exclusion/exception.
I suppose it isn't a good idea. As I've understood, new.ahk is safe, AutoHotkey.exe is safe, Ahk2Exe.exe is safe, but the compiled file new.exe triggers an alert.
So what do you offer to ignore? An alert for new.exe? Hm...

Let's do this... I'll create this new.ahk file (ANSI) with a single "sleep 10" inside. Then I'll compile it (just right-click on new.ahk and then choose "Compile Script"; I have x64 Win10). And I'll be checking hash sums all the way. Let's check SHA256. We can look it up on https://www.virustotal.com
bobelyk will do the same. We will compare our hash sums, assuming I haven't got that virus (I use Microsoft Defender also).
  • new.ahk (ANSI): 6e636d09792d59c0e1ebba501b7179981193cc6c572c96f3e5c0ca939b27d3e4
  • new.exe: 47de18a22e2c1f0ec55889a4e105a7f18fce94f148b5d8f238cca208c2f5595d
  • Ahk2Exe.exe: 55f74178bb436ba04b69f396ae8c74bf88bd6dd846932c8946effde23d1b6a10

For new.ahk hash sum is the same as for text "sleep 10", so it would be strange to get anything else except 6e636d09792d59c0e1ebba501b7179981193cc6c572c96f3e5c0ca939b27d3e4.
Also I'll attach bobelyk.rar archive with all my files:
new.ahk
new.exe
Ahk2Exe.exe

As for Virustotal.com alerts:
For new.exe: (VirusTotal screenshot, not reproduced)
For Ahk2Exe.exe: (VirusTotal screenshot, not reproduced)
Attachment: bobelyk.rar (857.26 KiB)
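The hash comparison amateur+ proposes above, and SOTE's earlier advice to confirm the toolchain files before touching any Defender exclusion, can be done in one step on the affected machine. The script below is an added example written for this thread, not code posted by either of them or shipped with AutoHotkey. It assumes new.ahk, new.exe and Ahk2Exe.exe sit in the current folder and uses the SHA256 values amateur+ posted as the reference set; the `Get-Mp*` cmdlets come with the Defender PowerShell module present on Windows 10.

```powershell
# Added example for this thread (not from the original posts).
# Reference hashes: the SHA256 values amateur+ posted for an ANSI new.ahk
# containing only "sleep 10", the new.exe compiled from it, and Ahk2Exe.exe.
$Reference = @{
    'new.ahk'     = '6e636d09792d59c0e1ebba501b7179981193cc6c572c96f3e5c0ca939b27d3e4'
    'new.exe'     = '47de18a22e2c1f0ec55889a4e105a7f18fce94f148b5d8f238cca208c2f5595d'
    'Ahk2Exe.exe' = '55f74178bb436ba04b69f396ae8c74bf88bd6dd846932c8946effde23d1b6a10'
}

# Hash each file in $Folder and report match / MISMATCH / missing per file.
function Compare-FileHashes {
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [string]$Folder = '.'
    )
    foreach ($name in $Expected.Keys) {
        $path = Join-Path $Folder $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $name; Status = 'missing'; Actual = $null }
            continue
        }
        # Get-FileHash returns upper-case hex; the posted values are lower-case.
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $status = if ($actual -eq $Expected[$name].ToLower()) { 'match' } else { 'MISMATCH' }
        [pscustomobject]@{ File = $name; Status = $status; Actual = $actual }
    }
}

Compare-FileHashes -Expected $Reference | Format-Table -AutoSize

# Defender's own record of what it flagged: the compiled exe, the compiler,
# and the RCX*.tmp files Ahk2Exe writes in %TEMP% while building.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'new\.exe|Ahk2Exe\.exe|RCX[0-9A-F]+\.tmp' } |
    Select-Object InitialDetectionTime, ThreatID,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Sort-Object InitialDetectionTime -Descending |
    Format-Table -AutoSize

# Resolve the numeric ThreatID above to the name Defender shows in the UI.
Get-MpThreat | Select-Object ThreatID, ThreatName | Format-Table -AutoSize
```

Two caveats when reading the output. A compiled AutoHotkey exe is the base interpreter binary with the script appended, so new.exe will only hash-match amateur+'s copy if the same Ahk2Exe version, base file and options were used; a mismatch there says "different build", not "infected", whereas a mismatch on Ahk2Exe.exe against the file from the official download does warrant attention. And the `!ml` suffix on Trojan:Win32/Wacatac.B!ml marks a machine-learning detection rather than a signature match, which is why tiny, freshly built executables like a one-line compiled script get caught so readily; Microsoft's file submission form referenced earlier in the thread is the right place to get that verdict reviewed before adding any exclusion.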

bobelyk
Posts: 64
Joined: 26 Jun 2021, 16:55

Re: False positive?

Post by bobelyk » 04 Nov 2021, 19:05

edit

bobelyk
Posts: 64
Joined: 26 Jun 2021, 16:55

Re: False positive?

Post by bobelyk » 04 Nov 2021, 19:06

The alert now changed to ransomware found: Ransom:Win32/StopCrypt!ml

Update 2: the Wacatac trojan alert is just triggering when I add my usual icon to the .exe before compiling.
Update 3: after using a freshly downloaded .ico image, the compiled file isn't showing the icon I chose, just the regular green-background white-H AHK file icon.
Update 4: the behaviour doesn't occur when compiling a script containing the text ' MsgBox, hi so it must be a line in my script that is triggering it, I will keep updating (also, before updating AutoHotkey to the latest version (including the compiler itself), I was able to compile the same script (with my usual icon); I just wasn't able to compile as soon as I added a new line (;;;; didn't affect it, just any relevant line)).

SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: False positive?

Post by SOTE » 05 Nov 2021, 02:29

@amateur+

We can't assume that the OP's AutoHotkey files are legitimate, not tampered with, or the same as the genuine files from GitHub and this website. From the OPs description, his alerts center around his usage of AutoHotkey. Have the AutoHotkey files (AutoHotkey.exe, Ahk2exe, etc...) tested by Microsoft, which will possibly eliminate them as being the issue.

Sending your personal AutoHotkey files to bobelyk, is not quite the same as him getting them from Github or this website. We know that the genuine files from GitHub and this website are not Trojans and are safe. What we don't know is what is causing the issues of bobelyk, which is why he arguably needs to consult professionals.

Having the files sent to Microsoft then becomes a reference point for what actions the OP should take next. Not just the AutoHotkey files, but any files that bobelyk suspects to be odd. As nobody here (including you and myself) is a malware expert working for a large corporation, submitting files will take a significant amount of guesswork out of the equation. Otherwise, we will be sitting around making guess after guess. The OP will be sitting around describing weird thing after weird thing. I would think that the OP wants more definitive answers and suggestions.

miracle
Posts: 14
Joined: 24 Jan 2020, 12:22

Re: False positive?

Post by miracle » 06 Nov 2021, 02:57

It's 99% not AHK/the compiled file. It is Windows Defender. I had many struggles at work when I tried to give a compiled exe to colleagues. First Defender didn't flag the file, then flagged it. Adding contents to the ahk script before compiling, changing content etc. worked sometimes, then again not. And I wouldn't say copying, deleting files, batch printing etc. are dangerous "actions".

So try to compile it with different options. But be assured, if the AHK is downloaded from the official source it is clean. On my home PC Comodo flags pip in PyCharm as a trojan :crazy: Luckily it is easy to ignore the alert temporarily. At work with all the restrictions it is not possible. Anyway, on my work PC I used my big scripts uncompiled without any alerts from Defender.
