topic Re: AutoHotkeyU.exe disposition is now malicious in Endpoint Security

AutoHotkeyU.exe disposition is now malicious

mski7861 — Thu, 29 Feb 2024 21:16:14 GMT

Anyone else using AutoHotkeyU.exe in their environment and experiencing multiple retrospective quarantine events because the file disposition is now malicious?

I understand what it does, but I'm curious why the disposition recently changed

Re: AutoHotkeyU.exe disposition is now malicious

Matthew Franks — Fri, 01 Mar 2024 13:08:54 GMT

Could you post the SHA256 hash of the file please? Then we can look into why it was marked malicious.

Thanks,

-Matt

Re: AutoHotkeyU.exe disposition is now malicious

Pulkit Mittal — Fri, 01 Mar 2024 13:17:35 GMT

If you trust the sha and its affecting your business critical applications then I suggest whitelisting the SHA until Cisco comes back with an explanation.

Re: AutoHotkeyU.exe disposition is now malicious

mski7861 — Fri, 01 Mar 2024 14:41:30 GMT

@Matthew Franks here are the details:

There appears to be at least 3 versions of AutoHotkey.exe in our environment that are triggering threat detection and retrospective quarantine failure events:

C:\Program Files\AutoHotkey\AutoHotkeyU32.exe / disposition = malicious
SHA256: 9ab9738634810cf54edca5a9937f2eb1ff64f8a221558ca57ef23832b413f5a2
993fcb15d8eb9197f71826d7b60ba86ad407c2c3d31801be2a7e4bac8e1abac3

AutoHotkey.exe / disposition = malicious
945adada6cf6698b949359d9b395a5f905989d0d1eb84f537de492ecc1263148

Re: AutoHotkeyU.exe disposition is now malicious

mski7861 — Fri, 01 Mar 2024 14:47:40 GMT

A little more background:

There are a number of users in our organization that have been using AutoHotKey for quite some time, primarily to automate repetitive tasks. Working with a few end users yesterday, I noticed most were running the older version 1.1.37.01. We uninstalled and installed 2.0.11. There were also a couple users that generated events and were already running version 2.0.11.

So this morning I downloaded and installed both versions in my sandbox and the hash files are different as seen below:

- I downloaded AutoHotKey_1.1.37.01_setup.exe (SHA256: dbf3490648efe876bd9a98d53e4d9110bf5e02a3914c0dd4b2a48db4a09799b5)

- Installed and verified the following files:

- AutoHotkey.exe SHA256: 7d47220e8a09c113b82ba9f366ce2cbe5924b0cc661dc9df93c13e8dbfa1f254 - Talos currently evaluating disposition

- AutoHotkeyU32.exe SHA256: 897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb - Talos currently evaluating disposition

- I also downloaded AutoHotkey_2.0.11_setup.exe (SHA256: 2a3e882103232c1355e2a6a8f1d9bc7cc23134cd)

- Installed and verified the following files:

- AutoHotkey.exe SHA256: f325aa17f9d8b3580b6a89ef8ee18dcf95961a3d28e0d79b7478f9800eba237c - Talos currently evaluating disposition

- AutoHotkey32.exe SHA256: bfde2b58f0a083d9d10e31cd95164d2812575b897e2eb04c6528f30fb2eabdf0 - Talos currently evaluating disposition

Re: AutoHotkeyU.exe disposition is now malicious

Ken Stieers — Fri, 01 Mar 2024 14:59:18 GMT

If you know it's a ln FP, I would add it to the whitelist temporarily and then submit file reputation disputes on talosintelligence.com.

Once Talos clears it, I pull it from the whitelist.

Re: AutoHotkeyU.exe disposition is now malicious

Matthew Franks — Fri, 01 Mar 2024 15:01:54 GMT

Good advice from Ken as always. I submitted the first 3 hashes as FPs because I don't see anything in the report that jumps out to me as overtly malicious. Could you please submit that latest batch if you haven't already and they're showing as malicious?

Thanks,

-Matt