It's a false positive. I submitted a report and here's the response I received: Every version is also tested when released on Chocolatey (latest results, 0/67).
Hi everyone, how's it going?
I'm looking for help with a funny case involving the Windows-compiled binary of Vale version 3.9.4. This file is part of the zip package "vale_3.9.4_Windows_64-bit.zip" (SHA1: 381B26C3CE38F676FDA25FFDA48995029058696C), which contains the binary in question, "vale.exe" (SHA1: aebddb4d103cad04c5ade3cbb0641ea1830f0da4).
The case: The company I work for has a security policy that requires the analysis of any application requested by employees before allowing installation and/or use on workstations. While the static analysis of vale.exe did not result in any detections by endpoint protection solutions, the dynamic analysis conducted by the Crowdstrike Falcon sandbox matched a YARA rule (win_kronos_g0) related to the Kronos malware family.
After some research, I found what seems to be the rule in question:
According to the sandbox analysis (available at this link), the detection occurred in a file called sample.bin. However, I couldn't confirm if it is part of the Vale binary package.
I would like the community's help to identify if this is indeed a real detection or a false positive.
Below are the reference links related to the analysis process:
Falcon Hybrid Analysis - vale_3.9.4_Windows_64-bit.zip: https://www.hybrid-analysis.com/sample/722ec61fa60b282010021cb50d128d3e1aadd6bba1e3f7f8963e00fb8c919b6d
Falcon Hybrid Analysis - README.md: https://www.hybrid-analysis.com/sample/fbdc869fb6ae1a95940b58e2b1b37ab27baeebecf13071314c42987a1c6008cf
Falcon Hybrid Analysis - vale.exe: https://www.hybrid-analysis.com/sample/8ee37be0bef5fdf52420ebf35f5abfecd75033a14f991acc13dbeb57e704b570
Falcon Hybrid Analysis - Detailed vale.exe sandbox analysis: https://www.hybrid-analysis.com/sample/8ee37be0bef5fdf52420ebf35f5abfecd75033a14f991acc13dbeb57e704b570/679cfe695302d7aaf70a67cc
Malpedia reference for Kronos: https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos
Other relevant data about the binary were found when analyzed with filescan.io, available at the link: https://www.filescan.io/uploads/679d2a56414c56eb9503d015/reports/dd87938a-5862-429e-97bf-d10e4f14af46/overview
Thank you in advance for any help in understanding this behavior.
Thanks!
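One local check a reviewer can run before deciding on a case like this, added here as an example and not part of the original thread: it hashes the archive and every member, reports whether any member is actually named sample.bin, and compares vale.exe against the SHA1 quoted in the post. The zip built below is a constructed stand-in with placeholder contents, so its hashes will not match the published ones; point inspect_archive at the real vale_3.9.4_Windows_64-bit.zip bytes to get the real answer.

```python
import hashlib
import io
import zipfile

# SHA1 of vale.exe as quoted in the post above (published package, not the stand-in).
EXPECTED_VALE_EXE_SHA1 = "aebddb4d103cad04c5ade3cbb0641ea1830f0da4"


def _digests(data: bytes) -> dict:
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def inspect_archive(zip_bytes: bytes, expected_exe_sha1: str = EXPECTED_VALE_EXE_SHA1) -> dict:
    """Hash the archive and each member, then answer the two questions from the post:
    does the package contain a member called sample.bin, and does vale.exe match
    the published SHA1? vale_exe_matches stays None if no vale.exe is present."""
    report = {"archive": _digests(zip_bytes), "members": {},
              "has_sample_bin": False, "vale_exe_matches": None}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            report["members"][info.filename] = _digests(data)
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base == "sample.bin":
                report["has_sample_bin"] = True
            if base == "vale.exe":
                actual = report["members"][info.filename]["sha1"]
                report["vale_exe_matches"] = actual == expected_exe_sha1.lower()
    return report


def build_constructed_zip(include_sample_bin: bool = False) -> bytes:
    """Constructed stand-in for vale_3.9.4_Windows_64-bit.zip; all contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("vale.exe", b"MZ placeholder, not the real binary")
        zf.writestr("README.md", b"# constructed readme\n")
        if include_sample_bin:
            zf.writestr("sample.bin", b"constructed extra member")
    return buf.getvalue()


if __name__ == "__main__":
    r = inspect_archive(build_constructed_zip())
    print("archive sha1:", r["archive"]["sha1"])
    for name, d in r["members"].items():
        print(f"{name}: sha1={d['sha1']} sha256={d['sha256']}")
    print("sample.bin present:", r["has_sample_bin"])
    print("vale.exe matches published SHA1:", r["vale_exe_matches"])
```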