
contacted IP addresses / domains

TheNewGuy
2023-02-03
2023-02-04
  • TheNewGuy

    TheNewGuy - 2023-02-03

    Hi, I'd like to start by thanking you for all the work put into this free open-source software. Now, I've created this thread out of curiosity, since I searched all over and couldn't find an answer for this: why does the installer contact so many IP addresses (and also a few domains)? After looking at the VirusTotal page it made me wonder.

    (EqualizerAPO64-1.3.exe - https://www.virustotal.com/gui/file/2b21e6303beec2be165dd36917113d774356d9818c69f0b22550f5d938c4481a/relations )

     
  • Peter Verbeek

    Peter Verbeek - 2023-02-03

    I also wonder. But as a user of Equalizer APO for about 9 years and as creator of https://sourceforge.net/projects/peace-equalizer-apo-extension/ I know for sure there isn't anything fishy going on. I guess for every app checked on VirusTotal many IP addresses are listed as contacted.

    Equalizer APO is built with C++ and some libraries. Any of them could contain IP addresses. Btw, "contacted" IP addresses doesn't mean they are indeed contacted. VirusTotal can't detect this unless it really installs an app (and it doesn't, for obvious reasons). So the IP addresses listed are "alleged" as being contacted.

    I remember that the developer of Equalizer APO checks his installer on VirusTotal, but I'm not sure. I check every update of Peace on VirusTotal. It's good practice to avoid shipping a virus. Besides, I run 3 antivirus apps and 1 firewall in addition to the Windows protection. I don't know what the developer's setup is.

     
    • Etienne Dechamps

      "Contacted" IP addresses doesn't mean they are indeed contacted. VirusTotal can't detect this unless it really installs an app (and it doesn't, for obvious reasons). So the IP addresses listed are "alleged" as being contacted.

      This is false.

      VirusTotal does run the executable; it just does it in a thoroughly isolated "sandbox" (basically a VM) to prevent the executable from causing any actual damage. This can be seen on the Behavior tab of the analysis, which shows the various sandbox types that were used and which communications were detected. This VirusTotal blog post has more details on this process.

      Looking at the report, I get the impression that all addresses being contacted are Microsoft addresses. My best guess is some kind of telemetry or automatic download from some Microsoft code in the installer, perhaps for installing a runtime or something like that. Given how common Microsoft network traffic is, it could also be some kind of background traffic that is not directly caused by the executable being studied. In any case, this is almost certainly benign.

      • Peter Verbeek

        Peter Verbeek - 2023-02-04

        Thanks, Etienne. As usual your knowledge exceeds mine. I have the same idea, that most are Microsoft related. But I haven't checked all IP addresses, so I can't say if that was the case. It's logical to presume that's the installer.

         

        Last edit: Peter Verbeek 2023-02-04
  • TheNewGuy

    TheNewGuy - 2023-02-03

    Exactly, Etienne. VirusTotal also does that, which is great: for example, the "Microsoft Sysinternals" sandbox reports traffic to 44 IP addresses and a few DNS resolutions when running the executable. But your reasoning makes sense to me; thanks for the input. Not that I was worried about something shady, just curious really.

     
    • Peter Verbeek

      Peter Verbeek - 2023-02-04

      Okay, but I'm wrong about the "contacted" part (see Etienne's post). I couldn't imagine that VirusTotal spends the hard disk space and computing power to actually install the app and report on their findings. VirusTotal is awesome!

       

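The triage Etienne describes above (look at which sandbox observed the traffic, then check whether the destinations are attributable to Microsoft) is easy to automate once the report is pulled through the VirusTotal API. The script below is an added example, not code from the thread or from the Equalizer APO project. It works offline on two constructed JSON documents whose shape is assumed to follow the VirusTotal API v3 `contacted_ips` relationship and `behaviour_summary` endpoints; the IP addresses (RFC 5737 documentation ranges), AS owners other than the Microsoft one, hostnames and detection counts are all invented for illustration and are not taken from the report linked in the thread. The `TRUSTED_OWNER_PATTERNS` list and the verdict names are the example's own choices.

```python
import re
from collections import Counter

# Constructed sample shaped like GET /files/{sha256}/contacted_ips (assumed
# VirusTotal API v3 shape). Addresses are RFC 5737 documentation ranges and the
# non-Microsoft AS owners and detection counts are invented for this example.
SAMPLE_CONTACTED_IPS = {
    "data": [
        {"type": "ip_address", "id": "192.0.2.10",
         "attributes": {"asn": 8075, "as_owner": "MICROSOFT-CORP-MSN-AS-BLOCK",
                        "country": "US",
                        "last_analysis_stats": {"malicious": 0, "suspicious": 0}}},
        {"type": "ip_address", "id": "192.0.2.11",
         "attributes": {"asn": 8068, "as_owner": "MICROSOFT-CORP-MSN-AS-BLOCK",
                        "country": "IE",
                        "last_analysis_stats": {"malicious": 0, "suspicious": 0}}},
        {"type": "ip_address", "id": "198.51.100.7",
         "attributes": {"asn": 64496, "as_owner": "EXAMPLE-HOSTING-LLC",
                        "country": "NL",
                        "last_analysis_stats": {"malicious": 3, "suspicious": 1}}},
        {"type": "ip_address", "id": "203.0.113.5",
         "attributes": {"asn": 64497, "as_owner": "EXAMPLE-CDN-INC",
                        "country": "US",
                        "last_analysis_stats": {"malicious": 0, "suspicious": 0}}},
    ]
}

# Constructed sample shaped like GET /files/{sha256}/behaviour_summary (assumed
# v3 shape): the network traffic the sandboxes actually observed. Note that
# 203.0.113.5 is listed as "contacted" above but never appears here.
SAMPLE_BEHAVIOUR_SUMMARY = {
    "data": {
        "ip_traffic": [
            {"destination_ip": "192.0.2.10", "destination_port": 443,
             "transport_layer_protocol": "TCP"},
            {"destination_ip": "192.0.2.11", "destination_port": 443,
             "transport_layer_protocol": "TCP"},
            {"destination_ip": "198.51.100.7", "destination_port": 8080,
             "transport_layer_protocol": "TCP"},
        ],
        "dns_lookups": [
            {"hostname": "update.example.com", "resolved_ips": ["192.0.2.10"]},
        ],
    }
}

# AS-owner patterns treated as "expected" for an installer that pulls Microsoft
# runtimes or sends Microsoft telemetry. Assumption of this example: AS owner
# attribution is a heuristic, since Azure ranges also host third-party tenants.
TRUSTED_OWNER_PATTERNS = [re.compile(r"\bMICROSOFT\b", re.IGNORECASE)]


def observed_traffic(behaviour):
    """Map destination IP -> set of (protocol, port) the sandboxes saw."""
    seen = {}
    for flow in behaviour["data"].get("ip_traffic", []):
        key = flow["destination_ip"]
        seen.setdefault(key, set()).add(
            (flow.get("transport_layer_protocol"), flow.get("destination_port")))
    return seen


def triage(contacted, behaviour, trusted=TRUSTED_OWNER_PATTERNS):
    """Classify each contacted IP using AS owner, engine verdicts and whether
    any sandbox actually observed traffic to it."""
    seen = observed_traffic(behaviour)
    rows = []
    for item in contacted["data"]:
        attrs = item.get("attributes", {})
        owner = attrs.get("as_owner", "")
        stats = attrs.get("last_analysis_stats", {})
        flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
        ports = seen.get(item["id"], set())
        if flagged:
            verdict = "investigate"        # engines flag the IP regardless of owner
        elif any(p.search(owner) for p in trusted):
            verdict = "expected"           # clean and attributed to a trusted owner
        else:
            verdict = "unknown-owner"      # clean but nobody vouches for it
        rows.append({"ip": item["id"], "asn": attrs.get("asn"), "owner": owner,
                     "flagged": flagged, "observed": bool(ports),
                     "ports": sorted(ports), "verdict": verdict})
    return rows


def summarize(rows):
    """Count verdicts so a 44-address report collapses to a one-line answer."""
    return Counter(r["verdict"] for r in rows)


if __name__ == "__main__":
    result = triage(SAMPLE_CONTACTED_IPS, SAMPLE_BEHAVIOUR_SUMMARY)
    for r in result:
        print(f"{r['ip']:<15} AS{r['asn']:<6} {r['owner']:<28} "
              f"observed={r['observed']!s:<5} flagged={r['flagged']} -> {r['verdict']}")
    print(dict(summarize(result)))
```

Against a real report you would replace the two constructed dictionaries with the JSON returned by the two endpoints for the installer's SHA-256. The "observed" column is the point of the thread: an address that appears under "contacted" but in no sandbox's `ip_traffic` deserves a second look at where VirusTotal sourced it, and an address that is clean and Microsoft-owned but was reached over an unusual port is still worth a glance at the process that opened the connection.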