4

Using Personal Edition v20.2 of MobaXterm on Windows 10...

Is there any problem with removing a strange file like C:\Users\USERNAME\Documents\MobaXterm\slash\bin\xwin_mobax.exe?

PS: this page says that xwin_mobax.exe is a virus, and Windows asked about permission (I cancelled).

Peter Krauss
  • 13,174
  • 24
  • 167
  • 304

2 Answers

4

The page link that you mentioned in your post describes checking the running processes associated with the MobaXterm program; if you find those suspicious then it can be dangerous, but they are not categorizing it as a threat, since it is a tool for SSH and, as you know, for that it reads keystrokes and mouse inputs.

So the simple answer is NOT currently, but if you observe some unusual behavior by its process then it can be.

darth vader
  • 501
  • 8
  • 11
  • Thanks MountainLion for your interpretation of link contents (!). About the "remove a strange file" question, `xwin_mobax.exe` can be deleted? – Peter Krauss Sep 22 '20 at 00:28
  • Yes if you don't intend to use that software anymore and free up some space on machine then definitely you can. – darth vader Sep 22 '20 at 01:06
  • Hi, the question is not about "delete MobaXterm" but about **delete `xwin_mobax.exe` (without corrupting MobaXterm)**, can you check that it is possible? – Peter Krauss Sep 22 '20 at 04:23
  • Seems that all evidence is 1 of 40 (2.5%) detection engines that say that it is a kind of trojan... And the only reference is [metadefender YnpJd01EUXdNWEo1YUhSSmFEQXRSRlVyMWlGMkNidzg](https://metadefender.opswat.com/results/file/YnpJd01EUXdNWEo1YUhSSmFEQXRSRlVyMWlGMkNidzg/regular/overview?lang=en) cited by [joesandbox](https://www.joesandbox.com/analysis/228433/0/html)... – Peter Krauss Sep 22 '20 at 20:57
  • Another report, [hybrid-analysis](https://www.hybrid-analysis.com/sample/92b704b967c79d37a1e9df072239098b2fd9126c18de3714e6341be36e14bc99/5e2aea0764292e57a5232544), says that 1 of 22 (4%) detection engines suspected it. The main evidence seems to be a "... known anti-VM trick", which is not an attack but a suspicion to be confirmed as an attack or not (in this case Moba's function is to do SSH connections). – Peter Krauss Sep 22 '20 at 21:06
  • Strange that the question uses `\Documents` (`\Documents\MobaXterm\slash\bin`), not `AppData` as in `C:\Users\user\AppData\Local\Temp\Mxt202\bin\XWin_MobaX.exe` (see [here](https://www.joesandbox.com/analysis/228433/0/html)). Perhaps the whole `\Documents` Moba installation can be deleted – Peter Krauss Sep 22 '20 at 21:12
  • Was there any event which made you suspicious about this software and you started digging? – darth vader Sep 22 '20 at 22:44
  • Windows asked if I wanted to give permission for the executable to do something... I didn't give permission, and it stopped asking. I didn't uninstall Moba because I need it at my job. – Peter Krauss Sep 24 '20 at 01:12
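Before deciding whether to delete the file, a defender would first confirm that the copy on disk is the same sample those reports analysed. The following PowerShell check is an added example, not code from any answer above: it hashes the file at the path from the question, compares the SHA-256 with the hash embedded in the hybrid-analysis URL from the comments, and reads the file's Authenticode signature.

```powershell
# Added example: verify the on-disk xwin_mobax.exe against the sample hash from
# the hybrid-analysis link in the comments, and inspect its code signature.
$Path = "$env:USERPROFILE\Documents\MobaXterm\slash\bin\xwin_mobax.exe"   # path from the question
$ReportedSha256 = '92b704b967c79d37a1e9df072239098b2fd9126c18de3714e6341be36e14bc99'  # hash from the hybrid-analysis URL

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "File not found: $Path"
    return
}

# SHA-256 of the local file and its Authenticode signature
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -LiteralPath $Path

[pscustomobject]@{
    Path            = $Path
    Sha256          = $hash
    MatchesReport   = ($hash -ieq $ReportedSha256)   # True if it is the sample the public reports rated
    SignatureStatus = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
    Signer          = $sig.SignerCertificate.Subject # empty when the file is unsigned
}
```

A match only tells you the file is the same sample that the linked reports scored as mostly clean; whether MobaXterm keeps working without it is a separate question that the hash cannot answer.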
1

Did you check this?

1 Antivirus labeled it as Trojan.Heur

The most significant indicator is an Anti-VM trick

(You can also check here and here)
Conclusions:

aga
  • 21
  • 4