Here is the MalwareTips thread of it: Hot Take - Sirius LLM by VoodooSoft / CyberLock | MalwareTips Forums (Mops21)
I believe that the process that remains active (I think) in the portable version needs to be improved.
Yes, Malwarebytes Browser Guard also tries to block access to the SiriusGPT download page. Have reported this directly to Dan in case he wants to take it up with them directly. The occupational hazard of absolutely brand new apps of this type.
Had a good run out with this today and will probably keep it on my machine. I like the scan write up when you browse to a file, very comprehensive. I wanted to know more about the GenDigital file... MDES SDK v4 3rd party host.... now I know loads Sirius itself has very little impact for me on my machine.
The old and the new threads:
- Hot Take - Sirius LLM by VoodooSoft / CyberLock | MalwareTips Forums
- Introducing SiriusGPT: The First Real-Time GPT / LLM AI based Antimalware Solution | MalwareTips Forums
And here is where the new one was posted: SiriusGPT: The First Real-Time GPT / LLM AI based Antimalware Solution | Wilders Security Forums (Mops21)
Version 0.70 now available and installed. Working well. https://www.cyberlock.global/Sirius.aspx (The previous 0.69 portable can be uninstalled via clicking on the little trash can at the top of the interface.)
Version 0.71 now installed and working okay. I believe that the next build/version will auto update. https://www.cyberlock.global/Sirius.aspx
I'm normally super skeptical where it involves the AI craze lately, but testing this one is completely acceptable to me and it did a good job so far. Just like usual my old Windows programs get flagged but are harmless, like RunMe and Belvedere, a couple of applications from Windows XP that are useful to me. The Unsigned is perfectly normal and expected, has been flagged for years. I will make this a keeper.
I have to be honest. When I first saw the name, the first thing that popped up in my mind was that Dan had added a Sirius Radio to his list of programs.
Note that this is really a file verdict application and is rather cool in my opinion. It comes in a portable version and can be added to the Context Menu. Rather handy for a quick analysis of an unknown program that one may want to run (and not just rely on a VT analysis). As an example, if a person sent this one (Cruelsister's Rootkit Magic.exe) to Sirius LLM the resulting analysis would be:

Sending request to SiriusLLM Model 0...
Model 0 confidence (85% Malicious) is below the 90% confidence threshold. Sending request to Model 1...
Selected result: Malicious with 95% confidence from Model 1.
Total tokens: 3848 (2992 request / 856 response)
File path: C:\Users\User\OneDrive\Desktop\Cruelsister's Rootkit Magic.exe
File publisher: This file is a signable file type but has not been digitally signed.
WhitelistCloud verdict: Not Safe
Final Verdict: Not Safe with 95% confidence.

## Analysis Summary
The file presents multiple red flags: its filename and version-info strings openly advertise “Rootkit Magic,” it is unsigned, lacks ASLR/DEP protections, and WhitelistCloud flags it as malicious. The entropy of the first section (7.99) is consistent with packed/encrypted code, while the requested-execution level is undefined, allowing potential elevation. Although the import table is tiny and contains only a few benign-looking APIs, this minimal surface is typical of shellcode loaders or droppers whose main payload is unpacked at runtime. Taken together, the indicators point to deliberate concealment and malicious intent rather than legitimate software.

## Detailed Analysis
- **Metadata & naming**: FileDescription “System Zapper” and ProductName “Rootkit Magic” are self-incriminating; no legitimate vendor ships software with such names.
- **Signature & protections**: Unsigned, no ASLR/DEP, no debug directory, and a zero checksum—an extremely uncommon combination for benign executables after 2011.
- **Section layout**: Three sections; first section entropy 7.99 (highly packed/encrypted), second 5.85 (moderate), third 4.46 (resources). Physical sizes much smaller than virtual sizes for the first two sections—classic packing.
- **Imports**: Only nine functions, all high-level (GetModuleHandleA, GetProcAddress, ShellExecuteExA, etc.). This sparse set is typical of a stub whose purpose is to decode and launch embedded shellcode or another PE.
- **Exports**: None—expected for a loader/dropper.
- **Strings**: Only standard version-info keys plus the API names already seen in the IAT; no hard-coded URLs, C2, or other plaintext indicators, again consistent with packed content.
- **WhitelistCloud**: Already marked malicious (though we do not rely solely on this).

### Portable Executable Imports
The import list is deliberately minimal. GetProcAddress and GetModuleHandleA are used for dynamic resolution of additional APIs at runtime—common in shellcode and packed malware. ShellExecuteExA can launch arbitrary commands or scripts, providing a simple code-execution primitive. BitBlt and InitCommonControls are present but are likely red-herrings or used by a decoy window to appear legitimate. No cryptographic or networking APIs are statically imported, reinforcing the likelihood that functionality is resolved dynamically after unpacking.

### Portable Executable Exports
No exports exist; this is expected for a dropper or loader whose sole job is to execute embedded payload code rather than provide services to other modules.

### Portable Executable Strings
Human-readable strings are limited to version-info fields and the API names already in the IAT. The absence of debug paths, URLs, or error messages suggests the author stripped or encrypted meaningful text. The only telling strings—“System Zapper” and “Rootkit Magic”—are self-declarations of malicious intent.

### Likely Type or Purpose
The binary is most probably a trojanized dropper or loader. Its high-entropy code section, tiny import table, and self-declared “rootkit” branding indicate it unpacks and executes a hidden payload—likely a kernel or user-mode rootkit or remote-access tool.

Malware type: Rootkit
Malware name: RootkitMagic.Dropper
Final verdict: Malicious with 95% confidence
Portable 0.72, which I just downloaded, doesn't show Analysis Type:, which would be the interesting part; all I see is a few programs flagged as not safe, which are all unsigned but are actually safe. Not much to go on. What am I missing? Also, some text truncation which may be related to not being DPI conform. Maximize is broken too.
Snapshot scan WON'T just yet. Select a single file with BROWSE, THEN the AI Model Analysis will unfold a host of information going through those LLM Models' siftings. For me it's like PE Studio (executable file unpacker/VirusTotal Scan) on hyper vitamins, which gives you a more comprehensive (sandbox analysis-like) comparison AND THEN verdict/decision.
I wanted to thoroughly uninstall my Razer 4 Synapse mouse software because it's giving me problems, so I wanted to use a program called Uninstalr, from the same developer as the jv16 PowerTools software. But SiriusGPT is giving me the below results for both the setup and the portable version of Uninstalr. I believe it's a false positive.

Program download: https://uninstalr.com/download/
Company info: https://greatsoftwarecompany.com/
VirusTotal results for Setup installer: https://www.virustotal.com/gui/file...b45fc7c98230c214959b26073897fdd929fa75510b88/
VirusTotal results for Portable version: https://www.virustotal.com/gui/file/78880d718e9f0976ee482a9577099124bcbb8fdc959663603ceba28eb1c8b97c

SiriusGPT results for Setup installer:

Total tokens: 0 (0 request / 0 response)
File path: c:\username\desktop\uninstalr_setup.exe
File hash: 83e067347e83e60335fcb45fc7c98230c214959b26073897fdd929fa75510b88
File size: 6.06 MB
File publisher: Great Software Company OÜ
Digital signature verified: True
Counter signer: EnVers Group SIA
WhitelistCloud verdict: Not Safe
Final Verdict: Not Safe with 85% confidence.

## Analysis Summary
The file presents itself as “Uninstalr_Setup.exe”, claims to be an installer for an uninstaller utility, and is digitally signed by “Great Software Company OÜ”. Despite the benign appearance, several red flags emerge:
- Overlay is 6.2 MB (97 % of the file) with maximal entropy (8.0), indicating packed/encrypted content.
- Imports contain registry manipulation, token-privilege escalation, and file-deletion primitives—useful for both installers and malware.
- RequestedExecutionLevel is “requireAdministrator”, giving it elevated rights.
- WhitelistCloud flags it as malicious (though we treat this as secondary).
No network imports, no exports, and no obviously hostile strings are present, but the entropy and overlay size are far beyond what legitimate installers usually carry. The combination of high entropy overlay, privilege escalation imports, and an unverifiable publisher name pushes the balance toward malicious.

## Detailed Analysis
### PE Structure & Entropy
- Five sections; section-1 entropy 6.4, overlay entropy 8.0 (maximal).
- OverlaySize 6200976 bytes (97 % of file) – classic marker for encrypted stub, second-stage payload, or resource-based dropper.
### Imports
- ADVAPI32: Reg*, AdjustTokenPrivileges, LookupPrivilegeValueW – registry tampering & token elevation.
- SHELL32: SHFileOperationW, ShellExecuteExW – file/shortcut manipulation and arbitrary process launch.
- COMCTL32/GDI/USER32: heavy GUI imports consistent with installer front-end.
- No Winsock/WinInet/URL imports – no obvious network activity in the PE import table.
### Exports
- None – normal for installers.
### Strings
- Top readable strings are DLL names and API names already reflected in the import table; no URLs, IPs, or suspicious hard-coded file paths.
### Digital Signature
- Signed July 2023, chain verifies, but publisher “Great Software Company OÜ” is not a recognised software vendor; counter-signer also obscure. Signature validity alone does not outweigh behavioural indicators.
### WhitelistCloud
- Reports “Malicious”; treated as supporting evidence only.
### Likely Purpose
The extreme overlay entropy and size, plus privilege-escalation imports, are consistent with a stub-dropper: the small PE loader unpacks/decrypts the 6 MB overlay and executes embedded content with administrator rights. While the surface branding is an “uninstaller”, the concealed payload cannot be inspected and the overall structure mirrors common malicious droppers.

Malware type: Dropper
Malware name: Dropper.UninstalrOverlay
Final verdict: Malicious with 85% confidence.

SiriusGPT results for Portable version:

Total tokens: 0 (0 request / 0 response)
File path: c:\username\desktop\uninstalr_portable.exe
File hash: 78880d718e9f0976ee482a9577099124bcbb8fdc959663603ceba28eb1c8b97c
File size: 6.26 MB
File publisher: Great Software Company OÜ
Digital signature verified: True
Counter signer: EnVers Group SIA
WhitelistCloud verdict: Not Safe
Final Verdict: Not Safe with 70% confidence.

<think>
Okay, let's start analyzing this file. The user provided a lot of data, so I need to go through each section carefully. First, the file is Uninstalr_Portable.exe, which is a portable executable. The file path suggests it's part of a utility called Uninstalr, which might be an uninstaller tool. The SHA-256 hash is given, but I don't have a database to check against, so I'll rely on the other attributes.

Looking at the Portable Executable Features, the DangerousImportedLibrariesNormalized is 4.36/100. That's a low score, which is a good sign. OverlayEntropy is 7.67, which is high, but entropy can vary. The IATVirtualAddress is 0, which might be normal if it's a .NET app, but CLRRuntimeHeaderSize is 0, so it's not a .NET app. ImportsCount is 22, which is a moderate number. Section entropies: SectionEntropy2 is 7.93, which is high, but others are 0. High entropy in a section could indicate packed or encrypted data, which is sometimes a red flag. OverlaySize is 10432, which is a bit large. CertificateTableSize is the same as OverlaySize, which might be a clue. The file has ASLR and DEP enabled, which are security features, so that's a positive. The requested execution level is requireAdministrator, which is concerning because many malware need admin rights. The DebugDirectorySize is 0, so no debug info. The OptionalHeaderDllCharacteristics is 0x8140, which includes DYNAMIC_BASE and NX_COMPAT, again security features. The ResourceTableSize is 127520, which is normal for an application with resources.

The version info shows the product name as Uninstalr, which aligns with the file name. The company is Great Software Company, and the copyright is from 2023-2025. The digital signature is present and verified by WinVerifyTrust, which is a strong positive. The signer is Great Software Company OÜ, and the counter signer is EnVers Group SIA. The thumbprint is provided, but without checking a certificate revocation, I can't be sure, but the presence of a valid signature is a good sign.

Now, looking at the Portable Executable Imports. The imports include functions like LoadLibraryA, GetProcAddress, VirtualProtect, URLDownloadToFileW, SHDeleteKeyW, etc. VirtualProtect is often used to change memory permissions, which can be used for unpacking or executing shellcode. URLDownloadToFileW suggests it might download files, which can be malicious if not legitimate. SHDeleteKeyW is for deleting registry keys, which could be used for persistence removal or malicious purposes. The presence of WNetGetConnectionW and WTSRegisterSessionNotification might relate to network or session management. However, these functions are also used in legitimate software for various tasks. The imports don't immediately scream malware, but some functions are suspicious.

The Exports section has no exports, which is common for some utilities but not necessarily a red flag. The Strings section has a lot of random-looking strings, some of which might be variable names or encoded data. There's no obvious malicious URLs, IPs, or commands. The presence of "Debug:4" and "SEC0_DEBUG" might indicate some debugging or logging, but not necessarily malicious. The string "TASKDIALOG_BUTTON" suggests a GUI component, which is typical for an application.

The WhitelistCloud result says Malicious, but the digital signature is valid and from a company named in the version info. The file is part of Uninstalr, which is a known uninstaller tool. However, the WhitelistCloud might be flagging it due to some heuristic or because it's a portable version. The presence of URLDownloadToFileW could be for downloading updates or additional components, which is possible in legitimate software. The requireAdministrator flag is concerning, but if the tool needs admin rights to uninstall programs, that's plausible.

Putting it all together: the digital signature is valid, the company info matches, the file is part of a known product, and the imports, while including some suspicious functions, are not conclusive. The high entropy section might be a packed resource or legitimate data. The WhitelistCloud flag is a concern, but the other factors lean towards it being safe. However, the requireAdministrator and some imports like VirtualProtect and URLDownloadToFileW could be used maliciously. The confidence is moderate because while there are red flags, there are also strong indicators of legitimacy.
</think>

Analysis Summary:
The file Uninstalr_Portable.exe exhibits a mix of benign and suspicious characteristics. While it is digitally signed by a legitimate company and appears to be part of a known uninstaller tool, several attributes raise concerns. The presence of imports like `VirtualProtect`, `URLDownloadToFileW`, and `SHDeleteKeyW` suggests potential for system modification or network activity, which could be exploited maliciously. The file requests administrator privileges, a common tactic in malware for persistence. However, the valid digital signature, alignment with the product name, and lack of overtly malicious strings or exports support a benign classification. The WhitelistCloud flagging it as malicious introduces uncertainty but is likely a false positive given the contextual evidence.

Detailed Analysis:

**Portable Executable Imports**
The imports include functions commonly associated with both legitimate and malicious behavior. `VirtualProtect` is often used to unprotect memory regions, enabling code execution or unpacking. `URLDownloadToFileW` could be used to download payloads, though it might also be legitimate for updates. `SHDeleteKeyW` and `WNetGetConnectionW` relate to registry and network operations, which are dual-use. The absence of typical malware imports (e.g., `CreateProcess`, `WriteFile`) and the presence of GUI-related functions (e.g., `ImageList_Add`, `PrintDlgW`) suggest a utility application. The valid digital signature further supports legitimacy.

**Portable Executable Exports**
No exports are present, which is typical for a standalone application rather than a DLL or loader. This aligns with the file's role as a portable executable tool.

**Portable Executable Strings**
The strings contain no clear malicious URLs, IPs, or commands. References like `TASKDIALOG_BUTTON` and `Debug:4` indicate GUI and debugging elements, consistent with a software tool. The lack of obfuscated or suspicious strings reduces the likelihood of embedded payloads.

**Software Type Speculation**
The file is likely a portable uninstaller utility (Uninstalr), given the product name, version info, and presence of functions related to system cleanup (e.g., `SHDeleteKeyW`). The requireAdministrator flag and network capabilities might be for deep system integration or remote configuration, though these could also be exploited if misused.

Malware type: Potentially Unwanted
Malware name: PUP.UninstalrDownloader
Final verdict: Malicious with 70% confidence.
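As an added example (not code from the thread, from SiriusGPT or from CyberLock), the Python script below computes the static indicators that both the Rootkit Magic write-up and the Uninstalr write-ups lean on: per-section Shannon entropy, virtual-vs-raw section size, overlay size and entropy, the ASLR/DEP bits of DllCharacteristics, and the CheckSum field. It parses only the DOS, COFF, optional and section headers, so it runs on any PE file offline. The sample it ships with is a constructed header-plus-padding image, not a real program and not executable, and the 7.5-bit entropy and 50 % overlay thresholds in `red_flags` are assumptions chosen for illustration, not SiriusGPT's rules.

```python
import math
import struct
from collections import Counter

# Bit flags of the optional header's DllCharacteristics field (PE spec values).
DYNAMIC_BASE = 0x0040  # ASLR opt-in
NX_COMPAT = 0x0100     # DEP opt-in


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform (packed/encrypted) data."""
    if not data:
        return 0.0
    n = len(data)
    return 0.0 - sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Walk DOS -> NT -> section headers and collect the static indicators."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # CheckSum (offset 64) and DllCharacteristics (offset 70) sit at the same
    # offsets in PE32 and PE32+, so no branch on the Magic value is needed.
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections, raw_end = [], 0
    for i in range(nsec):
        name, vsize, _va, rawsize, rawptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "entropy": round(shannon_entropy(raw), 2)})
        raw_end = max(raw_end, rawptr + rawsize)
    overlay = data[raw_end:]  # bytes appended after the last section's raw data
    return {"checksum": checksum,
            "aslr": bool(dll_chars & DYNAMIC_BASE),
            "dep": bool(dll_chars & NX_COMPAT),
            "sections": sections,
            "overlay_size": len(overlay),
            "overlay_ratio": round(len(overlay) / len(data), 3),
            "overlay_entropy": round(shannon_entropy(overlay), 2)}


def red_flags(info: dict) -> list:
    """Map the parsed facts to the indicator phrases the write-ups cite (thresholds assumed)."""
    flags = []
    if not (info["aslr"] and info["dep"]):
        flags.append("no ASLR/DEP")
    if info["checksum"] == 0:
        flags.append("zero checksum")
    for s in info["sections"]:
        if s["entropy"] >= 7.5:
            flags.append(f"section {s['name']} entropy {s['entropy']} (packed/encrypted?)")
        if s["virtual_size"] > 2 * max(s["raw_size"], 1):
            flags.append(f"section {s['name']} virtual size >> raw size (unpacks at runtime?)")
    if info["overlay_ratio"] > 0.5 and info["overlay_entropy"] >= 7.5:
        flags.append("large high-entropy overlay")
    return flags


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image: valid headers, two sections, an overlay; no code."""
    hdr = bytearray(512)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)                 # e_lfanew
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 68, 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = 88
    struct.pack_into("<H", hdr, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", hdr, opt + 64, 0)              # CheckSum left at zero
    struct.pack_into("<H", hdr, opt + 70, 0x0000)         # neither DYNAMIC_BASE nor NX_COMPAT
    sec = opt + 224
    struct.pack_into("<8sIIIIIIHHI", hdr, sec, b".text", 0x4000, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", hdr, sec + 40, b".rsrc", 256, 0x5000, 256, 1024, 0, 0, 0, 0, 0x40000040)
    text = bytes(range(256)) * 2     # every byte value equally often -> entropy 8.0
    rsrc = b"A" * 256                # constant data -> entropy 0.0
    overlay = bytes(range(256)) * 6  # 1536 high-entropy bytes past the last section
    return bytes(hdr) + text + rsrc + overlay


if __name__ == "__main__":
    report = parse_pe(build_sample_pe())
    for key, value in report.items():
        print(f"{key}: {value}")
    print("red flags:", red_flags(report))
```

Run it against a real installer and the same indicators the Uninstalr post quotes appear: a self-extracting installer stores its compressed payload as an overlay, and compressed data scores close to 8.0 bits per byte, so "97 % overlay at maximal entropy" is exactly what a legitimate setup.exe and a dropper have in common. That is why these structural flags should only narrow the question; a verified signature chain from the publisher named in the version info, as in that post, is the evidence that actually separates the two.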