Like others have said, it's pretty hard to be 100% sure. Being 100% sure means having to look inside the program yourself with something like ghidra/ida, and unless you're ready to do that, well that's just not an option.
Checking the hash is an alright solution, but this only works for something that's been out there for a bit. VirusTotal won't do shit with newer uploads, given it will give you a different hash. It can get rid of the skiddie shit though, which is often in the wild. You're shit out of luck if the hacker used something more sophisticated, like a custom packer/cryptor. This is where shit gets hard to tell.
The sandbox environment is also a good step. But the problem is that most malware makers out there actually try to check if you're inside a virtualized environment. If they realize they're inside a VM, they might do something different, and not boot up at all. It is possible to trick malware, however, but unless you know what you're doing, this is not an option either.
The last option I'd recommend is looking at your open sockets. This is a good way to tell if something fucked up is happening. You might think looking at running processes would be a good idea. The thing is that they do some really fucky shit to hide what they're doing, and unless you specifically know what you're looking for, you'll waste hours doing this. Open sockets are a good way to check what's going on, given most malware wants to communicate with a C2 of some sort. This does require the malware to be run, so again, we're back at step 1.
What I'd recommend for the average joe is to find a trustworthy community. Some people actually do what I just mentioned and will vet this shit for you. This is your best bet if you're not willing to do everything I just listed here. The absolute best of course is to not pirate shit, but I won't change your mind on this, I believe. Good luck.
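Added example, not from the poster: a small Python triage script that does two of the checks above on a Linux box, hashing the download so the digest can be looked up, and diffing the machine's TCP sockets before and after launching the program by parsing /proc/net/tcp. The two snapshots embedded below are constructed stand-ins for two live reads; the file path and all addresses are made up.

```python
import hashlib
from pathlib import Path

# Linux /proc/net/tcp state codes (hex); the subset that matters for a quick look.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def sha256_file(path):
    """Digest of the download, for looking up on VirusTotal or a similar service."""
    return sha256_bytes(Path(path).read_bytes())

def _hex_addr(s):
    """'0100007F:0035' -> ('127.0.0.1', 53); the kernel stores IPv4 little-endian."""
    host, port = s.split(":")
    octets = [int(host[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(map(str, octets)), int(port, 16)

def parse_proc_net_tcp(text):
    """Rows of (local, remote, state, inode) from /proc/net/tcp text (header skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append((_hex_addr(f[1]), _hex_addr(f[2]), TCP_STATES.get(f[3], f[3]), int(f[9])))
    return rows

def snapshot():
    """Live snapshot; the inode column maps a socket back to a PID via /proc/*/fd."""
    return parse_proc_net_tcp(Path("/proc/net/tcp").read_text())

def new_connections(before, after):
    """Sockets that only exist after launch: the unexpected outbound ones are what to look at."""
    seen = {r[:3] for r in before}
    return [r for r in after if r[:3] not in seen]

# Constructed snapshots standing in for two calls to snapshot(), before and after launch.
SNAPSHOT_BEFORE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
"""
SNAPSHOT_AFTER = SNAPSHOT_BEFORE + (
    "   1: 0F02000A:C3A4 076433C6:115C 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1\n"
)

if __name__ == "__main__":
    before, after = parse_proc_net_tcp(SNAPSHOT_BEFORE), parse_proc_net_tcp(SNAPSHOT_AFTER)
    for local, remote, state, inode in new_connections(before, after):
        print(f"new {state} {local[0]}:{local[1]} -> {remote[0]}:{remote[1]} (inode {inode})")
```

Take the first snapshot before you run anything, the second a minute or so after launch, and anything in the diff going to an address you did not expect is what the poster means by "something fucked up is happening".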