Malicious
8 tier-1 engines converge on forkbomb trojan family; 17-year prevalence history; strong malicious consensus.
11ea65b2709bb714f0…5571b66015
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
This 5-byte text file exhibits a strong tier-1 consensus on the forkbomb trojan family across 8 independent high-trust engines. The tier-1 malicious count (8/17) far exceeds the tier-1 clean count (8/17), and tier-2 engines add 12 additional malicious detections, while only 3 low-trust engines flag it — ruling out a low-trust-only false positive pattern. The file's prevalence classification as 'common_old' with 2,344 submissions since February 2009 establishes it as a historically known malware sample, not a rare new variant. Community annotations and Joe Sandbox verdicts consistently label it malicious. The absence of runtime behaviour data does not override the strong consensus from established vendors.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
tier1FamilyConsensus: forkbomb family, 4 tier-1 engines (BitDefender, Emsisoft, ESET-NOD32, GData, Kaspersky, Sophos, TrendMicro, TrendMicro-HouseCall), strong=true
8/17 tier-1 engines flagged malicious; 12/37 tier-2 engines flagged malicious; only 3/20 low-trust engines flagged — onlyLowTrustFlagging=false, ruling out low-trust-only false positive
prevalence: common_old, 1544 submitters, 2344 submissions since 2009 — historically prevalent known malware, not a rare new sample
Community consensus: 5 researcher annotations all label as malware/trojan; Joe Sandbox verdicts 'MAL' (56/100); Malware Analyzer 360 score 94.9
File is unsigned, 5 bytes text; no signer history; no runtime behaviour data; no external YARA/CIRCL corroboration needed given tier-1 consensus
- No dropped children detected
- No contacted malicious hosts in our cache
- No external YARA rule matches (low false-positive risk from researcher rules)
- Tier-1 consensus: 8 high-trust engines agree on forkbomb family
- Historical prevalence: 2,344 submissions since 2009 across 1,544 unique sources
- Unsigned executable: no publisher identity or signer history
- Deceptive filename: 'totally legit site' masks malicious intent
- Trojan family: forkbomb causes resource exhaustion and denial of service
- Community consensus: multiple independent researchers and sandboxes label as malware
This file is a known forkbomb trojan with strong consensus from multiple tier-1 antivirus vendors. Do not execute it; remove immediately if present on your system and run a full antivirus scan.
forkbomb corroborated by 2 sources
- VT (74 engines): forkbomb
- MT AI Engine: forkbomb
23 detections across 74 engines
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name: totally legit site
- Size: 5 B
- MIME type: (unknown)
- Detected type: Text
- SHA-256: 11ea65b2709bb714f059cf53767f7ee5ae6defe5b5d548e32375e65571b66015
- MD5: 3808d82ed52876c3dda66fbf4cb142c8
- SHA-1: 224dcbc79590e1d4abfda3d17b083b333fa00980
- First seen (VT): 2/16/2009, 10:23:58 PM
- Last analysis (VT): 6/19/2026, 8:00:00 AM
- First scan (MalwareTips): 6/25/2026, 7:56:09 AM
- Last scan (MalwareTips): 6/25/2026, 7:56:09 AM
- Community reputation: -187 flagged