File verdict · Decided by the MT AI Engine
Our call

Safe

Two low-trust engines flagged this archive with generic heuristics; tier-1 engines silent, sandbox clean, no malicious children.

Trust score: 82 (Moderate trust)
MT AI confidence: 78%

File name: Aimbot v4.1.2.zip
Size: 11.6 MB
SHA-256: 1b7d0a41c0f0e6c68e…23c5424c3b (truncated; full hash under File identity)
Antivirus engines: 2 of 75 flagged
Code signing: Unsigned
Age: First seen 6mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 78% (High)
Reasoning

The file exhibits a classic low-trust-only false-positive pattern: 2 of 68 engines flagged it, both from low-trust tiers, with generic heuristic labels and no tier-1 consensus. Sandbox execution revealed no malicious verdict, no malicious dropped children, and no contact with known-malicious hosts. The presence of offensive MITRE techniques (T1485, T1486, T1562.001) in the behaviour profile is offset by the absence of actual malicious sandbox activity and the clean child-file verdicts. The filename 'Aimbot v4.1.2' is consistent with a gaming cheat tool, which explains both the adversarial naming and the high submission volume (1,298 submissions from 1,187 sources over 191 days). No external-intelligence sources (YARA, CIRCL, MalwareBazaar) corroborated the detections. The combination of low-trust-only flagging, clean sandbox, high prevalence, and absence of malicious children strongly indicates this is a benign or grey-area tool rather than malware.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines: 2/68 malicious, both low-trust tier (Bkav, SentinelOne); tier1Malicious=0; onlyLowTrustFlagging=true

  2. behaviour.hasMaliciousSandboxVerdict=false; droppedChildren.hasMaliciousChild=false (10/10 children unknown, none malicious)

  3. prevalence.classification='common_old' (1187 submitters, 1298 submissions over 191 days)

  4. externalIntel: yaraify.ruleCount=0, CIRCL.hit=false, MalwareBazaar.hit=false

  5. signing.verified=false, unsigned; no signer history; triggeredHeuristics=[] (no rules fired)

Points in its favour
  • All 16 tier-1 engines reported undetected
  • Sandbox analysis issued no malicious verdict
  • All 10 dropped children have unknown verdicts; none flagged malicious
  • No malicious hosts contacted
  • High prevalence (1,298 submissions) without corresponding malware reports
Points against
  • Filename 'Aimbot' suggests gaming cheat tool (grey-area software)
  • Offensive MITRE techniques present in sandbox (T1485, T1486, T1562.001)
  • Unsigned file with no signer history
  • Long-sleep and debug-environment-detection tags suggest anti-analysis behaviour
What to do

This file is likely a benign or grey-area gaming tool flagged by low-trust heuristic engines. If you obtained it from a trusted source and intend to use it for gaming, it is safe to proceed. If you are uncertain about its origin, verify the download source and consider running it in an isolated environment before full deployment.

Sources disagree

1 contradiction resolved by the scoring engine

Only low-trust / heuristic engines flagged this file
2 engines from the heuristic / generic-AI set flagged it. No tier-1 engine agreed.
Verdict treated these as likely false positives.
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK (12)

Adversary techniques mapped to the MITRE ATT&CK framework.

T1070, T1070.006, T1071, T1082, T1106, T1129, T1202, T1485, T1486, T1497, T1539, T1562.001
Spawned processes (13)
  • C:\Windows\system32\services.exe
  • "C:\Users\<USER>\AppData\Local\Temp\Aimbot v4.1.2.exe"
  • C:\Windows\system32\cmd.exe /c "ver"
  • C:\Windows\system32\cmd.exe /c "command /c ver"
  • C:\Windows\system32\cmd.exe /c "cmd /c ver"
  • "cmd /c ver"
  • Aimbot v4.1.2.exe
  • C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWow64\unarchiver.exe" "C:\Users\user\Desktop\Aimbot v4.1.2.zip"
+5 more processes captured.
Filesystem & mutexes (30)
Files written (15)
  • C:\Users\<USER>\AppData\Local\Temp\_MEI55042\VCRUNTIME140.dll
  • C:\Users\<USER>\AppData\Local\Temp\_MEI55042\VCRUNTIME140_1.dll
  • C:\Users\<USER>\AppData\Local\Temp\_MEI55042\_asyncio.pyd
  • C:\Users\<USER>\AppData\Local\Temp\_MEI55042\_bz2.pyd
  • C:\Users\<USER>\AppData\Local\Temp\_MEI55042\_cffi_backend.cp313-win_amd64.pyd
+10 more
Files deleted (15)
  • C:\Users\<USER>\AppData\Local\Temp\_MEI55042\base_library.zip
  • C:\Users\<USER>\AppData\Local\Temp\_MEI55042\clr_loader\ffi\dlls\amd64\ClrLoader.dll
  • C:\Users\<USER>\AppData\Local\Temp\_MEI55042\clr_loader\ffi\dlls\amd64
  • C:\Users\<USER>\AppData\Local\Temp\_MEI55042\clr_loader\ffi\dlls\x86\ClrLoader.dll
  • C:\Users\<USER>\AppData\Local\Temp\_MEI55042\clr_loader\ffi\dlls\x86
+10 more
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen: every dropped child has never been scanned and was never seen before.
No researcher-database hits
External threat-intel sources were not collected for this scan.
Antivirus engine breakdown

2 detections across 75 engines

2 malicious · 0 suspicious · 73 clean

Tier-1 (17 engines): 0 flagged. Top commercial AVs (low FP rate).
Tier-2 (38 engines): 0 flagged. Mainstream engines with mixed FP rates.
Low-trust (20 engines): 2 flagged. Heuristic / generic-AI engines (high FP rate).
  • Bkav: malicious (W32.Malware.E1CB9947)
  • SentinelOne: malicious (Static AI - Suspicious Archive)
Hash 1b7d0a41c0f0… cross-referenced against 75 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old

Unique uploaders: 1,187. Hundreds of people have uploaded this — common.
Total submissions: 1,298. Includes repeat uploads by the same source.
First seen by VT: 6mo ago (Dec 6, 2025)
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries (this file sits here)
File identity

Forensic fingerprint

File biography
First seen (VT): 12/6/2025, 10:55:25 PM
First seen (MalwareBazaar):
Last analysis (VT): 6/11/2026, 10:09:53 AM
Scanned here: 6/15/2026, 9:09:29 PM
File name: Aimbot v4.1.2.zip
Size: 11.56 MB
MIME type: (unknown)
Detected type: ZIP
SHA-256: 1b7d0a41c0f0e6c68eed5d81e26d01eef9bd2b675dc8347d9c8db623c5424c3b
MD5: ee9789bf2d552cfe99bb3d9b4f477566
SHA-1: f3f1cbe489d8699e5dc28b8f83ae0cee5b6f8e40
First scan (MalwareTips): 6/15/2026, 9:09:29 PM
Last scan (MalwareTips): 6/15/2026, 9:09:29 PM
Behavior tags: calls-wmi, contains-pe, zip, long-sleeps, detect-debug-environment
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.