File verdict · Decided by the MT AI Engine
Our call

Malicious

10 tier-1 antivirus engines converge on the Runner/Cobalt trojan family; an unsigned Windows Installer package distributed under the generic name setup.msi, which installed a Windows service when run in the sandbox.

Runner/Cobalt
Trust score: 8 (Critical)
MT AI confidence · 92%
setup.msi
5.3 MB
SHA-256 1f3f67b696ba113c3b…20c383c003 (full hash under File identity)
Antivirus engines
21 of 76 flagged
Code signing
Unsigned
Age
First seen 3mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 92% (Very high)
Reasoning

The evidence supports a malicious classification, but the tier-1 consensus is weaker than the raw count suggests. Ten tier-1 vendors (BitDefender, Kaspersky, ESET-NOD32, Emsisoft, Fortinet, GData, Ikarus, Symantec, Avast, AVG) flag the file; however, BitDefender, Emsisoft and GData share the BitDefender engine and report the same generic signature (Trojan.Generic.39668822), and Avast and AVG share one engine, so seven independent tier-1 engines are involved. Of those, four assign a family name: ESET-NOD32, Fortinet and Ikarus call it Runner (a batch-script runner, per the BAT/ prefix) and Kaspersky calls it Cobalt; BitDefender, Symantec and Avast/AVG return generic or heuristic names. The package carries no Authenticode signature and has no signer history, so no benign-publisher pathway applies. Sandbox execution recorded T1543.003 (Create or Modify System Process: Windows Service), i.e. a service was installed. Any MSI with a ServiceInstall table does the same, so this is a weak discriminator on its own, and it sits uneasily with the "no persistence indicators" note recorded below. The file is a genuine Windows Installer package (detected type), so the masquerade is the generic name setup.msi posing as a legitimate product installer, not a file-type mismatch. Prevalence is medium (13 submitters, 16 submissions), which argues against a rare-sample false positive. External YARA and CIRCL sources were not collected for this scan, so they neither corroborate nor contradict the verdict.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines.tier1Malicious=10 (BitDefender, Kaspersky, Emsisoft, ESET-NOD32, Fortinet, GData, Ikarus, Symantec, Avast, AVG) with tier1FamilyConsensus.strong=true on family '39668822'. Note that 39668822 is a BitDefender generic signature number rather than a family name (Arcabit reports the same number in hex as D25D4C56), and it is shared by every BitDefender-engine vendor in the breakdown; the named families are Runner and Cobalt.

  2. signing.verified=null, signer='', signerStats.found=false — unsigned, no publisher history

  3. behaviour.offensiveTechniques=[T1543.003] (Create or Modify System Process: Windows Service); sandbox ran the package through msiexec.exe; 2 children dropped. Service installation is routine for legitimate MSI packages, so weigh this together with the dropped children rather than alone.

  4. filenameAnalysis.hasInstallerHint=true, filename='setup.msi', tags=['msi','checks-usb-bus'] — masquerades as legitimate installer

  5. prevalence.classification='medium' (13 submitters, 16 submissions); external YARA/CIRCL sources were not collected for this scan, so they add nothing either way; the tier-1 consensus carries the verdict.

Points in its favour
  • No malicious contacted hosts or domains detected
  • Dropped children not flagged as malicious
  • No persistence indicators recorded in sandbox
Points against
  • Unsigned Windows Installer package with no publisher reputation
  • 10 tier-1 antivirus engines agree on trojan family classification
  • Masquerades as legitimate Windows Installer (setup.msi)
  • Installs a Windows service during execution (T1543.003); weak on its own, since legitimate installers do this too, but notable alongside the dropped children
  • Dropped 2 child executables during sandbox execution
  • Medium prevalence suggests active distribution
What to do

Treat this file as malware and do not run it. If it has already been executed: disconnect the host from the network, preserve what you need for investigation, and reimage rather than relying on deleting the file, because the sandbox saw two dropped children and a service install. Before reimaging, note any entries under HKLM\SYSTEM\CurrentControlSet\Services created around the install time and any binaries they point to, and search the rest of the estate for the full SHA-256 listed under File identity. Change passwords used on that host from a different device. Download software only from the vendor's own site and check the Authenticode signature before running any installer.

Threat family attribution

runner corroborated by 2 sources

  • VT (76 engines)
    runner
  • MT AI Engine
    Runner/Cobalt
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
4

Adversary techniques mapped to the MITRE ATT&CK framework.

  • T1082 System Information Discovery
  • T1091 Replication Through Removable Media
  • T1120 Peripheral Device Discovery
  • T1543.003 Create or Modify System Process: Windows Service

T1091 and T1120 are most likely the mappings behind the checks-usb-bus behaviour tag, and T1543.003 is the service install. None of the four is specific to malware: installers routinely enumerate the system and attached drives and register services.
Spawned processes
3

  • "C:\Windows\system32\msiexec.exe" /I "C:\Users\<USER>\Desktop\setup.msi" /qb ACCEPTEULA=1 LicenseAccepted=1
  • "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
  • C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V

All three are the standard Windows Installer chain: the sandbox's own launch of the package (/I with basic UI and two public properties preset), a second client invocation of the same package, and the Windows Installer service starting itself (msiexec.exe /V). The list does not include the two dropped children or whichever custom-action process wrote them, so it shows how the package was run, not what it did.
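The three process entries above are all msiexec.exe and say nothing about the dropped children. The script below is an added example, not the sandbox's or MalwareTips' code: it labels the normal Windows Installer chain from the three command lines copied above (their parent images are assumed) and raises the two findings a hunt over such a tree should actually produce, a custom action handing off to a script host and a service whose ImagePath points into a user-writable directory. Both of those events are constructed for the example and were not reported for this sample; SCRIPT_HOSTS, USER_WRITABLE and the -Embedding role are assumptions.

```python
"""Triage of a Windows Installer process tree.

Added example; not the sandbox's own logic. It labels the normal msiexec chain, flags a
custom action that hands off to a script host, and grades a service install (T1543.003)
by where the service binary lives. Events are Sysmon-style dicts constructed here; the
three msiexec command lines are copied from the report, their parent images and the two
HYPOTHETICAL events are assumptions, not something the sandbox reported for this file.
"""
import re
from typing import Dict, List

# Script/LOLBin hosts an MSI custom action should not normally launch (assumption; tune it).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe"}

# Locations a service binary has no business living in (assumption).
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)

SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of an image path, quotes stripped."""
    return path.replace('"', "").strip().split("\\")[-1].lower()


def msiexec_role(cmdline: str) -> str:
    """Which part of the Windows Installer chain an msiexec.exe command line is."""
    if re.search(r"\s/V\b", cmdline):
        return "installer-service"      # msiexec.exe /V: the Windows Installer service itself
    if re.search(r"-Embedding\b", cmdline, re.IGNORECASE):
        return "custom-action-server"   # out-of-process custom action host (assumption)
    if re.search(r"\s/[ixfpaj]\b", cmdline, re.IGNORECASE):
        return "installer-client"       # /i install, /x uninstall, /f repair, /p patch, /a, /j
    return "unknown"


def installer_chain(events: List[Dict]) -> List[str]:
    """Roles of every msiexec.exe process in the event stream, in order."""
    return [msiexec_role(ev["cmdline"]) for ev in events
            if ev["type"] == "process" and basename(ev["image"]) == "msiexec.exe"]


def triage(events: List[Dict]) -> List[Dict]:
    """Findings worth a human look; the plain msiexec chain yields none."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            child, parent = basename(ev["image"]), basename(ev["parent_image"])
            if parent == "msiexec.exe" and child in SCRIPT_HOSTS:
                findings.append({
                    "technique": "T1059",        # Command and Scripting Interpreter
                    "severity": "high",
                    "what": f"installer custom action handed off to {child}",
                    "evidence": ev["cmdline"],
                })
        elif ev["type"] == "registry":
            m = SERVICE_IMAGEPATH.match(ev["target"])
            if m:
                image_path = ev["details"]
                findings.append({
                    "technique": "T1543.003",    # Create or Modify System Process: Windows Service
                    "severity": "high" if USER_WRITABLE.search(image_path) else "medium",
                    "what": f"service '{m.group(2)}' installed",
                    "evidence": image_path,
                })
    return findings


# Command lines copied from the report; parent images are this example's assumption.
PAGE_TREE = [
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r'"C:\Windows\system32\msiexec.exe" /I "C:\Users\<USER>\Desktop\setup.msi" /qb ACCEPTEULA=1 LicenseAccepted=1'},
    {"type": "process", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"'},
    {"type": "process", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V"},
]

# Constructed, hypothetical events (NOT observed for this sample) showing what a batch-runner
# custom action and a user-writable service install look like in the same tree.
HYPOTHETICAL = [
    {"type": "process", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\MSI1234.tmp\run.bat"'},
    {"type": "registry", "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc\ImagePath",
     "details": r"C:\ProgramData\UpdSvc\svc.exe"},
]

if __name__ == "__main__":
    print("chain:", installer_chain(PAGE_TREE))
    for finding in triage(PAGE_TREE + HYPOTHETICAL):
        print(finding)
```

Run as-is it prints the three roles and the two hypothetical findings; fed real Sysmon event ID 1 and 13 records it needs only the field names adapted. The service finding is graded medium by default precisely because T1543.003 from an installer is expected; the ImagePath location is what moves it to high.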
Filesystem & mutexes
21
Files written (15)
  • C:\Program Files\Google\Temp\GUM6C13.tmp
  • C:\PROGRA~2\MICROS~1\OFFICE\DATA\opa12.dat
  • C:\Users\ADMINI~1\AppData\Local\Temp\~DF28F76A70368B5EEC.TMP
  • C:\Users\ADMINI~1\AppData\Local\Temp\~DFF020DF2FBEAE3576.TMP
  • C:\Users\ADMINI~1\AppData\Local\Temp\~DFF1543F1C9C3030CE.TMP
+10 more
Files deleted (2)
  • C:\Program Files\Google\Temp\GUM6C13.tmp
  • C:\MSI3150f.tmp
Mutexes created (4)
  • Global\_MSIExecute
  • \Sessions\1\BaseNamedObjects\Global\_MSIExecute
  • \BaseNamedObjects\Local\SM0:7164:304:WilStaging_02
  • \BaseNamedObjects\Local\SM0:7164:120:WilError_03

None of these artefacts is a usable indicator on its own: _MSIExecute is the mutex every Windows Installer transaction holds, the SM0:*:WilStaging/WilError names are Windows Internal Library objects that many system processes create, MSI*.tmp and ~DF*.TMP are Windows Installer and OLE structured-storage temporaries (an MSI package is a structured-storage file), and GUM*.tmp (Google Update) and opa12.dat (Office licensing) are background activity of the sandbox image rather than this package's payload.
Dropped payload

Files this sample writes at runtime

This file drops 2 children at runtime. Neither is flagged malicious in our cache, because neither has been scanned anywhere yet. The hashes are shown truncated here.

2 unseen
  • 597678b9639c5ea035f9675a8e… (never scanned; never seen before)
  • 09af8004b85478e1eca047b449… (never scanned; never seen before)
No researcher-database lookup was made: external threat-intel sources (YARA, CIRCL) were not collected for this scan, so the absence of hits is not evidence either way.
Antivirus engine breakdown

21 detections across 76 engines: 21 malicious, 0 suspicious, 55 clean.

  • Tier-1 (17 engines; top commercial AVs with a low false-positive rate): 10 flag
  • Tier-2 (38 engines; mainstream engines with mixed false-positive rates): 8 flag
  • Low-trust (21 engines; heuristic / generic-AI engines with a high false-positive rate): 3 flag

Per-engine results (engine: verdict, detection name):

  • alibabacloud: malicious, Trojan:Win/Runner.PU
  • ALYac: malicious, Trojan.Generic.39668822
  • Arcabit: malicious, Trojan.Generic.D25D4C56
  • Avast: malicious, Script:SNH-gen [Trj]
  • AVG: malicious, Script:SNH-gen [Trj]
  • BitDefender: malicious, Trojan.Generic.39668822
  • CTX: malicious, msi.trojan.runner
  • Cynet: malicious, Malicious (score: 99)
  • Emsisoft: malicious, Trojan.Generic.39668822 (B)
  • ESET-NOD32: malicious, BAT/Runner.PG trojan
  • Fortinet: malicious, BAT/Runner.PG!tr
  • GData: malicious, Trojan.Generic.39668822
  • Google: malicious, Detected
  • Ikarus: malicious, Trojan.BAT.Runner
  • Kaspersky: malicious, HEUR:Trojan.BAT.Cobalt.gen
  • Lionic: malicious, Trojan.Win32.Runner.4!c
  • Rising: malicious, Trojan.Cobalt/BAT!9.66787 (XSE:WFNFX0JBVDo3WJ4ajGDUodafbUjCU2tZ)
  • Symantec: malicious, Trojan.Gen.MBT
  • Tencent: malicious, Bat.Trojan.Cobalt.Anhl
  • Varist: malicious, ABTrojan.ENEI-
  • VIPRE: malicious, Trojan.Generic.39668822

Read the 21 as vendors, not independent engines: BitDefender, Emsisoft, GData, ALYac, VIPRE and Arcabit all report the same BitDefender generic signature (39668822; Arcabit's D25D4C56 is that number in hex), and Avast and AVG share one engine, so 15 distinct engines are represented. The family names assigned are Runner (alibabacloud, CTX, ESET-NOD32, Fortinet, Ikarus, Lionic) and Cobalt (Kaspersky, Rising, Tencent); the BAT/ and .BAT. components indicate the engines are matching embedded batch-script content.
Hash 1f3f67b696ba… cross-referenced against 76 AV engines via our AV network.
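The breakdown above counts vendors, not engines. As an added example (not MalwareTips' or the MT AI Engine's scoring code), the script below re-derives the consensus from the detection strings copied from this table: it collapses vendors that license the same scanning engine, extracts the family each engine actually names, and normalises the BitDefender signature number so that Arcabit's D25D4C56 and the others' 39668822 compare equal. The LINEAGE map and TIER1 set are this example's assumptions (TIER1 follows the ten vendors named in the reasoning section).

```python
"""Independent-engine consensus over the 21 detections listed in the breakdown.

Added example; not the MT AI Engine's own code. Detection strings are copied from the
report. LINEAGE (which vendors ship another vendor's engine) and TIER1 are assumptions.
"""
import re
from collections import defaultdict

# (vendor, detection name) copied from the per-engine list.
DETECTIONS = [
    ("alibabacloud", "Trojan:Win/Runner.PU"),
    ("ALYac", "Trojan.Generic.39668822"),
    ("Arcabit", "Trojan.Generic.D25D4C56"),
    ("Avast", "Script:SNH-gen [Trj]"),
    ("AVG", "Script:SNH-gen [Trj]"),
    ("BitDefender", "Trojan.Generic.39668822"),
    ("CTX", "msi.trojan.runner"),
    ("Cynet", "Malicious (score: 99)"),
    ("Emsisoft", "Trojan.Generic.39668822 (B)"),
    ("ESET-NOD32", "BAT/Runner.PG trojan"),
    ("Fortinet", "BAT/Runner.PG!tr"),
    ("GData", "Trojan.Generic.39668822"),
    ("Google", "Detected"),
    ("Ikarus", "Trojan.BAT.Runner"),
    ("Kaspersky", "HEUR:Trojan.BAT.Cobalt.gen"),
    ("Lionic", "Trojan.Win32.Runner.4!c"),
    ("Rising", "Trojan.Cobalt/BAT!9.66787 (XSE:WFNFX0JBVDo3WJ4ajGDUodafbUjCU2tZ)"),
    ("Symantec", "Trojan.Gen.MBT"),
    ("Tencent", "Bat.Trojan.Cobalt.Anhl"),
    ("Varist", "ABTrojan.ENEI-"),
    ("VIPRE", "Trojan.Generic.39668822"),
]

# Assumption: vendors whose verdict here comes from a licensed engine, mapped to that engine.
LINEAGE = {
    "ALYac": "BitDefender", "Arcabit": "BitDefender", "Emsisoft": "BitDefender",
    "GData": "BitDefender", "VIPRE": "BitDefender",
    "AVG": "Avast",
}

# Tier-1 membership as named in the reasoning section (assumption).
TIER1 = {"BitDefender", "Kaspersky", "Emsisoft", "ESET-NOD32", "Fortinet",
         "GData", "Ikarus", "Symantec", "Avast", "AVG"}

FAMILY_RE = re.compile(r"\b(runner|cobalt)\b", re.IGNORECASE)
GENERIC_RE = re.compile(r"generic|\bgen\b|heur|detected|malicious", re.IGNORECASE)
SIG_RE = re.compile(r"Trojan\.Generic\.(D?)([0-9A-Fa-f]+)")


def family_of(name: str) -> str:
    """Family token from a detection string; 'generic' when the engine names none."""
    m = FAMILY_RE.search(name)
    if m:
        return m.group(1).lower()
    return "generic" if GENERIC_RE.search(name) else "unclassified"


def signature_id(name: str):
    """BitDefender-style generic signature number; Arcabit prints it as 'D' + hex."""
    m = SIG_RE.search(name)
    if not m:
        return None
    return int(m.group(2), 16) if m.group(1) else int(m.group(2))


def consensus(detections, lineage=LINEAGE, tier1=TIER1) -> dict:
    """Collapse vendors onto their real engine and count who names which family."""
    families_by_engine = defaultdict(set)
    for vendor, name in detections:
        families_by_engine[lineage.get(vendor, vendor)].add(family_of(name))
    engines_by_family = defaultdict(set)
    for engine, fams in families_by_engine.items():
        for fam in fams:
            engines_by_family[fam].add(engine)
    tier1_hits = [v for v, _ in detections if v in tier1]
    return {
        "vendors_flagging": len(detections),
        "independent_engines": len(families_by_engine),
        "tier1_vendors": len(tier1_hits),
        "tier1_independent": len({lineage.get(v, v) for v in tier1_hits}),
        "named_family_engines": {
            fam: sorted(engs) for fam, engs in engines_by_family.items()
            if fam not in ("generic", "unclassified")
        },
    }


if __name__ == "__main__":
    for key, value in consensus(DETECTIONS).items():
        print(f"{key}: {value}")
```

On this page's data it reports 21 vendors but 15 independent engines, and 7 independent tier-1 engines rather than 10, with Runner named by six engines and Cobalt by three; everything else is a generic or heuristic verdict. That is still a solid malicious call, but it is the number to quote when "tier-1 consensus" is the justification.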
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
13
Moderate upload volume.
Total submissions
16
Includes repeat uploads by the same source.
First seen by VT
3mo ago
Apr 3, 2026
Prevalence quadrant
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries
File identity

Forensic fingerprint

File name: setup.msi
Size: 5.30 MB
MIME type: (unknown)
Detected type: Windows Installer
SHA-256: 1f3f67b696ba113c3b51842381e060dab420df76f76b015f5cb64b20c383c003
MD5: 31c4c4c1891463d6e7eb816cb67caf5e
SHA-1: cf9b1d16d823d0176e6d72527091e24e7c128cd6
Behavior tags: msi, checks-usb-bus

File biography
First seen (VT): 4/3/2026, 1:02:28 AM
Last analysis (VT): 4/3/2026, 5:16:33 PM
First seen (MalwareBazaar): not recorded
First scan (MalwareTips): 7/2/2026, 1:12:48 PM
Last scan (MalwareTips): 7/2/2026, 1:12:48 PM
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.