Suspicious
Unsigned repacked installer with process injection and direct-IP C2 contact; low engine consensus but concrete sandbox malware behaviour.
2b7c5b24298efc43b5…1774860b41The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The sample presents conflicting signals. On one hand, only 2 engines flagged it malicious (Kingsoft tier2, Webroot low-trust), no tier-1 engines agreed, and the file is common and old (140 submitters since 2011). The 'security_tool_classifier' heuristic suggests it might be security software. On the other hand, sandbox execution revealed process injection (T1055) and process argument spoofing (T1134) — two offensive MITRE techniques — combined with direct-IP C2 contact to 10 external IPs and zero DNS domains. This direct-IP C2 pattern is a strong malware indicator because it bypasses reputation systems and domain-based blocklists. Benign installers and security tools do not exhibit this behaviour. The unsigned status and repack tag add to the risk profile. The lack of tier-1 consensus and external-intel hits prevent a confident 'malicious' verdict, but the concrete sandbox behaviour (process injection + no-DNS C2) is too specific to dismiss as a false positive.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 2/69 malicious (Kingsoft tier2, Webroot low-trust); tier1Malicious=0; no tier-1 consensus
behaviour.offensiveTechniques: T1055 (Process Injection), T1134 (Process Argument Spoofing) — 2 offensive MITRE techniques observed in sandbox
behaviour.contactedIps: 10 external IPs contacted, zero domains — direct-IP C2 pattern bypasses DNS reputation systems
triggeredHeuristics: 'MalwareTips.Synth.ProcessInjection' (high) + 'MalwareTips.Synth.DirectIpC2' (medium) both fired; concrete sandbox evidence
signing.verified=false, unsigned; prevalence=common_old (140 submitters, 166 submissions since 2011)
- No tier-1 engine consensus on malware family — suggests possible legacy or false-positive shape
- No malicious dropped children — 10 inspected children all unknown/clean
- No external-intel hits (CIRCL, YARAify, MalwareBazaar) — no researcher-curated corroboration
- Common and old sample (140 submitters, 166 submissions since 2011) — long history in the wild
- Process injection (T1055) observed in sandbox — code smuggled into legitimate process to evade AV hooks
- Direct-IP C2 communication to 10 external addresses with zero DNS lookups — bypasses reputation systems and domain blocklists
- Unsigned binary with repack tag — no publisher provenance or code-signing verification
- Process argument spoofing (T1134) — obfuscates command-line intent
- Installer hint in filename — typical delivery vector for trojans
Treat this file as suspicious and do not execute it. The sandbox-observed process injection and direct-IP C2 communication are concrete malware indicators that override the low engine consensus. If this file is part of a legitimate software distribution, request a signed, current version from the official publisher.
repack corroborated by 2 sources
- VT (75 engines)repack
- MT AI Enginerepack
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 20.99.184.37
- 192.229.211.108
- 20.99.186.246
- 23.216.147.76
- 192.168.0.28
- 20.99.133.109
- 23.216.81.152
- 192.168.0.19
- 192.168.0.43
- 184.27.218.92
- C:\Users\<USER>\AppData\Local\Temp\is-DA6K4.tmp\software.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-4ECQ5.tmp\_isetup\_RegDLL.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-4ECQ5.tmp\_isetup\_setup64.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-4ECQ5.tmp\_isetup\_shfoldr.dll
- C:\Users\<USER>\AppData\Local\Temp\is-4ECQ5.tmp\innocallback.dll
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER16D0.tmp.WERInternalMetadata.xml
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER16BF.tmp.WERInternalMetadata.xml
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER179A.tmp.csv
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER179B.tmp.csv
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER17EA.tmp.txt
- CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- 1c1bb4546e59e2953bbd…94bd63Never scannednever seen before
- 6876d5c5bbbbc804e218…5dff5aNever scannednever seen before
- 2f64a8d3d7191bd39dd5…2ba1bfNever scannednever seen before
- 4512aac6cba173f582a7…68041cNever scannednever seen before
- a4b61626a1626fdabec7…64f008Never scannednever seen before
- 9884e9d1b4f8a873ccbd…360d87Never scannednever seen before
- f6c62481bb6c87aa45a2…4c73afNever scannednever seen before
- 11eb9c19868419f0f7f5…5e31eeNever scannednever seen before
- 4dc09bac0613590f1fac…7e74a2Never scannednever seen before
- 9cc277f3cc8a2ea83abb…869313Never scannednever seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence"C:\Users\<USER>\Desktop\software.exe"Sample contacted 10 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence20.99.184.37 · 192.229.211.108 · 20.99.186.246
2 detections across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name
- setup.exe
- Size
- 2.21 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 2b7c5b24298efc43b52bc7b0803a65aa454c50a30fde5984c471001774860b41
- MD5
- fb914ef04253449bb9988ff15529d467
- SHA-1
- af96cab426b034fefd97c02dac03936ca16cd6c0
- PE imphash
- 884310b1928934402ea6fec1dbd3cf5e
- First seen (VT)
- 11/18/2011, 5:57:21 PM
- Last analysis (VT)
- 6/28/2026, 12:36:33 AM
- First scan (MalwareTips)
- 7/10/2026, 2:57:53 PM
- Last scan (MalwareTips)
- 7/10/2026, 2:57:53 PM
Safety FAQ
Common questions about setup.exe, answered from the scan data above.
- setup.exe is suspicious — treat it as unsafe until you're sure. 2 of 75 antivirus engines flag it (family: repack), which isn't a strong consensus but is enough to be cautious. Don't run it unless you fully trust where it came from, and prefer downloading the software fresh from its official site.
- setup.exe is a Windows executable program, about 2.2 MB. We identify a file by its cryptographic hash rather than its name, because the same filename can be reused by completely different files — the hash below is the reliable fingerprint.
- 2 of 75 antivirus engines flagged setup.exe, 2 of them as outright malicious. A small number of detections can include false positives, so we weigh which engines flagged it and what else the file does, not just the raw count.
- Act quickly. 1) Disconnect the device from the internet to stop the malware communicating or spreading. 2) Run a full scan with reputable anti-malware software (such as Malwarebytes) and quarantine everything it finds. 3) Change your important passwords from a DIFFERENT, clean device — many threats log keystrokes or steal saved credentials. 4) If you bank or shop on this device, watch closely for fraud and alert your bank. 5) For a confirmed infection, the most reliable fix is to back up your personal files and reinstall the operating system for a clean start.
- To remove setup.exe: 1) restart into Safe Mode (Safe Mode with Networking if you need to download a tool) so the malware doesn't auto-start. 2) Run a full scan with reputable anti-malware software and let it quarantine or delete the detections. 3) Delete the original setup.exe file and empty the Recycle Bin/Trash. 4) Check your browser extensions, startup items, and scheduled tasks for anything unfamiliar. 5) Reboot and scan again to confirm it's gone. If detections keep coming back, a clean operating-system reinstall is the most dependable cure.
- setup.exe is classified as a trojan — malware disguised as something harmless to trick you into running it. Engines attribute it to the repack family. Knowing the family matters because it tells you the likely impact — data theft, remote control, file encryption, or unwanted ads — and guides the cleanup.
- The SHA-256 hash of setup.exe is 2b7c5b24298efc43b52bc7b0803a65aa454c50a30fde5984c471001774860b41, and its MD5 is fb914ef04253449bb9988ff15529d467. This hash is the file's unique fingerprint — two files with the same SHA-256 are identical. Use it to confirm you're looking at exactly this file (not just one with the same name) when comparing against antivirus databases or a download's published checksum.
- This report reflects the scan run on July 10, 2026. Because a file's hash never changes, the identity of setup.exe is fixed — but antivirus coverage improves over time, so a file that looks clean today can pick up detections later (and vice-versa). If you need the latest picture, MalwareTips staff can re-run the analysis from scratch.
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.