Suspicious
One tier-1 engine flagged a machine-learning heuristic; 69 others silent; clean behaviour but brand-new and unsigned.
3173b5e0935f3d9f62…f11a797412The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The sample presents conflicting signals. Symantec, a tier-1 antivirus engine, triggered a machine-learning heuristic detection ('ML.Attribute.HighConfidence'), but this label is generic and not tied to a named malware family — only 1 engine agreed, and no tier-1 consensus formed. The low-trust APEX engine also flagged it, but low-trust detections carry minimal weight. Conversely, 69 of 71 engines remained silent, and the file's runtime behaviour was clean: no offensive MITRE techniques, no malicious host contact, no dropped children. The PE structure shows normal entropy and no packing. The critical uncertainty is the file's novelty: submitted just now, from a single source, with no signer history and no similar-hash RAG grounding. This combination — one credible detection, clean behaviour, but extreme rarity — places the file in suspicious territory rather than safe or malicious.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
Symantec (tier-1) flagged 'ML.Attribute.HighConfidence' — machine-learning heuristic, no named family
tier1Malicious=1, tier1FamilyConsensus.strong=false — single tier-1 detection, no consensus
69/71 engines silent; APEX (low-trust) also flagged 'Malicious' generically
unsigned, no signer history, rare_new prevalence (1 submission, 0 days old)
behaviour: 0 offensive MITRE, 1 ambient T1129, no malicious sandbox/hosts/children — clean runtime
- 69 of 71 engines reported no threat
- Clean runtime behaviour: 0 offensive MITRE techniques, no malicious hosts contacted
- Normal PE entropy (3.59), no packing or obfuscation
- No dropped children or malicious sandbox verdicts
- Symantec tier-1 machine-learning detection flagged
- Unsigned executable with no publisher history
- Brand-new file (0 days old) with minimal distribution
- No tier-1 consensus or named malware family
- Rare prevalence (1 submitter, 1 submission)
Treat this file as suspicious pending further evidence. If the source is trusted, isolate and monitor execution. If untrusted, avoid running it. Request the publisher to sign the file and provide context; resubmit in 1–2 weeks to see if additional detections or family naming emerge.
2 detections across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Barely seen in the wild and first surfaced recently. This is the footprint of targeted malware the AV industry hasn't signatured yet — extra scrutiny is warranted.
Forensic fingerprint
- File name
- bashar.exe
- Size
- 138.7 KB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 3173b5e0935f3d9f6238d40b00ce1d17df22893dcd857350b53e21f11a797412
- MD5
- d5cd3a22f30d4ede571108f204465e67
- SHA-1
- 2a925fc32cd43c85caf8fdaa28f3be90f9c9a229
- PE imphash
- 7a066c47a327454475d9671bc20d4621
- First seen (VT)
- 6/11/2026, 10:22:50 AM
- Last analysis (VT)
- 6/11/2026, 10:22:50 AM
- First scan (MalwareTips)
- 6/11/2026, 10:27:53 AM
- Last scan (MalwareTips)
- 6/11/2026, 10:27:53 AM
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.