Malicious
Four tier-1 antivirus engines converge on Python:Discord-H infostealer family; unsigned executable with reconnaissance MITRE techniques.
34ad3e71fbfeb6fb52…1ad5e5d03cThe verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
This unsigned 3.1 MB executable is flagged by 17 of 72 antivirus engines, including 4 tier-1 vendors (Avast, AVG, Kaspersky, Fortinet) that independently name the 'Python:Discord-H' or 'Disco' family. While the tier-1 consensus does not reach the ≥3-engine strong threshold, the convergence on a specific named family (not generic heuristic labels) across independent high-trust vendors is a reliable malicious indicator. The file exhibits MITRE techniques T1027 (obfuscation), T1057 (process discovery), T1059 (command execution), T1082 (system info), T1083 (file enumeration), and T1129 (DLL execution) — a pattern consistent with infostealer reconnaissance. The unsigned status and rare-old prevalence (single submission 319 days ago) are consistent with a malware sample that was not widely redistributed. No sandbox malicious verdicts or contacted malicious hosts are recorded, but absence of runtime data does not contradict the static consensus.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
tier1Malicious=4 engines (Avast, AVG, Fortinet, Kaspersky) converging on 'Python:Discord-H' and 'Disco' family naming
engines.topDetections show consistent family labels across tier-1 (Python:Discord-H [Trj], HEUR:Trojan-PSW.Python.Disco.gen) and tier-2 (exe.trojan.disco, Trojan.Win32.Disco.i!c)
behaviour.mitreTechniques=[T1027, T1057, T1059, T1082, T1083, T1129] — obfuscation, process discovery, command execution, system enumeration consistent with infostealer reconnaissance
signing.verified=false, unsigned executable; no signer history to contradict malware detection
prevalence.classification=rare_old (1 submission, 319 days) — consistent with single-submission malware sample, not widespread commodity
- No malicious sandbox verdicts recorded (though sandbox data unavailable)
- No contacted malicious hosts in our URL cache
- No dropped malicious children detected
- Tier-1 antivirus consensus on named infostealer family (Disco/Python:Discord-H)
- Unsigned executable with no publisher history
- Static MITRE techniques consistent with credential harvesting and reconnaissance
- High PE entropy and overlay structure suggest bundled payload
- Rare prevalence (single submission) consistent with targeted or limited-distribution malware
Isolate and remove this file immediately. If executed, perform a full system scan and reset Discord credentials with two-factor authentication enabled. Do not trust this executable; the convergence of tier-1 antivirus family naming on a known infostealer is a reliable malicious indicator.
disco corroborated by 2 sources
- VT (76 engines)disco
- MT AI Enginedisco
17 detections across 76 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Rarely uploaded, but has been around for a while. Often niche legitimate software or old internal tooling; not a strong malware signal on its own.
Forensic fingerprint
- File name
- lcnl4o.exe
- Size
- 3.03 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 34ad3e71fbfeb6fb523b63f8a9d5b923bdec4ce42b2d74686749a51ad5e5d03c
- MD5
- 1b8dc3510f357b54a4826a485b100baf
- SHA-1
- 0749fa079a48dcbfa2abc214bb9887ba4d160bed
- PE imphash
- 33742414196e45b8b306a928e178f844
- First seen (VT)
- 8/26/2025, 1:47:16 AM
- Last analysis (VT)
- 9/26/2025, 12:06:44 PM
- First scan (MalwareTips)
- 7/10/2026, 11:40:29 PM
- Last scan (MalwareTips)
- 7/10/2026, 11:40:29 PM
Safety FAQ
Common questions about lcnl4o.exe, answered from the scan data above.
- Yes — lcnl4o.exe is malicious, so do not run it, and delete it. 17 of 76 antivirus engines flag it (family: disco). It behaves as an information stealer/spyware, built to harvest passwords, cookies, and wallet data. If you've already run it, see the removal and recovery steps below.
- lcnl4o.exe is a Windows executable program, about 3 MB. Our analysis identifies it as malicious (family: disco) — an information stealer/spyware, built to harvest passwords, cookies, and wallet data. Because a file's name and icon can be faked, the safest way to identify it is by its cryptographic hash (below), not its filename.
- 17 of 76 antivirus engines flagged lcnl4o.exe, 17 of them as outright malicious. A detection rate at this level is a reliable signal that the file is dangerous.
- Act quickly. 1) Disconnect the device from the internet to stop the malware communicating or spreading. 2) Run a full scan with reputable anti-malware software (such as Malwarebytes) and quarantine everything it finds. 3) Change your important passwords from a DIFFERENT, clean device — many threats log keystrokes or steal saved credentials. 4) If you bank or shop on this device, watch closely for fraud and alert your bank. 5) For a confirmed infection, the most reliable fix is to back up your personal files and reinstall the operating system for a clean start.
- To remove lcnl4o.exe: 1) restart into Safe Mode (Safe Mode with Networking if you need to download a tool) so the malware doesn't auto-start. 2) Run a full scan with reputable anti-malware software and let it quarantine or delete the detections. 3) Delete the original lcnl4o.exe file and empty the Recycle Bin/Trash. 4) Check your browser extensions, startup items, and scheduled tasks for anything unfamiliar. 5) Reboot and scan again to confirm it's gone. If detections keep coming back, a clean operating-system reinstall is the most dependable cure.
- lcnl4o.exe is classified as an information stealer/spyware, built to harvest passwords, cookies, and wallet data. Engines attribute it to the disco family. Knowing the family matters because it tells you the likely impact — data theft, remote control, file encryption, or unwanted ads — and guides the cleanup.
- The SHA-256 hash of lcnl4o.exe is 34ad3e71fbfeb6fb523b63f8a9d5b923bdec4ce42b2d74686749a51ad5e5d03c, and its MD5 is 1b8dc3510f357b54a4826a485b100baf. This hash is the file's unique fingerprint — two files with the same SHA-256 are identical. Use it to confirm you're looking at exactly this file (not just one with the same name) when comparing against antivirus databases or a download's published checksum.
- This report reflects the scan run on July 10, 2026. Because a file's hash never changes, the identity of lcnl4o.exe is fixed — but antivirus coverage improves over time, so a file that looks clean today can pick up detections later (and vice-versa). If you need the latest picture, MalwareTips staff can re-run the analysis from scratch.
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.