Suspicious
Unsigned installer with multiple offensive MITRE techniques and direct-IP C2 despite low engine coverage.
4ac8068c83e84b9c9c…dcb78432d2The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file is an unsigned Inno Setup installer for what appears to be ATLauncher (Minecraft mod launcher). While engine coverage is high, only a single low-trust engine raised a generic malicious flag. However, sandbox execution revealed eight offensive MITRE techniques including process injection into Explorer, LSASS credential access, persistence mechanisms and direct-IP C2 to 15 addresses without domain resolution. These behaviours are inconsistent with a clean installer even accounting for Java runtime extraction. Prevalence is high and one similar imphash was previously marked safe, yet the lack of signing and specific heuristic triggers keep the assessment in mixed-signals territory.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines.onlyLowTrustFlagging=true and tier1Malicious=0 (APEX low_trust 'Malicious' only)
behaviour.offensiveTechniques includes T1055, T1485, T1486, T1543.003, T1547.001, T1548, T1562.001 (8 total)
triggeredHeuristics: MalwareTips.Synth.ProcessInjection, MalwareTips.Synth.CredentialDumper, MalwareTips.Synth.DirectIpC2 all fired
prevalence.classification=common_old with 4655 submissions; similarHashes[1].verdict=safe (imphash match)
signing.verified=null (unsigned) and filenameAnalysis.hasInstallerHint=true
- High prevalence (common_old, 4655 submissions)
- 69/70 engines undetected
- No tier-1 malicious detections
- No malicious dropped children
- One prior safe verdict on similar imphash
- Unsigned executable
- 8 offensive MITRE techniques observed
- Direct-IP C2 with no DNS usage
- LSASS access and process injection indicators
- Mixed community annotations including suspicious tags
Treat as suspicious pending further verification; obtain the official installer from the vendor site and compare hashes before running.
1 contradiction resolved by the scoring engine
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 172.66.174.26
- 140.82.112.3
- 185.199.109.133
- 192.168.0.44
- 20.99.133.109
- 23.55.140.42
- 192.168.0.56
- 20.69.140.28
- 217.20.54.35
- 23.196.145.221
- C:\Users\<USER>\AppData\Local\Temp\is-JL76O.tmp\executable.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-9OVP1.tmp\_isetup\_setup64.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-9OVP1.tmp\is-84J8L.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-9OVP1.tmp\ATLauncher.exe
- C:\Users\<USER>\AppData\Local\Temp\is-9OVP1.tmp\is-LOQCU.tmp
- C:\Users\<USER>\AppData\Roaming\ATLauncher\is-6V2HK.tmp
- C:\Users\<USER>\AppData\Roaming\ATLauncher\is-RDD54.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-9OVP1.tmp\jre.zip
- C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ATLauncher\ATLauncher.lnk
- C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ATLauncher\ATLauncher.pif
- cversions.3.m
- \Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
- \Sessions\1\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
- \Sessions\1\BaseNamedObjects\Local\SessionImmersiveColorMutex
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- ac3706ebbb78cfba74e5…0aba8fNever scannednever seen before
- fbc6a2793193035702a3…3104b4Never scannednever seen before
- dc130da62ff3a8b7ffb6…8f414dNever scannednever seen before
- 0221646b013037b9f474…ddafb2Never scannednever seen before
- 5a7ff949f6d93d86491e…420023Never scannednever seen before
- 388a796580234efc95f3…136f95Never scannednever seen before
- 4439a2331396cfbcbfbb…d300a8Never scannednever seen before
- ea308c76a2f927b160a1…4e716dNever scannednever seen before
- 90ac2104fa150b68518e…a8a8d4Never scannednever seen before
- 6c491d6f8c28c6f451f0…b1477bNever scannednever seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
EvidenceC:\Windows\Explorer.EXESandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
EvidenceC:\Windows\system32\lsass.exeSample contacted 15 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence172.66.174.26 · 140.82.112.3 · 185.199.109.133
1 detection across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name
- ATLauncher-setup-1.3.0.0.exe
- Size
- 2.79 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 4ac8068c83e84b9c9c09dcad37120ed4041e72480c4e9a36543445dcb78432d2
- MD5
- 9d56b8206cbc9f298dfe5991161ef21d
- SHA-1
- c4f531d4499676685c162c014e6024a441bed82c
- PE imphash
- 40ab50289f7ef5fae60801f88d4541fc
- First seen (VT)
- 5/10/2025, 10:31:59 PM
- Last analysis (VT)
- 7/4/2026, 12:52:14 PM
- First scan (MalwareTips)
- 7/5/2026, 5:05:12 AM
- Last scan (MalwareTips)
- 7/5/2026, 5:05:12 AM
- Community reputation
- -3flagged
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.