Malicious
UltraSurf proxy tool flagged by 6 tier-1 engines; sandbox shows direct-IP C2 beacon and evasion techniques.
553a3e1522e74db3dc…5096302698
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
This ZIP archive contains UltraSurf, a circumvention/proxy tool that has been consistently flagged across our antivirus network for 8 years. The tier-1 consensus (6 high-trust engines agreeing on the UltraSurf/UltraReach family) is a strong malicious signal. Sandbox execution shows the sample extracted and ran u.exe with proxy configuration arguments, contacted 20 external IP addresses directly without DNS resolution (a hallmark of C2 infrastructure evasion), and fetched encrypted payloads from AWS S3. The file exhibits multiple evasion techniques: UPX packing, debug-environment detection, and long-sleep anti-analysis loops. While UltraSurf is marketed as a legitimate circumvention tool, this sample's C2 beacon behaviour and direct-IP contact pattern indicate it is being used or has been modified for malicious command-and-control purposes.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- tier1Malicious=6/17 tier-1 engines; tier1FamilyConsensus.strong=true (BitDefender, Emsisoft, GData agree on 'application' family)
- Consistent threat naming across vendors: BitDefender 'Application.UltraSurf.E', DrWeb 'Tool.UltraSurf.17', ESET-NOD32 'Win32/UltraReach.AG', Fortinet 'Riskware/UltraReach'
- triggeredHeuristics: MalwareTips.Synth.DirectIpC2 fired — 20 external IPs contacted, zero domains; direct-IP C2 bypasses reputation systems
- Sandbox behaviour: extracted u.exe with proxy arguments (-L=127.0.0.1:9666), contacted S3 URLs for version.enc updates, launched iexplore.exe to ultrasurf.us
- File tags include 'upx', 'detect-debug-environment', 'via-tor', 'long-sleeps' — evasion and obfuscation indicators consistent with circumvention/proxy tools
- No malicious dropped children: 0/10 inspected child processes were malicious
- No malicious contacted hosts: 2 inspected hosts in our URL cache were not flagged as malicious
- Medium prevalence: 67 submissions over 8 years suggest a known, established threat (not a novel exploit)
- Tier-1 consensus: 6 high-trust engines agree on UltraSurf/UltraReach family
- Direct-IP C2 contact: 20 external IPs contacted with zero DNS lookups (evasion pattern)
- Evasion techniques: UPX packing, debug-environment detection, long-sleep anti-analysis
- Encrypted payload updates: Fetches version.enc from AWS S3 (obfuscated C2 updates)
- Proxy configuration: Sandbox shows u.exe launched with proxy arguments (-L=127.0.0.1:9666)
- Negative reputation: File reputation score -14 across 50 submitters
Block and remove this file. UltraSurf is a known circumvention tool flagged by multiple tier-1 antivirus vendors; this sample exhibits direct-IP C2 beacon behaviour and evasion techniques consistent with malicious use. Do not execute or extract.
ultrasurf corroborated by 2 sources
- VT (73 engines): ultrasurf
- MT AI Engine: UltraSurf
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 20 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 8.8.8.8 · 13.225.65.150 · 172.253.63.99
24 detections across 73 engines
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: UltraSurf-18-02.zip
- Size: 3.35 MB
- MIME type: (unknown)
- Detected type: ZIP
- SHA-256: 553a3e1522e74db3dcfbf8792eb726aa28807bcbe7b3d9ebe45a865096302698
- MD5: 8cd443ef55eb274623d1ab3f454c0168
- SHA-1: 2f8b8f40e117f573c3774150cb10da3639d0b00d
- First seen (VT): 4/23/2018, 11:49:21 PM
- Last analysis (VT): 6/22/2026, 5:32:57 AM
- First scan (MalwareTips): 7/1/2026, 2:00:52 AM
- Last scan (MalwareTips): 7/1/2026, 2:00:52 AM
- Community reputation: -14 (flagged)