File verdict · Decided by the MT AI Engine
Our call

Malicious

UltraSurf proxy tool flagged by 6 tier-1 engines; sandbox shows direct-IP C2 beacon and evasion techniques.

UltraSurf
Trust score 18 · High risk
MT AI confidence · 92%
UltraSurf-18-02.zip
3.4 MB
553a3e1522e74db3dc5096302698
Antivirus engines
24 of 73 flagged
Code signing
Unsigned
Age
First seen 8y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

92% confidence · Very high
Reasoning

This ZIP archive contains UltraSurf, a circumvention/proxy tool that has been consistently flagged across our antivirus network for 8 years. The tier-1 consensus (6 high-trust engines agreeing on the UltraSurf/UltraReach family) is a strong malicious signal. Sandbox execution shows the sample extracted and ran u.exe with proxy configuration arguments, contacted 20 external IP addresses directly without DNS resolution (a hallmark of C2 infrastructure evasion), and fetched encrypted payloads from AWS S3. The file exhibits multiple evasion techniques: UPX packing, debug-environment detection, and long-sleep anti-analysis loops. While UltraSurf is marketed as a legitimate circumvention tool, this sample's C2 beacon behaviour and direct-IP contact pattern indicate it is being used or has been modified for malicious command-and-control purposes.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. tier1Malicious=6/17 tier-1 engines; tier1FamilyConsensus.strong=true (BitDefender, Emsisoft, GData agree on 'application' family)

  2. Consistent threat naming across vendors: BitDefender 'Application.UltraSurf.E', DrWeb 'Tool.UltraSurf.17', ESET-NOD32 'Win32/UltraReach.AG', Fortinet 'Riskware/UltraReach'

  3. triggeredHeuristics: MalwareTips.Synth.DirectIpC2 fired — 20 external IPs contacted, zero domains; direct-IP C2 bypasses reputation systems

  4. Sandbox behaviour: extracted u.exe with proxy arguments (-L=127.0.0.1:9666), contacted S3 URLs for version.enc updates, launched iexplore.exe to ultrasurf.us

  5. File tags include 'upx', 'detect-debug-environment', 'via-tor', 'long-sleeps' — evasion and obfuscation indicators consistent with circumvention/proxy tools

Points in its favour
  • No malicious dropped children: 0/10 inspected child processes were malicious
  • No malicious contacted hosts: 2 inspected hosts in our URL cache were not flagged as malicious
  • Medium prevalence: 67 submissions over 8 years suggests known, established threat (not a novel exploit)
Points against
  • Tier-1 consensus: 6 high-trust engines agree on UltraSurf/UltraReach family
  • Direct-IP C2 contact: 20 external IPs contacted with zero DNS lookups (evasion pattern)
  • Evasion techniques: UPX packing, debug-environment detection, long-sleep anti-analysis
  • Encrypted payload updates: Fetches version.enc from AWS S3 (obfuscated C2 updates)
  • Proxy configuration: Sandbox shows u.exe launched with proxy arguments (-L=127.0.0.1:9666)
  • Negative reputation: File reputation score -14 across 50 submitters
What to do

Block and remove this file. UltraSurf is a known circumvention tool flagged by multiple tier-1 antivirus vendors; this sample exhibits direct-IP C2 beacon behaviour and evasion techniques consistent with malicious use. Do not execute or extract.

Threat family attribution

ultrasurf corroborated by 2 sources

  • VT (73 engines)
    ultrasurf
  • MT AI Engine
    UltraSurf
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
16

Adversary techniques mapped to the MITRE ATT&CK framework.

  • T1018 Remote System Discovery
  • T1027 Obfuscated Files or Information
  • T1027.002 Software Packing
  • T1036 Masquerading
  • T1059 Command and Scripting Interpreter
  • T1071 Application Layer Protocol
  • T1082 System Information Discovery
  • T1083 File and Directory Discovery
  • T1095 Non-Application Layer Protocol
  • T1185 Browser Session Hijacking
  • T1497 Virtualization/Sandbox Evasion
  • T1499 Endpoint Denial of Service
  • T1518.001 Security Software Discovery
  • T1560 Archive Collected Data
  • T1562.001 Disable or Modify Tools
  • T1573 Encrypted Channel
Spawned processes
15
  • C:\Users\<USER>\Downloads\utmp\u.exe -L=127.0.0.1:9666 -CID=6b823e05, -ProgPath=C:\Users\<USER>\Downloads\\ -TmpPath=C:\Users\<USER>\Downloads\utmp\\ -ConnMode=0 -version=1802100
  • C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\download.zip
  • C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\hhy3wjtk.dfy" "C:\Users\user\Desktop\download.zip
  • C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  • C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hhy3wjtk.dfy\u1802.exe
  • C:\Users\user\AppData\Local\Temp\hhy3wjtk.dfy\u1802.exe
  • C:\Users\user\AppData\Local\Temp\hhy3wjtk.dfy\utmp\u.exe -L="127.0.0.1:9666" -CID="44992509", -ProgPath="C:\Users\user\AppData\Local\Temp\hhy3wjtk.dfy\\" -TmpPath="C:\Users\user\AppData\Local\Temp\hhy3wjtk.dfy\utmp\\" -ConnMode=0 -version="…
  • C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" http://ultrasurf.us/search.htm
+7 more processes captured.
Network activity
25
IP addresses (20)
URLs (5)
  • https://s3.amazonaws.com/ultrasurfus/version.enc
  • https://s3-ap-southeast-1.amazonaws.com/wujiesg/version.enc
Filesystem & mutexes
29
Files written (15)
  • C:\Users\<USER>\Downloads\76ea
  • C:\Users\<USER>\Downloads\utmp\Mgzhvzywow7l6u1z
  • C:\Users\<USER>\Downloads\utmp\Skyoajkjlj5y2h0p
  • C:\Users\<USER>\Downloads\utmp\Onavrwctmq0e9s5p
  • C:\Users\<USER>\Downloads\utmp\u.exe
+10 more
Files deleted (4)
  • C:\Users\<USER>\Downloads\76ea
  • C:\Users\<USER>\Downloads\utmp\Cmdiudeiid0n4z2y
  • C:\Users\<USER>\Downloads\utmp\jsxhzrwjcwii
  • C:\Users\user\AppData\Local\Temp\hhy3wjtk.dfy\9f6
Mutexes created (10)
  • \Sessions\1\BaseNamedObjects\Local\!BrowserEmulation!SharedMemory!Mutex
  • \Sessions\1\BaseNamedObjects\Local\VERMGMTBlockListFileMutex
  • \Sessions\1\BaseNamedObjects\SmartScreen_AppRepSettings_Mutex
  • \Sessions\1\BaseNamedObjects\SmartScreen_ClientId_Mutex
  • \Sessions\1\BaseNamedObjects\CommunicationManager_Mutex
+5 more
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.

1 synthesis
MITRE ATT&CK profile
C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • DirectIpC2 · medium

    Sample contacted 20 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    8.8.8.8 · 13.225.65.150 · 172.253.63.99
Antivirus engine breakdown

24 detections across 73 engines

24 malicious · 0 suspicious · 49 clean
Tier-1: 17 engines, 6 flag (top commercial AVs, low FP rate)
Tier-2: 36 engines, 13 flag (mainstream engines with mixed FP rates)
Low-trust: 20 engines, 5 flag (heuristic / generic-AI engines, high FP rate)
  • alibabacloud · malicious · Trojan:Win/UltraReach.AU
  • ALYac · malicious · Misc.HackTool.UltraSurf
  • Arcabit · malicious · Application.UltraSurf.E
  • BitDefender · malicious · Application.UltraSurf.E
  • ClamAV · malicious · Win.Virus.Pioneer-9255921-0
  • CTX · malicious · zip.trojan.ultrareach
  • DeepInstinct · malicious · MALICIOUS
  • DrWeb · malicious · Tool.UltraSurf.17
  • Elastic · malicious · malicious (moderate confidence)
  • Emsisoft · malicious · Application.UltraSurf.E (B)
  • ESET-NOD32 · malicious · Win32/UltraReach.AG potentially unsafe application
  • Fortinet · malicious · Riskware/UltraReach
  • GData · malicious · Application.UltraSurf.E
  • Jiangmin · malicious · RiskTool.UltraSurf.l
  • Kingsoft · malicious · Win32.Troj.Generic.lc
  • Lionic · malicious · Trojan.ZIP.UltraSurf.4!c
  • Malwarebytes · malicious · Malware.AI.2017780830
  • NANO-Antivirus · malicious · Trojan.Win32.UltraReach.favuzy
  • Rising · malicious · Trojan.Injuke!8.10932 (CLOUD)
  • VBA32 · malicious · BScope.Trojan.Downloader
  • VIPRE · malicious · Application.UltraSurf.E
  • Xcitium · malicious · ApplicUnwnt@#it5k9wk1wdmx
  • Yandex · malicious · Trojan.GenAsa!OJybGo5FLF8
  • Zillya · malicious · Trojan.Injuke.Win32.47223
Hash 553a3e1522e7… cross-referenced against 73 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
50
Moderate upload volume.
Total submissions
67
Includes repeat uploads by the same source.
First seen by VT
8y ago
Apr 23, 2018
Prevalence quadrant
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
4/23/2018, 11:49:21 PM
First seen (MalwareBazaar)
Last analysis (VT)
6/22/2026, 5:32:57 AM
Scanned here
7/1/2026, 2:00:52 AM
File name
UltraSurf-18-02.zip
Size
3.35 MB
MIME type
(unknown)
Detected type
ZIP
SHA-256
553a3e1522e74db3dcfbf8792eb726aa28807bcbe7b3d9ebe45a865096302698
MD5
8cd443ef55eb274623d1ab3f454c0168
SHA-1
2f8b8f40e117f573c3774150cb10da3639d0b00d
First seen (VT)
4/23/2018, 11:49:21 PM
Last analysis (VT)
6/22/2026, 5:32:57 AM
First scan (MalwareTips)
7/1/2026, 2:00:52 AM
Last scan (MalwareTips)
7/1/2026, 2:00:52 AM
Community reputation
-14 · flagged
Behavior tags
  • upx
  • checks-user-input
  • checks-network-adapters
  • detect-debug-environment
  • via-tor
  • long-sleeps
  • contains-pe
  • zip
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.