File verdict · Decided by the MT AI Engine
Our call

Suspicious

Unsigned DLL with process injection, direct-IP C2, and anti-debug YARA matches, but tier-1 engines silent on a 2043-day-old common file.

Trust score: 58 (Caution)
MT AI confidence: 62%
File: soft_oal.dll
Size: 1.7 MB
Hash: 5a42440a18a75ce58856d871db42
Antivirus engines: 0 of 75 flagged
Code signing: Unsigned
Age: First seen 6y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 62% (Moderate)
Reasoning

The evidence presents a genuine conflict. On one hand, the behavioural indicators are severe: process injection, reflective code loading, anti-debug checks, and direct-IP C2 contact are hallmarks of evasive malware. Five community YARA rules converged on anti-debug and code-injection patterns, and FileScan.IO independently flagged it 'LIKELY_MALICIOUS' with 100% confidence. On the other hand, tier-1 engines (Kaspersky, BitDefender, ESET, Fortinet, Avast, Emsisoft, Ikarus, DrWeb, F-Secure, GData, Avira, AVG) all report clean, and the file has been widely distributed (2933 submitters, 4055 submissions) since 2020 without triggering signature-based detection. No malicious sandbox verdict was recorded, and dropped children are unknown, not malicious. The most likely explanations are: (1) a legitimate research or debugging tool (possibly OpenAL-related, given the filename 'soft_oal.dll') that uses anti-debug and code-injection patterns for legitimate purposes, or (2) sophisticated malware with evasion that bypasses signatures but is caught by heuristic and YARA analysis. The tier-1 silence and high prevalence favour (1), but the strong behavioural signals and community verdict favour (2). This is a borderline case requiring manual review.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. tier1Malicious=0; tier1ReportedClean=17 (Avast, BitDefender, Kaspersky, ESET, Fortinet, Emsisoft, Ikarus, DrWeb, F-Secure, GData, Avira, AVG) — no tier-1 consensus family, but also no tier-1 malicious flags

  2. behaviour.offensiveTechniques: T1055 (process injection), T1055.003 (reflective DLL), T1562.001 (disable defences), T1620 (reflective code loading) — 4 offensive MITRE techniques

  3. behaviour.contactedIps: 135.233.45.222 (direct-IP C2, no DNS) — bypasses reputation systems and domain blocklists

  4. yaraify.ruleCount=5: Check_OutputDebugStringA_iat, DebuggerCheck__API, pe_detect_tls_callbacks, SEH__vectored, ThreadControl__Context — community researchers matched anti-debug and code-injection patterns

  5. communityComments: FileScan.IO verdict 'LIKELY_MALICIOUS' (100% confidence) with tags anti-debug, lolbin, shell32, pedll — independent corroboration

Points in its favour
  • 17 tier-1 antivirus engines report clean (Kaspersky, BitDefender, ESET, Fortinet, Avast, Emsisoft, Ikarus, DrWeb, F-Secure, GData, Avira, AVG)
  • Common_old prevalence: 4055 submissions from 2933 unique sources since 2020 — widely distributed without mass-detection
  • No malicious sandbox verdict recorded
  • No malicious dropped children (3 inspected, all unknown verdict)
  • No malicious contacted hosts in our URL cache
Points against
  • Process injection (T1055, T1055.003) — payload smuggled into legitimate process to bypass AV hooks
  • Direct-IP C2 contact (135.233.45.222) without DNS — bypasses reputation systems and domain blocklists
  • Anti-debug checks (OutputDebugStringA, DebuggerCheck API) — evasion technique to detect analysis environment
  • Reflective code loading (T1620) — in-memory code execution to avoid disk detection
  • Disable defences (T1562.001) — attempt to neutralise security controls
  • Five community YARA rules matched — anti-debug, TLS callbacks, SEH vectored exception handling, thread context manipulation
What to do

This file requires manual security review due to conflicting signals. If encountered unexpectedly, isolate the system and perform a full malware scan. If you are a researcher or developer, verify the file's legitimate purpose (it may be an OpenAL library or debugging tool) before execution in any environment.

Threat family attribution

Check OutputDebugStringA iat corroborated by 1 source

  • 5 YARA rules
    Check_OutputDebugStringA_iat, DebuggerCheck__API, pe_detect_tls_callbacks
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK (16)

Adversary techniques mapped to the MITRE ATT&CK framework.

T1027, T1055, T1055.003, T1056, T1057, T1071, T1082, T1083, T1123, T1129, T1218.011, T1497, T1518.001, T1562.001, T1573, T1620
Spawned processes (15)
  • "C:\Windows\sysnative\rundll32.exe" "C:\Users\<USER>\Desktop\library.dll",#1
  • C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\attachment.dll"
  • C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  • C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\attachment.dll",#1
  • C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\attachment.dll",#1
  • C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\attachment.dll,alAuxiliaryEffectSlotPlaySOFT
  • C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\attachment.dll,alAuxiliaryEffectSlotPlayvSOFT
  • C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\attachment.dll,alAuxiliaryEffectSlotStopSOFT
+7 more processes captured.
Network activity (1)
IP addresses (1)
  • 135.233.45.222
Filesystem & mutexes (2)
Files written (1)
  • \Device\ConDrv\\Connect
Mutexes created (1)
  • \Sessions\1\BaseNamedObjects\DBWinMutex
Dropped payload

Files this sample writes at runtime

This file drops 3 children at runtime. None are currently flagged malicious in our cache.

3 unseen
  • 8df0190608b744da48b3f5a6cb: never scanned, never seen before
  • 92bf2ae2683a42ed4c1f21635b: never scanned, never seen before
  • 3c269b4937d5ae31eb0ee7f261: never scanned, never seen before
External threat intelligence

1 corroborating signal from researcher-curated sources

YARAify HIT · 5 community rules matched
  • Check_OutputDebugStringA_iat
  • DebuggerCheck__API
  • pe_detect_tls_callbacks
  • SEH__vectored
  • ThreadControl__Context
Cross-referenced against MalwareBazaar (abuse.ch), YARAify, and the CIRCL hashlookup reference DB.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

5 YARAify · 2 synthesis
MITRE ATT&CK profile
Defense evasion ×1 · C2 ×1
YARAify (community)
Researcher-authored rules via abuse.ch
  • Check_OutputDebugStringA_iat
  • DebuggerCheck__API
  • pe_detect_tls_callbacks
  • SEH__vectored
  • ThreadControl__Context
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (high)

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    "C:\Windows\sysnative\rundll32.exe" "C:\Users\<USER>\Desktop\library.dll",#1
  • DirectIpC2 (medium)

    Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    135.233.45.222
Antivirus engine breakdown

0 detections across 75 engines

0 malicious · 0 suspicious · 75 clean
Tier-1 (17 engines): 0 flag. Top commercial AVs (low FP rate).
Tier-2 (38 engines): 0 flag. Mainstream engines with mixed FP rates.
Low-trust (20 engines): 0 flag. Heuristic / generic-AI engines (high FP rate).
All 75 engines report this file as clean.
Hash 5a42440a18a7… cross-referenced against 75 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked
Section entropy (10 sections)
  • .text: 6.26
  • .data: 0.60
  • .rdata: 6.26
  • .pdata: 6.05
  • .xdata: 5.23
  • .bss: 0.00
  • .edata: 5.25
  • .idata: 4.50
  • .CRT: 0.26
  • .tls: 0.00
Packed threshold: 7.2 (scale 0.0 to 8.0)
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders
2,933
Hundreds of people have uploaded this — common.
Total submissions
4,055
Includes repeat uploads by the same source.
First seen by VT
6y ago
Nov 5, 2020
Prevalence quadrant: Common · Old (trusted legitimate binaries). Other quadrants for reference: Rare · New (targeted malware lives here), Common · New (just-released software), Rare · Old (niche or internal tooling).
File identity

Forensic fingerprint

File biography
First seen (VT)
11/5/2020, 7:01:48 AM
First seen (MalwareBazaar)
Last analysis (VT)
6/10/2026, 12:17:51 AM
Scanned here
6/10/2026, 9:31:18 AM
File name
soft_oal.dll
Size
1.69 MB
MIME type
(unknown)
Detected type
Win32 DLL
SHA-256
5a42440a18a75ce588659158d74d26ab1850eabd34f3b25abd969a56d871db42
MD5
ff08ba3a9dfe6bd0b26f9055094c9550
SHA-1
2dd9130b6dd4c49864635b1b7cc4a93ebcdd5e17
PE imphash
31b92c8d254efbdb21daa422d2e38a77
First scan (MalwareTips)
6/10/2026, 9:31:18 AM
Last scan (MalwareTips)
6/10/2026, 9:31:18 AM
Behavior tags
assembly, checks-user-input, pedll, 64bits, detect-debug-environment
Community classification

Reviews & malware reports (0)

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.