Suspicious
Unsigned self-extracting installer showing process-injection and direct-IP behaviour with only low-trust detections and mixed sandbox signals.
6472de894c5cb6050f…cbb90e6ec6The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The engine picture is low-trust only with zero tier-1 malicious detections, which normally leans safe, but the behavioural heuristics and sandbox traces show clear offensive techniques including process injection and credential-store access. The file is unsigned with no signer history, yet it is a very old, widely submitted 7-Zip SFX installer. Community sandbox reports are mostly clean or low-suspicion. These opposing signals place the sample in mixed territory rather than a clear safe or malicious call.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 2/70 malicious (APEX, Trapmine low_trust only); tier1Malicious=0; 17 tier-1 clean
behaviour.offensiveTechniques: T1055, T1543.003, T1547.001, T1548; triggeredHeuristics: MalwareTips.Synth.ProcessInjection (high), CredentialDumper, DirectIpC2
prevalence.classification=common_old; 3612 unique sources since 2016-03-03
signing.signed=false; no signerStats history
communityComments: multiple Joe Sandbox CLEAN verdicts (scores 13-16/100)
- Zero tier-1 malicious detections
- Common-old prevalence (3612 sources)
- Multiple clean Joe Sandbox reports
- No malicious dropped children
- No malicious contacted hosts
- Unsigned binary
- Process injection (T1055) observed
- Direct-IP contacts without DNS
- LSASS memory access in sandbox
- Adversarial comment flag present
Treat as suspicious pending further analysis; isolate and re-verify before any execution.
1 contradiction resolved by the scoring engine
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 192.168.0.167
- 209.197.3.8
- 131.253.33.203
- 8.252.68.126
- 192.168.0.32
- 192.168.0.35
- a83f:8110:1800:0:200:0:0:0
- 23.216.147.76
- 20.80.129.13
- 23.216.147.64
- C:\Users\<USER>\AppData\Local\Temp\7zSEE38.tmp\PatchCleaner.msi
- C:\Users\<USER>\AppData\Local\Temp\7zSEE38.tmp\setup.exe
- C:\Users\<USER>\AppData\Local\Temp\VSDF1A3.tmp\install.log
- C:\Users\<USER>\AppData\Local\Temp\CFG14EA.tmp
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
- C:\Windows\SysWOW64\MsiWerCrashmetadata-41
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER217D.tmp.WERInternalMetadata.xml
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER2238.tmp.csv
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER2268.tmp.txt
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER2844.tmp.WERInternalMetadata.xml
- CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- 4d6d882e86a8b94b63c4…8e8d5aNever scannednever seen before
- adf737e044c8125286b7…c723d4Never scannednever seen before
- c43f57c1aff7a3571fb8…4df164Never scannednever seen before
- f5ba88b4a9928b710c9d…e65b6cNever scannednever seen before
- e1c84c55cd245d0b487c…053c62Never scannednever seen before
- bb5a1d709ddba97bb438…d77afaNever scannednever seen before
- 2099f0854585b2115e09…0d7b95Never scannednever seen before
- 3096d8e82917a9b73f32…3cdd5bNever scannednever seen before
- 30e621d2720a1f8b727f…44e8bcNever scannednever seen before
- f2f69d75c8e2d790026c…f926e9Never scannednever seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
EvidenceC:\Windows\System32\svchost.exe -k NetworkService -pSandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
EvidenceC:\Windows\system32\lsass.exeSample contacted 16 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence209.197.3.8 · 131.253.33.203 · 8.252.68.126
2 detections across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name
- 7zS.sfx.exe
- Size
- 1.26 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6
- MD5
- 70d0bd7633d10c492839272c97b2544e
- SHA-1
- 4da0e8c2fe1f06b13985d700fe15686a1015c3bb
- PE imphash
- 3786a4cf8bfee8b4821db03449141df4
- First seen (VT)
- 3/3/2016, 9:15:06 AM
- Last analysis (VT)
- 7/10/2026, 10:43:34 AM
- First scan (MalwareTips)
- 7/10/2026, 7:25:34 PM
- Last scan (MalwareTips)
- 7/10/2026, 7:25:34 PM
- Community reputation
- +113trusted
Safety FAQ
Common questions about 7zS.sfx.exe, answered from the scan data above.
- 7zS.sfx.exe is suspicious — treat it as unsafe until you're sure. 2 of 74 antivirus engines flag it, which isn't a strong consensus but is enough to be cautious. Don't run it unless you fully trust where it came from, and prefer downloading the software fresh from its official site.
- 7zS.sfx.exe is a Windows executable program, about 1.3 MB. We identify a file by its cryptographic hash rather than its name, because the same filename can be reused by completely different files — the hash below is the reliable fingerprint.
- 2 of 74 antivirus engines flagged 7zS.sfx.exe, 2 of them as outright malicious. A small number of detections can include false positives, so we weigh which engines flagged it and what else the file does, not just the raw count.
- Act quickly. 1) Disconnect the device from the internet to stop the malware communicating or spreading. 2) Run a full scan with reputable anti-malware software (such as Malwarebytes) and quarantine everything it finds. 3) Change your important passwords from a DIFFERENT, clean device — many threats log keystrokes or steal saved credentials. 4) If you bank or shop on this device, watch closely for fraud and alert your bank. 5) For a confirmed infection, the most reliable fix is to back up your personal files and reinstall the operating system for a clean start.
- To remove 7zS.sfx.exe: 1) restart into Safe Mode (Safe Mode with Networking if you need to download a tool) so the malware doesn't auto-start. 2) Run a full scan with reputable anti-malware software and let it quarantine or delete the detections. 3) Delete the original 7zS.sfx.exe file and empty the Recycle Bin/Trash. 4) Check your browser extensions, startup items, and scheduled tasks for anything unfamiliar. 5) Reboot and scan again to confirm it's gone. If detections keep coming back, a clean operating-system reinstall is the most dependable cure.
- The SHA-256 hash of 7zS.sfx.exe is 6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6, and its MD5 is 70d0bd7633d10c492839272c97b2544e. This hash is the file's unique fingerprint — two files with the same SHA-256 are identical. Use it to confirm you're looking at exactly this file (not just one with the same name) when comparing against antivirus databases or a download's published checksum.
- This report reflects the scan run on July 10, 2026. Because a file's hash never changes, the identity of 7zS.sfx.exe is fixed — but antivirus coverage improves over time, so a file that looks clean today can pick up detections later (and vice-versa). If you need the latest picture, MalwareTips staff can re-run the analysis from scratch.
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.