Suspicious
Unsigned JAR shows process-injection and direct-IP contact despite zero engine detections.
65dfc6f67a3c38ad81…9555b5733eThe verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
All 64 reporting engines returned clean, including 17 tier-1 engines, producing a strong negative signal. However the sandbox recorded three offensive MITRE techniques and triggered two high/medium heuristics for reflective injection and DNS-less C2. The JAR is unsigned, three days old, and has no prior similar-hash verdicts. These contradictory signals place the file in mixed-signals territory rather than clean or confirmed malicious.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines.tier1Malicious=0 and engines.malicious=0 across 64 reporting engines
behaviour.offensiveTechniques includes T1055 (Process Injection) and triggeredHeuristics[0].rule=MalwareTips.Synth.ProcessInjection
behaviour.contactedIps=["162.159.36.2"] with zero contactedDomains — MalwareTips.Synth.DirectIpC2 fired
signing.verified=false (unsigned) and prevalence.classification=medium
droppedChildren.hasMaliciousChild=false and externalIntel.yaraify.ruleCount=0
- Zero malicious detections across 64 engines
- 17 tier-1 engines reported clean
- No malicious dropped children
- No external intelligence hits
- Process injection (T1055) observed in sandbox
- Direct-IP contact without DNS resolution
- Unsigned JAR with numeric version in filename
- Three-day file age and medium prevalence
Treat as suspicious; isolate and monitor before any production use.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 162.159.36.2
- C:\Users\<USER>\AppData\Local\Temp\hsperfdata_<USER>\5320
- C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
- C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c8786.timestamp
- C:\Users\user\AppData\Local\Temp\hsperfdata_user
- C:\Users\user\AppData\Local\Temp\hsperfdata_user\6820
- /tmp/hsperfdata_root/3593
Files this sample writes at runtime
This file drops 9 children at runtime. None are currently flagged malicious in our cache.
- e62985d777e884110d6d…83830cNever scannednever seen before
- b4c7432e9c77e74232cd…86d63aNever scannednever seen before
- fb8ca83a9e7b787c90e3…6126b0Never scannednever seen before
- b468bf508c1b034631c5…457d6eNever scannednever seen before
- d87c5f3cdfb5b7c0510e…1ade9eNever scannednever seen before
- 61625fd8b084f70f242d…55abd2Never scannednever seen before
- 50c82f36208ed8040447…2d7843Never scannednever seen before
- 8e8711854186c68e2368…4a3c7cNever scannednever seen before
- 759aafcfa2395ce1b800…2af0f7Never scannednever seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\<USER>\Desktop\download.jar"Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence162.159.36.2
0 detections across 74 engines
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name
- BK-Client2.4.jar
- Size
- 27.18 MB
- MIME type
- (unknown)
- Detected type
- JAR
- SHA-256
- 65dfc6f67a3c38ad81a8050ed5e0107babeb645e77e508e209efb19555b5733e
- MD5
- c98023c17e387d6a78599cc7583161da
- SHA-1
- d59b85996038976f59c2cf98bc5e5d6d9b05e935
- First seen (VT)
- 7/6/2026, 3:17:18 PM
- Last analysis (VT)
- 7/6/2026, 3:17:18 PM
- First scan (MalwareTips)
- 7/9/2026, 7:41:54 AM
- Last scan (MalwareTips)
- 7/9/2026, 7:41:54 AM
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.