Malicious
Five tier-1 engines identify OfferCore adware; signer-matched prior sample verdicted malicious; rare-new file with no exonerating behaviour.
72d1a1020553defb17…67102787f3The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The sample exhibits strong malicious signals across multiple detection vectors. Five tier-1 engines converge on adware/PUA classification, with Microsoft and ESET explicitly naming OfferCore, a known potentially unwanted application family. The signer-matched RAG entry (b5cea4d097ed…) was previously verdicted malicious for the same OfferCore family under the same publisher, establishing a pattern. The filename '3utools-9.06.006-installer.exe' does not correspond to Softonic's legitimate product line, suggesting repackaging or brand spoofing. The file is brand-new (0 days old, 1 submission) with no signer reputation history in our database, and no sandbox execution data or external intelligence provides exonerating evidence. While one tier-1 engine (Kaspersky) applied a testFile label, the other four tier-1 detections lack this marker, indicating genuine adware rather than test-file confusion.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
5/17 tier-1 engines malicious: DrWeb (Adware.Downware.20879), ESET (Win32/OfferCore.E PUA), Microsoft (PUADlManager:Win32/OfferCore), Kaspersky (HEUR:Downloader.Win32.Softonic.gen), Symantec (ML.Attribute.HighConfidence)
similarHashes[0]: signer-matched prior verdict 'malicious' (ai:malware_family_offercore, OfferCore, 12/75 engines) for 'SOFTONIC INTERNATIONAL SA' — same signer, same engine count, same family
Implicit brand mismatch: filename '3utools-9.06.006-installer.exe' (third-party iOS tool) signed by 'SOFTONIC INTERNATIONAL SA' (unrelated publisher); signerStats.found=false (no historical reputation)
prevalence.classification='rare_new' (1 submission, 0 days old) — brand-new file with no established signer history
No exonerating behaviour: behaviour=null, droppedChildren=null, contactedHosts=null, externalIntel all negative
- File is digitally signed (verified by Authenticode)
- No dropped malicious children detected
- No contact with known malicious hosts
- Five tier-1 antivirus engines flag as adware/PUA
- OfferCore family identified by multiple engines (Microsoft, ESET)
- Signer-matched prior sample verdicted malicious for same family
- Filename (3utools) does not match signer's known products — brand mismatch
- Rare-new file (0 days old, 1 submission) with no signer reputation history
- No sandbox execution data or external intelligence to corroborate benign behaviour
Block and quarantine this file. The convergence of tier-1 engine detections, signer-matched malicious history, and brand mismatch strongly indicate OfferCore adware. Do not execute or trust the signature alone, as the publisher's prior samples were malicious.
offercore corroborated by 2 sources
- VT (75 engines)offercore
- MT AI EngineOfferCore
12 detections across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Barely seen in the wild and first surfaced recently. This is the footprint of targeted malware the AV industry hasn't signatured yet — extra scrutiny is warranted.
Forensic fingerprint
- File name
- 3utools-9.06.006-installer.exe
- Size
- 2.03 MB
- MIME type
- application/x-msdownload
- Detected type
- Win32 EXE
- SHA-256
- 72d1a1020553defb17e87b311fab15c96076959bcce805669306cc67102787f3
- MD5
- 4898819536428897b9ef6612c7bde7af
- SHA-1
- 9122d6139cad20ae576f1aadde929d25b86ad2f7
- PE imphash
- 88016fcdef7f227c62171d0afad9aae4
- First seen (VT)
- 6/8/2026, 10:21:35 PM
- Last analysis (VT)
- 6/8/2026, 10:21:35 PM
- First scan (MalwareTips)
- 6/8/2026, 10:22:37 PM
- Last scan (MalwareTips)
- 6/8/2026, 10:22:37 PM
- Code signer
- SOFTONIC INTERNATIONAL SAverified
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.