MalwareTips
File verdict·Decided by the MT AI Engine
Our call

Malicious

Softonic-signed installer masquerading as Cubase; OfferCore adware family confirmed by 5 tier-1 engines; signer has 100% malicious history.

OfferCoreVerified · SOFTONIC INTERNATIONAL SA
Trust score18High risk
MT AI confidence · 92%
cubase-14.0.40-installer.exe
2.0 MB
77be81cb3805c7f4f77e753880e4
Antivirus engines
12 of 75 flagged
Code signing
Signed by SOFTONIC INTERNATIONAL SA
Age
First-seen today
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

92%Confidence
Very high
Reasoning

The evidence converges on a malicious bundler/downloader. Softonic's signer certificate carries a 100% malicious rate (0/2 safe, 2/2 malicious) in our historical database. Five tier-1 engines (ESET, Microsoft, DrWeb, Kaspersky, Symantec) flag the sample, with ESET and Microsoft explicitly naming OfferCore, a known PUA family. Our RAG system shows 2 prior verdicts of 'malicious' on files signed by the same Softonic certificate, both identified as OfferCore. The filename masquerades as a legitimate Cubase installer, but the Softonic signature reveals this is a repackaged installer designed to bundle adware. The combination of signer history, tier-1 family consensus, and RAG corroboration strongly indicates malicious intent.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. signing.signer='SOFTONIC INTERNATIONAL SA', signerStats: 0/2 safe, 2/2 malicious (100% malicious rate, autoTrusted=false)

  2. similarHashes: 2/4 prior verdicts 'malicious' (matchKind=signer) with reason=ai:malware_family_offercore, same signer, same family

  3. tier-1 engines: DrWeb (Adware.Downware.20879), ESET (Win32/OfferCore.E PUA), Microsoft (PUADlManager:Win32/OfferCore), Kaspersky (HEUR:Downloader.Win32.Softonic.gen), Symantec (ML.Attribute.HighConfidence) — 5/5 tier-1 malicious

  4. popularThreatLabel='adware.offercore/softonic', threat family OfferCore confirmed by multiple tier-1 engines

  5. Filename claims 'cubase' (Steinberg audio software) but signed by Softonic (known bundler); brand mismatch pattern: legitimate product name + malicious signer

Points in its favour
  • File is digitally signed (verified by Authenticode)
  • No dropped malicious children detected
  • No malicious contacted hosts in our URL cache
  • No external intelligence hits (CIRCL, YARAify, MalwareBazaar all negative)
Points against
  • Signer (Softonic International SA) has 100% malicious history in our database
  • Five tier-1 antivirus engines flag as malicious; OfferCore family confirmed by ESET and Microsoft
  • Filename masquerades as legitimate Cubase installer; brand mismatch with Softonic signer
  • OfferCore is a known adware/PUA bundler family
  • Rare new file (age 0 days, 1 submission) — likely a newly repackaged variant
  • No sandbox behaviour data available, but static signer + family evidence is strong
What to do

Block and quarantine this file. Do not execute. If you need Cubase, download directly from Steinberg's official website. Softonic-signed installers are known bundlers of adware; this sample's OfferCore family identification by multiple tier-1 engines confirms malicious intent.

Threat family attribution

offercore corroborated by 2 sources

  • VT (75 engines)
    offercore
  • MT AI Engine
    OfferCore
No researcher-database hits
External threat-intel sources were not collected for this scan.
Antivirus engine breakdown

12 detections across 75 engines

12 malicious0 suspicious63 clean
Tier-117 engines
5flag
Top commercial AVs (low FP rate)
Tier-238 engines
4flag
Mainstream engines with mixed FP rates
Low-trust20 engines
3flag
Heuristic / generic-AI engines (high FP rate)
AhnLab-V3
malicious
PUP/Win.Generic.R752265
CrowdStrike
malicious
win/grayware_confidence_60% (D)
DrWeb
malicious
Adware.Downware.20879
Elastic
malicious
malicious (high confidence)
ESET-NOD32
malicious
Win32/OfferCore.E potentially unwanted application
K7AntiVirus
malicious
Unwanted-Program ( 005ce0ab1 )
K7GW
malicious
Unwanted-Program ( 005ce0ab1 )
Kaspersky
malicious
not-a-virus:HEUR:Downloader.Win32.Softonic.gen
Malwarebytes
malicious
PUP.Optional.Softonic
Microsoft
malicious
PUADlManager:Win32/OfferCore
Symantec
malicious
ML.Attribute.HighConfidence
Webroot
malicious
Win.Adware.Com
Hash 77be81cb3805… cross-referenced against 75 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

ent 8.00Unpacked
Section entropy10 sections
.text
6.39
.itext
6.04
.data
5.18
.bss
0.00
.idata
4.82
.didata
2.76
.edata
1.34
.tls
0.00
.rdata
1.38
.reloc
6.70
0.0Packed threshold 7.28.0
Prevalence

How often this file shows up in the wild

Barely seen in the wild and first surfaced recently. This is the footprint of targeted malware the AV industry hasn't signatured yet — extra scrutiny is warranted.

Rare & new
Unique uploaders
1
Very few people have ever uploaded this — rare.
Total submissions
1
Includes repeat uploads by the same source.
First seen by VT
0d ago
Jun 15, 2026
Prevalence quadrant
here
Rare · New
Targeted malware lives here
Common · New
Just-released software
Rare · Old
Niche or internal tooling
Common · Old
Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
6/15/2026, 4:23:36 AM
First seen (MalwareBazaar)
Last analysis (VT)
6/15/2026, 4:23:36 AM
Scanned here
6/15/2026, 4:24:31 AM
File name
cubase-14.0.40-installer.exe
Size
2.03 MB
MIME type
application/x-msdownload
Detected type
Win32 EXE
SHA-256
77be81cb3805c7f4f777b030160f40c7dda226f7728ed2c0ab3ec97e753880e4
MD5
21ec8bcceda551a87bb21e1055ebc651
SHA-1
39b62a30d24890b4c2cfb972c5d83cc4b9afa588
PE imphash
88016fcdef7f227c62171d0afad9aae4
First seen (VT)
6/15/2026, 4:23:36 AM
Last analysis (VT)
6/15/2026, 4:23:36 AM
First scan (MalwareTips)
6/15/2026, 4:24:31 AM
Last scan (MalwareTips)
6/15/2026, 4:24:31 AM
Code signer
SOFTONIC INTERNATIONAL SAverified
Behavior tags
peexeoverlaysigned
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…
Loading reports…
Scan another
Check a different file
URL instead?
Check if a link is safe
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.