File verdict · Decided by the MT AI Engine
Our call

Suspicious

Unsigned binary with zero engine detections but direct-IP C2 heuristic fired; IPs are Microsoft Azure ranges, suggesting legitimate telemetry rather than malware.

Trust score 52 · Caution
MT AI confidence · 62%
primal-light.exe
35.1 MB
7a17425bb9911f2b9c…e75908eb01
Antivirus engines
0 of 76 flagged
Code signing
Unsigned
Age
First seen 4y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

62% Confidence
Moderate
Reasoning

This file presents a conflict between engine consensus and a single heuristic signal. Zero detections across 72 reporting engines (including 17 tier-1 vendors) is a strong benign indicator, especially for a file submitted 13 times over 1499 days. The direct-IP C2 heuristic fired because the sample contacted external IPs without DNS queries — a valid malware pattern in principle. However, the IPs (20.99.132.105, 23.216.147.64, 20.80.129.13, 131.253.33.203) are Microsoft Azure infrastructure, not typical attacker C2 servers. No sandbox malicious verdict, no dropped malicious children, no malicious host contacts, and no external researcher corroboration (CIRCL, MalwareBazaar, YARAify all negative) further support a benign classification. The unsigned status and lack of signer history are neutral given the file's age and prevalence.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines: 0/72 malicious (tier1Malicious=0, tier1FamilyConsensus.strong=false) — universal engine silence across tier-1, tier-2, and low-trust tiers

  2. signing.verified=false, unsigned, no signer history — but file age 1499 days and medium prevalence (10 submitters) suggest established commodity software

  3. triggeredHeuristics: MalwareTips.Synth.DirectIpC2 fired (medium severity) — contacted 4 IPs (20.99.132.105, 23.216.147.64, 20.80.129.13, 131.253.33.203) with zero domains

  4. behaviour.offensiveCount=0, no MITRE techniques exclusive to malware; ambient techniques (T1027, T1071, T1082, T1574.002) are benign-common

  5. behaviour.hasMaliciousSandboxVerdict=false, droppedChildren=null, contactedHosts=null, externalIntel all negative (CIRCL, MalwareBazaar, YARAify no hits)

Points in its favour
  • Zero detections across 76 antivirus engines (tier1Malicious=0)
  • No tier-1 family consensus on any malware
  • Contacted IPs are Microsoft Azure ranges (legitimate cloud infrastructure)
  • No malicious sandbox verdict, no dropped malicious children, no malicious host contacts
  • 1499-day file age with medium prevalence (13 submissions, 10 unique sources) suggests established software
Points against
  • Direct-IP contact without DNS queries (heuristic flag: MalwareTips.Synth.DirectIpC2)
  • Unsigned binary with no signer history
  • Large file size (36 MB) with high-entropy code sections
  • Ambient MITRE techniques present (T1027, T1071, T1082, T1574.002)
What to do

This file is likely benign or a false positive on the direct-IP heuristic. The universal engine silence and Microsoft Azure IP contact pattern are inconsistent with known malware. If you recognize the application, verify its source and publisher; if uncertain, monitor execution in an isolated environment before deployment.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
5

Adversary techniques mapped to the MITRE ATT&CK framework.

T1027, T1027.002, T1071, T1082, T1574.002
Spawned processes
3
  • $(unnamed): %SAMPLEPATH%\square_journey.exe
  • $(unnamed): C:\Windows\System32\wuapihost.exe
  • $(unnamed): %SAMPLEPATH%\7a17425bb9911f2b9c580d6889e81eb2f9dce03042700cbb2a92e3e75908eb01.exe
Network activity
4
IP addresses (4)
  • 20.99.132.105
  • 23.216.147.64
  • 20.80.129.13
  • 131.253.33.203
Filesystem & mutexes
15
Files deleted (15)
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C5C.tmp.WERInternalMetadata.xml
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D08.tmp.csv
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D38.tmp.txt
  • C:\Windows\System32\spp\store\2.0\cache\cache.dat
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER3053.tmp.WERInternalMetadata.xml
+10 more
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.

1 synthesis
MITRE ATT&CK profile
C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • DirectIpC2 · medium

    Sample contacted 4 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    20.99.132.105 · 23.216.147.64 · 20.80.129.13
Antivirus engine breakdown

0 detections across 76 engines

0 malicious · 0 suspicious · 76 clean
Tier-1: 17 engines
0 flagged
Top commercial AVs (low FP rate)
Tier-2: 38 engines
0 flagged
Mainstream engines with mixed FP rates
Low-trust: 21 engines
0 flagged
Heuristic / generic-AI engines (high FP rate)
All 76 engines report this file as clean.
Hash 7a17425bb991… cross-referenced against 76 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked
Section entropy (8 sections)
  • .text: 6.49
  • .rdata: 6.26
  • .data: 4.71
  • .pdata: 6.77
  • _RDATA: 2.92
  • pck: 0.00
  • .rsrc: 4.04
  • .reloc: 5.48
Entropy scale 0.0 to 8.0; packed threshold 7.2
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
10
Moderate upload volume.
Total submissions
13
Includes repeat uploads by the same source.
First seen by VT
4y ago
May 20, 2022
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
5/20/2022, 12:20:27 PM
First seen (MalwareBazaar)
Last analysis (VT)
10/5/2025, 2:25:07 PM
Scanned here
6/27/2026, 3:33:56 PM
File name
primal-light.exe
Size
35.05 MB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
7a17425bb9911f2b9c580d6889e81eb2f9dce03042700cbb2a92e3e75908eb01
MD5
9331aa21548c8ac89161f21ec17acb46
SHA-1
5336f9346d295d2194af6d2dd126368bcf31e83f
PE imphash
5e6bacfbb04af5bbb7584ee45b1b436b
First scan (MalwareTips)
6/27/2026, 3:33:56 PM
Last scan (MalwareTips)
6/27/2026, 3:33:56 PM
Behavior tags
peexe, 64bits, assembly
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.