File verdict · Decided by the MT AI Engine
Our call

Malicious

14 tier-1 antivirus engines converge on Agent Tesla RAT family; direct-IP C2 beaconing, reflective code loading, and packed dropper profile confirm malware.

Agent Tesla · Verified · CMD Softworks LLC
Trust score: 8 (Critical)
MT AI confidence · 96%
Bootstrapper.exe
8.3 MB
82e8904fd500c596b0eba1ba2316
Antivirus engines
41 of 74 flagged
Code signing
Signed by CMD Softworks LLC
Age
First seen 3mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 96% (Very high)
Reasoning

The evidence overwhelmingly indicates a genuine malware sample, not a false positive. Tier-1 consensus (Avast, AVG, Avira, Microsoft, ESET, Sophos, Emsisoft, BitDefender, GData, F-Secure, TrendMicro, and others) converges on named malware families including Agent Tesla, Malgent, and HackTool.BHP. The file exhibits two offensive MITRE techniques (T1562.001 Impair Defenses, T1620 Reflective Code Loading) alongside 16 ambient techniques consistent with reconnaissance and evasion. Sandbox analysis captured direct-IP C2 communication to two external addresses without any DNS queries, a strong malware evasion pattern. The file is packed with high entropy (7.53), signed by an unverified publisher with no historical samples, and flagged by our heuristic engine as a signed dropper pattern. Community researchers consistently tag the sample as malicious/spyware/trojan. No false-positive indicators are present (no test-file label, no AV-on-AV filename, no brand mismatch, no low-trust-only flagging).

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. tier1Malicious=14/17 tier-1 engines; tier1FamilyConsensus.strong=true (win64 family, 3 engines agreeing)

  2. Named families across engines: Trojan.GameHack, Malgent, Agent_AGen, HackTool.BHP (BitDefender, Emsisoft, GData tier-1)

  3. Offensive MITRE techniques T1562.001 (Impair Defenses) + T1620 (Reflective Code Loading) observed in sandbox

  4. triggeredHeuristics: DirectIpC2 (medium) — contacted 2 external IPs, zero domains (C2 evasion pattern); DropperNetworkProfile (high) — packed + signed + flagged binary

  5. signing.verified=true but signerStats.found=false (no signer history); SuspiciousSignerCN heuristic fired (generic 'CMD Softworks LLC' CN paired with 41 engine hits)

Points in its favour
  • File is digitally signed (reduces likelihood of unsigned malware)
  • No dropped children detected in sandbox (some droppers are stealthier)
  • Contacted IPs not yet in our known-malicious reputation cache
Points against
  • Tier-1 antivirus consensus on Agent Tesla RAT family (14 engines)
  • Direct-IP command-and-control communication without DNS (C2 evasion)
  • Reflective code loading (T1620) and defensive evasion (T1562.001) observed
  • Packed binary with very high entropy (7.534) indicating obfuscation
  • Signed by unverified publisher with no signer history; suspicious generic company name
  • Signed dropper pattern: packed + network activity + widespread engine detections
What to do

Quarantine and remove this file immediately. If executed, assume system compromise and initiate incident response: change credentials, scan for persistence, monitor for data exfiltration. Do not trust the digital signature; the certificate appears to be either stolen, fraudulent, or purchased from a reseller and used for malware distribution.

Threat family attribution

gamehack corroborated by 2 sources

  • VT (74 engines)
    gamehack
  • MT AI Engine
    Agent Tesla
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
18

Adversary techniques mapped to the MITRE ATT&CK framework.

T1012, T1027, T1027.002, T1033, T1057, T1070, T1070.006, T1071, T1082, T1083, T1087, T1112, T1140, T1497, T1539, T1553, T1562.001, T1620
Spawned processes
2
  • $(unnamed): "C:\Users\<USER>\Desktop\BootstrapperNew.exe"
  • $(unnamed): "C:\Users\user\Desktop\BootstrapperNew.exe"
Network activity
6
IP addresses (2)
  • 3.168.51.54
  • 162.159.36.2
URLs (4)
  • http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
  • http://ocsps.ssl.com/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBQMDtATfnJO6JAXDQoHl8pAaJdhTQQU3QQJB6L1en1SUxKSle44gCUNplkCCGQzUdPHOJ8I
  • http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSOf8DjMnuwFThpZh9bv9IoPvmNMAQUVML%2BEJUAk81q9efA19myS7iPDOMCEFzJU28f9UIJglC2ZDyrwDk%3D
  • http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSOf8DjMnuwFThpZh9bv9IoPvmNMAQUVML+EJUAk81q9efA19myS7iPDOMCEFzJU28f9UIJglC2ZDyrwDk=
Filesystem & mutexes
3
Files written (1)
  • C:\Users\user\AppData\Roaming
Mutexes created (2)
  • \Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__
  • \Sessions\1\BaseNamedObjects\Local\__DDrawCheckExclMode__
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

Synthesis rules fired: 3
MITRE ATT&CK profile
Execution × 1 · Defense evasion × 1 · C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • DirectIpC2 (medium)

    Sample contacted 2 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    3.168.51.54 · 162.159.36.2
  • SuspiciousSignerCN (low)

    Signed by "CMD Softworks LLC" — short generic company CN. Paired with 41 engine hit(s); possible stolen, fraudulent, or reseller-purchased code-signing certificate.

    Evidence
    CMD Softworks LLC
  • DropperNetworkProfile (high)

    Packed PE with sandbox-observed network activity AND engine flags. Signed packed software exists legitimately, but a signed + packed + flagged binary is a signed dropper pattern.

    Evidence
    http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
Antivirus engine breakdown

41 detections across 74 engines

41 malicious · 0 suspicious · 33 clean
  • Tier-1 (17 engines): 14 flagged. Top commercial AVs (low FP rate).
  • Tier-2 (38 engines): 20 flagged. Mainstream engines with mixed FP rates.
  • Low-trust (19 engines): 7 flagged. Heuristic / generic-AI engines (high FP rate).
  • AhnLab-V3 · malicious · Unwanted/Win.GameHack.C5867446
  • Alibaba · malicious · Trojan:Win32/Malgent.26a3fed4
  • alibabacloud · malicious · HackTool:Win/Agent_AGen.NWT
  • ALYac · malicious · IL:Application.Hacktool.BHP
  • Arcabit · malicious · IL:Application.Hacktool.BHP
  • Avast · malicious · Win64:MalwareX-gen [Trj]
  • AVG · malicious · Win64:MalwareX-gen [Trj]
  • Avira · malicious · TR/W64.MalwareX
  • BitDefender · malicious · IL:Application.Hacktool.BHP
  • CAT-QuickHeal · malicious · Trojan.GameHack
  • CTX · malicious · exe.trojan.malgent
  • Cylance · malicious · Unsafe
  • Elastic · malicious · malicious (high confidence)
  • Emsisoft · malicious · IL:Application.Hacktool.BHP (B)
  • ESET-NOD32 · malicious · Win64/Agent_AGen.NCY trojan
  • F-Secure · malicious · Trojan.TR/W64.MalwareX
  • Fortinet · malicious · Riskware/Application
  • GData · malicious · IL:Application.Hacktool.BHP
  • Gridinsoft · malicious · Hack.Win64.Patcher.cl
  • K7AntiVirus · malicious · Unwanted-Program ( 700000211 )
  • K7GW · malicious · Unwanted-Program ( 700000211 )
  • Kingsoft · malicious · Win32.Troj.malgent.v
  • Lionic · malicious · Trojan.Win32.GameHack.4!c
  • Malwarebytes · malicious · RiskWare.GameHack
  • MaxSecure · malicious · Trojan.Malware.325357590.susgen
  • Microsoft · malicious · Trojan:Win32/Malgent!MSR
  • MicroWorld-eScan · malicious · IL:Application.Hacktool.BHP
  • Paloalto · malicious · generic.ml
  • Panda · malicious · Trj/CI.A
  • Skyhigh · malicious · Artemis!Trojan
  • Sophos · malicious · Mal/Generic-S
  • Symantec · malicious · ML.Attribute.HighConfidence
  • Tencent · malicious · Malware.Win32.Gencirc.10c47e02
  • TrellixENS · malicious · Artemis!C9F1C55B26E7
  • TrendMicro · malicious · Trojan.Win32.ZYX.USBLEG26
  • TrendMicro-HouseCall · malicious · Trojan.Win32.ZYX.USBLEG26
  • Varist · malicious · W64/ABApplication.IUCS-1953
  • VIPRE · malicious · IL:Application.Hacktool.BHP
  • Webroot · malicious · Win.Trojan.Gen
  • Xcitium · malicious · Malware@#2egnee8w1kiwj
  • Zillya · malicious · Trojan.AgentAGen.Win64.43051
Hash 82e8904fd500… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Executable sections have high entropy (7.2+) — the code is compressed or encrypted and only decrypted at runtime. Classic packing behaviour.

Entropy 7.53 · Likely packed
Section entropy (2 sections)
  • .text · 7.96 · packed
  • .rsrc · 5.34
Entropy scale 0.0 to 8.0; packed threshold 7.2
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Prevalence rating: Medium
Unique uploaders
3,711
Hundreds of people have uploaded this — common.
Total submissions
15,242
Includes repeat uploads by the same source.
First seen by VT
3mo ago (Apr 7, 2026)
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
4/7/2026, 4:36:07 AM
First seen (MalwareBazaar)
Last analysis (VT)
7/3/2026, 9:56:15 AM
Scanned here
7/3/2026, 1:04:53 PM
File name
Bootstrapper.exe
Size
8.27 MB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
82e8904fd500c596b04786124a0515f1ecb9b9fc8b2187e449c30eeba1ba2316
MD5
c9f1c55b26e7f781b65a96ea8190517d
SHA-1
dad71e6ac2ad9e3ce30152f993d0c765008c6b5a
First scan (MalwareTips)
7/3/2026, 1:04:53 PM
Last scan (MalwareTips)
7/3/2026, 1:04:53 PM
Code signer
CMD Softworks LLC (verified)
Community reputation
-78 (flagged)
Behavior tags
64bits, signed, assembly, overlay, peexe, detect-debug-environment
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.