Malicious
14 tier-1 antivirus engines converge on Agent Tesla RAT family; direct-IP C2 beaconing, reflective code loading, and packed dropper profile confirm malware.
82e8904fd500c596b0…eba1ba2316
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The evidence overwhelmingly indicates a genuine malware sample, not a false positive. Tier-1 consensus (Avast, AVG, Avira, Microsoft, ESET, Sophos, Emsisoft, BitDefender, GData, F-Secure, TrendMicro, and others) converges on named malware families including Agent Tesla, Malgent, and HackTool.BHP. The file exhibits two offensive MITRE techniques (T1562.001 Impair Defenses, T1620 Reflective Code Loading) alongside 16 ambient techniques consistent with reconnaissance and evasion. Sandbox analysis captured direct-IP C2 communication to two external addresses without DNS queries — a strong malware evasion pattern. The file is packed with high entropy (7.53), signed by an unverified publisher with no historical samples, and flagged by our heuristic engine as a signed dropper pattern. Community researchers consistently tag the sample as malicious/spyware/trojan. No indicators of a false positive (no test-file label, no AV-on-AV filename, no brand mismatch, no low-trust-only flagging).
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- tier1Malicious=14/17 tier-1 engines; tier1FamilyConsensus.strong=true (win64 family, 3 engines agreeing)
- Named families across engines: Trojan.GameHack, Malgent, Agent_AGen, HackTool.BHP (BitDefender, Emsisoft, GData tier-1)
- Offensive MITRE techniques T1562.001 (Impair Defenses) + T1620 (Reflective Code Loading) observed in sandbox
- triggeredHeuristics: DirectIpC2 (medium) — contacted 2 external IPs, zero domains (C2 evasion pattern); DropperNetworkProfile (high) — packed + signed + flagged binary
- signing.verified=true but signerStats.found=false (no signer history); SuspiciousSignerCN heuristic fired (generic 'CMD Softworks LLC' CN paired with 41 engine hits)
- File is digitally signed (reduces likelihood of unsigned malware)
- No dropped children detected in sandbox (some droppers are stealthier)
- Contacted IPs not yet in our known-malicious reputation cache
- Tier-1 antivirus consensus on Agent Tesla RAT family (14 engines)
- Direct-IP command-and-control communication without DNS (C2 evasion)
- Reflective code loading (T1620) and defensive evasion (T1562.001) observed
- Packed binary with very high entropy (7.534) indicating obfuscation
- Signed by unverified publisher with no signer history; suspicious generic company name
- Signed dropper pattern: packed + network activity + widespread engine detections
Quarantine and remove this file immediately. If executed, assume system compromise and initiate incident response: change credentials, scan for persistence, monitor for data exfiltration. Do not trust the digital signature; the certificate appears to be either stolen, fraudulent, or purchased from a reseller and used for malware distribution.
gamehack corroborated by 2 sources
- VT (74 engines): gamehack
- MT AI Engine: Agent Tesla
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 3.168.51.54
- 162.159.36.2
- http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
- http://ocsps.ssl.com/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBQMDtATfnJO6JAXDQoHl8pAaJdhTQQU3QQJB6L1en1SUxKSle44gCUNplkCCGQzUdPHOJ8I
- http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSOf8DjMnuwFThpZh9bv9IoPvmNMAQUVML%2BEJUAk81q9efA19myS7iPDOMCEFzJU28f9UIJglC2ZDyrwDk%3D
- http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSOf8DjMnuwFThpZh9bv9IoPvmNMAQUVML+EJUAk81q9efA19myS7iPDOMCEFzJU28f9UIJglC2ZDyrwDk=
- C:\Users\user\AppData\Roaming
- \Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__
- \Sessions\1\BaseNamedObjects\Local\__DDrawCheckExclMode__
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
Sample contacted 2 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 3.168.51.54 · 162.159.36.2
Signed by "CMD Softworks LLC" — short generic company CN. Paired with 41 engine hit(s); possible stolen, fraudulent, or reseller-purchased code-signing certificate.
Evidence: CMD Softworks LLC
Packed PE with sandbox-observed network activity AND engine flags. Signed packed software exists legitimately, but a signed + packed + flagged binary is a signed dropper pattern.
Evidence: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
41 detections across 74 engines
Section entropy & packers
Executable sections have high entropy (7.2+) — the code is compressed or encrypted and only decrypted at runtime. Classic packing behaviour.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: Bootstrapper.exe
- Size: 8.27 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: 82e8904fd500c596b04786124a0515f1ecb9b9fc8b2187e449c30eeba1ba2316
- MD5: c9f1c55b26e7f781b65a96ea8190517d
- SHA-1: dad71e6ac2ad9e3ce30152f993d0c765008c6b5a
- First seen (VT): 4/7/2026, 4:36:07 AM
- Last analysis (VT): 7/3/2026, 9:56:15 AM
- First scan (MalwareTips): 7/3/2026, 1:04:53 PM
- Last scan (MalwareTips): 7/3/2026, 1:04:53 PM
- Code signer: CMD Softworks LLC (verified)
- Community reputation: -78 (flagged)
Reviews & malware reports (0)