Suspicious
Installer exhibits offensive MITRE techniques (process injection, LSASS access, direct-IP C2) but lacks tier-1 family consensus; signer unverified.
8680fac1ecd0b0ce58…206f7a7e26
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The evidence presents a mixed picture. On one hand, Sophos (tier-1) flagged the sample as 'Generic ML PUA', and the sandbox observed offensive behaviour: process injection (T1055), a technique the sandbox labelled process hollowing but reported under T1134 (in ATT&CK, T1134 is Access Token Manipulation and process hollowing is sub-technique T1055.012, so the ID and the label disagree), data destruction (T1485), LSASS access (credential-dumper pattern), and direct-IP contact with 162.159.36.2 with no preceding DNS query. Taken at face value these are coherent malware indicators. On the other hand, the signer 'EbonholdLauncher' has no historical track record, the Sophos label is a machine-learning PUA heuristic rather than a named family, and 16 other tier-1 engines are silent. The file is an NSIS installer with rapid distribution (common_new, 122 submitters), consistent with either newly released legitimate software or an active campaign. The dropped children (10 inspected) have not yet been verdicted, so we cannot confirm whether they are malicious. The direct-IP contact is suspicious but not confirmed malicious in our URL cache; note also that 162.159.0.0/16 is Cloudflare address space, and a client that talks to a Cloudflare resolver or DoH endpoint directly produces exactly this no-DNS pattern, so the ASN and the service behind the address should be checked before it is called C2.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
Sophos (tier1) flagged 'Generic ML PUA (PUA)', a machine-learning potentially-unwanted-application verdict rather than a malware family; 1/71 engines flagged the file; tier1FamilyConsensus.strong=false (no family agreement among tier-1 engines)
behaviour.offensiveTechniques: T1055 (process injection), T1134 (reported by the sandbox as process hollowing; in ATT&CK T1134 is Access Token Manipulation and process hollowing is T1055.012), T1485 (data destruction): three offensive MITRE technique IDs observed in sandbox
triggeredHeuristics: MalwareTips.Synth.CredentialDumper (medium severity) — LSASS access observed; MalwareTips.Synth.DirectIpC2 (medium severity) — contacted 162.159.36.2 with zero DNS queries
yaraify.ruleCount=2: community YARA rules matched (Detect_NSIS_Nullsoft_Installer, PE_Digital_Certificate). Both are generic format detectors: the first matches any NSIS installer, the second any PE carrying a digital certificate. They show the sample has been submitted to YARAify, not that a researcher flagged it as malicious.
signing.signerStats.found=false — signer 'EbonholdLauncher' has no historical track record; trustedPublisher.matched=false
- 16 tier-1 antivirus engines reported the sample clean
- No malicious dropped children confirmed (10 inspected, 0 verdicted malicious)
- No malicious contacted hosts in our URL cache
- High prevalence (122 submitters, 125 submissions) suggests legitimate software or active campaign, not targeted malware
- NSIS installer format is common for legitimate software distribution
- Process injection (T1055) observed in sandbox, with C:\Windows\Explorer.EXE as the recorded target. Real injection smuggles a payload into a trusted process to bypass AV hooks; the page does not record the API call (WriteProcessMemory, CreateRemoteThread, QueueUserAPC), which is what separates real injection from an installer's ordinary interaction with the shell, so ask for it before weighting this.
- LSASS access (credential-dumper pattern): a handle to lsass.exe with PROCESS_VM_READ is what a credential dumper needs, and legitimate software has no reason to read LSASS memory. A query-only handle obtained while enumerating running processes is common in installers and is the usual reason this heuristic fires; the access mask is not shown here and should be checked.
- Direct-IP contact (162.159.36.2) without DNS queries: if this is C2 it bypasses reputation-based domain blocklists. The address sits in Cloudflare's 162.159.0.0/16 range, so confirm what service answers there before treating it as C2.
- Signer 'EbonholdLauncher' unverified (signature invalid) with no historical track record
- Data destruction technique (T1485) reported, consistent with ransomware or wiper malware if the destroyed data is the user's. No evidence entry for it appears below, and NSIS installers delete their own %TEMP%\ns*.tmp plugin directory on exit, which is a common trigger for file-deletion heuristics; check which paths were deleted.
- Community YARA rules matched (2 rules): both are generic NSIS/certificate format detectors, not family signatures, so this carries little weight either way.
Do not execute this file on production systems. Isolate and monitor any system that has run it. Await the verdicts on the dropped children and IP reputation confirmation before making a final security decision. If you are the publisher, verify the signer certificate chain and consider re-signing with a trusted publisher identity: a code-signing certificate chaining to a CA Windows trusts, with a timestamp countersignature so the signature outlives the certificate.
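Before acting on this verdict, confirm that the file in hand is the analysed sample and look at why Windows calls the signature invalid. The following is an added example, not code from MalwareTips or from the publisher; `$Path` is an assumed location, and the expected SHA-256 is the one from the forensic fingerprint section of this page.

```powershell
# Added example: identity check plus Authenticode chain inspection for the sample.
# $Path is an assumption; point it at the downloaded installer.
$Path     = 'C:\samples\ebonhold_1.0.5_x64-setup.exe'
$Expected = '8680fac1ecd0b0ce58e99dcbe5c9764c8842bf69af75cfb9699399206f7a7e26'

# 1. Make sure this is the same bytes the page verdicts.
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
if ($hash -ne $Expected) {
    throw "Hash mismatch: $hash is not the analysed sample"
}

# 2. Read the embedded signature. Status values: Valid, NotSigned,
#    HashMismatch (file altered after signing), NotTrusted / UnknownError
#    (signature intact but the chain does not end at a trusted root).
$sig = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    Status        = $sig.Status
    StatusMessage = $sig.StatusMessage
    Subject       = $sig.SignerCertificate.Subject
    Issuer        = $sig.SignerCertificate.Issuer
    SelfSigned    = ($sig.SignerCertificate.Subject -eq $sig.SignerCertificate.Issuer)
    Thumbprint    = $sig.SignerCertificate.Thumbprint
    NotAfter      = $sig.SignerCertificate.NotAfter
    Timestamped   = [bool]$sig.TimeStamperCertificate
}

# 3. Build the chain yourself to see exactly which link fails.
if ($sig.SignerCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $null = $chain.Build($sig.SignerCertificate)
    foreach ($s in $chain.ChainStatus) { '{0}: {1}' -f $s.Status, $s.StatusInformation.Trim() }
    foreach ($e in $chain.ChainElements) { $e.Certificate.Subject }
}
```

A self-signed subject (Subject equal to Issuer) with a NotTrusted or UnknownError status is the common meaning of "invalid" on an independent developer's installer and says nothing by itself about intent; a HashMismatch means the file was modified after it was signed and should be treated as tampered.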
NSIS Nullsoft Installer, corroborated by 1 source
- 2 YARA rules: Detect_NSIS_Nullsoft_Installer, PE_Digital_Certificate
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework. The techniques themselves (T1055, LSASS access, direct-IP contact) are listed with their evidence further down; the artifacts the sandbox recorded are:
Contacted IP
- 162.159.36.2
Files touched (the ns*.tmp entries are NSIS's own temp files and plugin directory; System.dll, nsDialogs.dll and modern-wizard.bmp ship with NSIS, and nsis_tauri_utils.dll is the NSIS plugin bundled by Tauri, so the installed application is a Tauri app; the KnownGameList.* files are Windows Game Bar / GameDVR caches written by Windows when a launched executable is evaluated as a game, an inference from the path rather than something the trace confirms)
- C:\Users\<USER>\AppData\Local\Temp\nssC66D.tmp
- C:\Users\<USER>\AppData\Local\Temp\nssC66E.tmp\System.dll
- C:\Users\<USER>\AppData\Local\Temp\nssC66E.tmp\modern-wizard.bmp
- C:\Users\<USER>\AppData\Local\Temp\nssC66E.tmp\nsDialogs.dll
- C:\Users\<USER>\AppData\Local\Temp\nssC66E.tmp\nsis_tauri_utils.dll
- C:\Users\<USER>\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache\KnownGameList.bin
- C:\Users\<USER>\AppData\Local\Microsoft\GameDVR\KnownGameList.update
- C:\Users\<USER>\AppData\Local\Temp\nsqD284.tmp
- C:\Users\<USER>\AppData\Local\Temp\nsvD2F3.tmp
- C:\Users\user\AppData\Local\Temp\nsn4DDF.tmp
Named objects (mutexes)
- cversions.3.m
- Global\OneSettingQueryMutex+compat+encapsulation
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- e153bf80f73051aae8f0…f78258 (never scanned, never seen before)
- 6a32397b51babc7673c3…bfe955 (never scanned, never seen before)
- f942c40a34155aa4ead3…6bc2c5 (never scanned, never seen before)
- aade2b63fc1e6cccdf2f…15cd88 (never scanned, never seen before)
- b1350f487692057c8ffd…551fc0 (never scanned, never seen before)
- 3860bb6d19ed159f91e0…7ec35a (never scanned, never seen before)
- 9baee42d66f715bba878…b40256 (never scanned, never seen before)
- 807590c24c354a943b8b…1eca52 (never scanned, never seen before)
- 8fc936ee48511dc4170d…1516e2 (never scanned, never seen before)
- 8b4c47c4cf5e76ec57dd…90d37c (never scanned, never seen before)
1 corroborating signal from researcher-curated sources
- Detect_NSIS_Nullsoft_Installer, by Obscurity Labs LLC: detects NSIS installers by .ndata section + NSIS header string
- PE_Digital_Certificate, by albertzsigovits
YARA + heuristic rules that fired
Researcher-curated or high-severity heuristic rules matched this sample. Such rules are near-definitive when they target a specific malware family; the two that fired here are generic format detectors (any NSIS installer, any PE carrying a certificate) and identify the file type, not a family.
- Detect_NSIS_Nullsoft_Installer
- PE_Digital_Certificate
- MITRE T1055 (Process Injection) observed; CreateRemoteThread, APC and reflective-DLL injection are the usual forms. Real injection smuggles a payload into a legitimate process to bypass AV hooks; the trace does not record which call was used here.
  Evidence: C:\Windows\Explorer.EXE
- Sandbox observed process activity targeting LSASS (Windows credential store). Reading LSASS memory is Mimikatz-shape behaviour and legitimate software has no reason to do it; a query-only handle taken during process enumeration is the benign case, and the access mask on the handle is what distinguishes the two.
  Evidence: C:\Windows\system32\lsass.exe
- Sample contacted 1 external IP address and zero domains. Benign software virtually always resolves a name first; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and domain-based blocklists. The exception is a client that talks directly to a resolver or DoH endpoint, and 162.159.36.2 is in Cloudflare's address space, so confirm the service answering there before treating it as C2.
  Evidence: 162.159.36.2
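The two medium-severity heuristics above (CredentialDumper and DirectIpC2) re-implemented over a constructed sandbox trace, as an added example that is not MalwareTips engine code. It adds the two checks that separate a real hit from the common false positive: the access mask on the LSASS handle, and whether the contacted address ever appeared in a DNS answer during the run. The line format, the GrantedAccess values, the source image names and the exempt list are assumptions made for illustration; the access-right constants are from winnt.h.

```python
"""Re-check of the CredentialDumper and DirectIpC2 heuristics over a
constructed sandbox trace. Added example; not MalwareTips code. The line
format, GrantedAccess values and exempt list are assumptions."""
import re
from ipaddress import ip_address

# Process access rights from winnt.h
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
SYNCHRONIZE = 0x00100000
QUERY_ONLY = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION | SYNCHRONIZE

# Constructed trace: an installer-style LSASS query, a dumper-style LSASS
# read, a full-access handle to explorer, one DNS-resolved connection, one
# unresolved public IP (the page's address) and one private IP.
CONSTRUCTED_EVENTS = r"""
ProcessAccess SourceImage=C:\Temp\installer.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1000
ProcessAccess SourceImage=C:\Temp\dumper.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1010
ProcessAccess SourceImage=C:\Temp\installer.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1fffff
DnsQuery QueryName=example.com Answers=93.184.216.34
NetworkConnect DestinationIp=93.184.216.34
NetworkConnect DestinationIp=162.159.36.2
NetworkConnect DestinationIp=10.0.0.5
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn 'EventType key=value ...' lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        kind, _, rest = line.partition(" ")
        ev = {"type": kind}
        ev.update(_KV.findall(rest))
        events.append(ev)
    return events


def classify_lsass_access(granted):
    """Rate an lsass.exe handle by its access mask. PROCESS_VM_READ is what a
    credential dumper needs (PROCESS_ALL_ACCESS includes it); a mask made only
    of query/synchronize bits is the shape of ordinary process enumeration."""
    if granted & PROCESS_VM_READ:
        return "memory-read"
    if granted & ~QUERY_ONLY == 0:
        return "query-only"
    return "other"


def lsass_findings(events):
    """(source image, rating) for every ProcessAccess aimed at lsass.exe."""
    out = []
    for ev in events:
        if ev["type"] == "ProcessAccess" and ev["TargetImage"].lower().endswith("\\lsass.exe"):
            out.append((ev["SourceImage"], classify_lsass_access(int(ev["GrantedAccess"], 16))))
    return out


def direct_ip_findings(events, exempt=frozenset()):
    """Connections to public IPs that no DNS answer in the trace returned.
    `exempt` holds addresses already known to be resolvers or CDN endpoints;
    they are still reported, just rated separately, so nothing is hidden."""
    resolved = set()
    for ev in events:
        if ev["type"] == "DnsQuery":
            resolved.update(ev["Answers"].split(","))
    out = []
    for ev in events:
        if ev["type"] != "NetworkConnect":
            continue
        ip = ev["DestinationIp"]
        if ip in resolved or not ip_address(ip).is_global:
            continue
        out.append((ip, "exempt" if ip in exempt else "direct-ip-no-dns"))
    return out


if __name__ == "__main__":
    evs = parse_events(CONSTRUCTED_EVENTS)
    print(lsass_findings(evs))
    print(direct_ip_findings(evs, exempt={"162.159.36.2"}))
```

On the constructed trace the installer's 0x1000 handle rates as query-only while the 0x1010 handle rates as memory-read, and 162.159.36.2 is the only direct-IP finding; it stays in the output whether or not it is on the exempt list, which is the point: the exemption changes the rating, not the visibility.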
1 detection across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Lots of people are uploading this but it's recent — typical of newly-released legitimate software. Low prior for malware.
Forensic fingerprint
- File name
- ebonhold_1.0.5_x64-setup.exe
- Size
- 10.22 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 8680fac1ecd0b0ce58e99dcbe5c9764c8842bf69af75cfb9699399206f7a7e26
- MD5
- 26687c80e4da79b8b83d596ebbe19a20
- SHA-1
- 6a908e0f26bb15e54907eb161efa0c5b1c1d8533
- PE imphash
- 46ce5c12b293febbeb513b196aa7f843
- First seen (VT)
- 6/19/2026, 12:33:25 PM
- Last analysis (VT)
- 6/25/2026, 2:53:34 PM
- First scan (MalwareTips)
- 6/25/2026, 3:55:08 PM
- Last scan (MalwareTips)
- 6/25/2026, 3:55:08 PM
- Code signer
- EbonholdLauncher (signature invalid)
Reviews & malware reports (0)