File verdict · Decided by the MT AI Engine
Our call

Malicious

Unsigned ZIP posing as a Chrome installer, flagged as a Win64 trojan by 5 tier-1 engines with family consensus, plus YARA hits on anti-debug and TLS-callback traits.

Trust score 18 · High risk
MT AI confidence · 88%
x64-Chrome_Setup-886301.zip
17.7 MB
87c8bdb0e3dbddd586276454ee01
Antivirus engines
15 of 75 flagged
Code signing
Unsigned
Age
First seen 1mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

88% confidence · Very high
Reasoning

This new, unsigned ZIP mimics a Chrome installer and triggers strong signals: tier-1 engines agree on the 'Win64' tag (a platform marker rather than a named family; the vendor family names themselves differ). Kaspersky's EtwTamper detection points to Event Tracing for Windows (ETW) tampering, a telemetry-evasion technique common in trojans and loaders. YARAify's 7 rule hits reinforce malware-like static features (anti-debug API imports, TLS callbacks), although several of those rules are generic. Lack of signing, zero reputation and rare prevalence outweigh the clean reports from the other engines. No runtime data exists, so the malicious call rests on detection consensus.

Key signals · 4

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. tier1FamilyConsensus: family='win64', agreeingEngines=3, strong=true

  2. Yaraify rules: 'pe_detect_tls_callbacks', 'DebuggerCheck__API', 'golang_bin_JCorn_CSC846'

  3. ESET-NOD32: 'Win64/Agent.DML.gen trojan' (tier1), Kaspersky: 'UDS:Trojan.Win32.EtwTamper.ajb' (tier1)

  4. unsigned, no signerStats.found, prevalence 'rare_new' (1 submitter)

Points in its favour
  • No malicious contacted hosts
  • No dropped children detected
  • 12 tier-1 engines clean (possible FP hedge)
Points against
  • 5 tier-1 malicious detections
  • Tier-1 consensus on 'win64' family
  • Yaraify 7 rule matches (evasion traits)
  • Unsigned with no publisher history
  • Rare new file (1 submission, 0 days old at scan time)
  • Fake Chrome installer filename
What to do

Quarantine and delete this file immediately; do not extract or run the archive. If it has already been run, perform a full system scan with an up-to-date engine and change critical passwords from a different device. Avoid executing untrusted installers and download Chrome only from Google's official site.

Threat family attribution

misc · corroborated by 2 sources

  • 7 YARA rules
    DebuggerCheck__API, golang_bin_JCorn_CSC846, mht_inside_word
  • VT (75 engines)
    misc
External threat intelligence

1 corroborating signal from researcher-curated sources

YARAify HIT · 7 community rules matched
  • DebuggerCheck__API
  • golang_bin_JCorn_CSC846 by Justin Cornwell
    CSC-846 Golang detection ruleset
  • mht_inside_word by dPhish
    Detect embedded MHT files inside Microsoft Word.
  • pe_detect_tls_callbacks
  • RIPEMD160_Constants by phoul (@phoul)
    Look for RIPEMD-160 constants
Cross-referenced against MalwareBazaar (abuse.ch), YARAify, and the CIRCL hashlookup reference DB.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. Note that the rules that fired here (anti-debug API imports, TLS callbacks, Go binary markers, RIPEMD-160 constants, embedded MHT in Word) describe generic static traits rather than a specific malware family; treat them as corroboration of the engine detections, not as near-definitive attribution on their own.

5 YARAify
YARAify (community)
Researcher-authored rules via abuse.ch
  • DebuggerCheck__API
  • golang_bin_JCorn_CSC846
  • mht_inside_word
  • pe_detect_tls_callbacks
  • RIPEMD160_Constants
Antivirus engine breakdown

15 detections across 75 engines

15 malicious · 0 suspicious · 60 clean
Tier-1: 17 engines, 5 flag
Top commercial AVs (low FP rate)
Tier-2: 38 engines, 6 flag
Mainstream engines with mixed FP rates
Low-trust: 20 engines, 4 flag
Heuristic / generic-AI engines (high FP rate)
Engine · verdict · signature
  • Antiy-AVL · malicious · Trojan/Win32.Kepavll
  • Avast · malicious · Win64:MalwareX-gen [Misc]
  • AVG · malicious · Win64:MalwareX-gen [Misc]
  • ClamAV · malicious · Win.Exploit.Rozena-10038302-0
  • Cynet · malicious · Malicious (score: 99)
  • DeepInstinct · malicious · MALICIOUS
  • Elastic · malicious · malicious (high confidence)
  • ESET-NOD32 · malicious · Win64/Agent.DML.gen trojan
  • Google · malicious · Detected
  • Kaspersky · malicious · UDS:Trojan.Win32.EtwTamper.ajb
  • Rising · malicious · Backdoor.Agent!8.C5D (CLOUD)
  • Sangfor · malicious · Trojan.Win32.Agent.Vsij
  • Sophos · malicious · Mal/Generic-S
  • TrellixENS · malicious · Artemis!83AC84137CE9
  • Varist · malicious · W64/ABTrojan.HXFJ-4880
Hash 87c8bdb0e3db… cross-referenced against 75 AV engines via our AV network.
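The "tier1FamilyConsensus" signal above is derived from the labels in this breakdown, and the breakdown itself shows why the agreed token is 'win64' rather than a vendor family name. The following added example (written for this page, not MalwareTips' own engine) tokenises the 15 labels listed above, folds platform aliases such as W64/Win64 together, and counts how many tier-1 engines agree on a platform tag versus a named family. The page reports that 5 tier-1 engines flagged the file but not which ones, so the TIER1 set below is an assumption chosen to match that count; the detection list is copied from the breakdown.

```python
import re

# The 15 detections listed in the engine breakdown above (engine, label).
DETECTIONS = [
    ("Antiy-AVL", "Trojan/Win32.Kepavll"),
    ("Avast", "Win64:MalwareX-gen [Misc]"),
    ("AVG", "Win64:MalwareX-gen [Misc]"),
    ("ClamAV", "Win.Exploit.Rozena-10038302-0"),
    ("Cynet", "Malicious (score: 99)"),
    ("DeepInstinct", "MALICIOUS"),
    ("Elastic", "malicious (high confidence)"),
    ("ESET-NOD32", "Win64/Agent.DML.gen trojan"),
    ("Google", "Detected"),
    ("Kaspersky", "UDS:Trojan.Win32.EtwTamper.ajb"),
    ("Rising", "Backdoor.Agent!8.C5D (CLOUD)"),
    ("Sangfor", "Trojan.Win32.Agent.Vsij"),
    ("Sophos", "Mal/Generic-S"),
    ("TrellixENS", "Artemis!83AC84137CE9"),
    ("Varist", "W64/ABTrojan.HXFJ-4880"),
]

# ASSUMPTION: the page reports 5 tier-1 flags but not which engines are tier-1;
# this set is an illustration chosen to match that count, not the site's tier table.
TIER1 = {"ESET-NOD32", "Kaspersky", "Avast", "AVG", "Sophos"}

# Label fragments that name a platform; vendor aliases are folded to one token.
PLATFORM = {"win64": "win64", "w64": "win64", "win32": "win32", "w32": "win32", "win": "win"}

# Fragments that carry no family information (type words, vendor boilerplate).
GENERIC = {
    "trojan", "backdoor", "exploit", "malicious", "detected", "malware", "malwarex",
    "mal", "generic", "gen", "agent", "uds", "cloud", "misc", "artemis",
    "score", "high", "confidence",
}


def tokens(label):
    """Split a vendor label on punctuation/whitespace into lower-case fragments."""
    return [t.lower() for t in re.split(r"[^A-Za-z0-9]+", label) if t]


def platform_of(label):
    """Normalised platform tag (win64 / win32 / win) or None."""
    for t in tokens(label):
        if t in PLATFORM:
            return PLATFORM[t]
    return None


def family_of(label):
    """First fragment that looks like a vendor family name, or None for generic labels."""
    for t in tokens(label):
        if t in PLATFORM or t in GENERIC or not t.isalpha() or len(t) < 4:
            continue
        return t
    return None


def _votes(detections, engines, key):
    """Group engines by the value key() extracts from their label."""
    votes = {}
    for engine, label in detections:
        if engines is not None and engine not in engines:
            continue
        k = key(label)
        if k:
            votes.setdefault(k, []).append(engine)
    return votes


def platform_consensus(detections, engines=None):
    """Most-agreed platform token among the chosen engines: (token, count, engines)."""
    votes = _votes(detections, engines, platform_of)
    if not votes:
        return None, 0, []
    token, who = max(votes.items(), key=lambda kv: len(kv[1]))
    return token, len(who), sorted(who)


def shared_families(detections, engines=None):
    """Vendor family names that at least two engines agree on -> {family: engines}."""
    votes = _votes(detections, engines, family_of)
    return {fam: sorted(who) for fam, who in votes.items() if len(who) >= 2}


def flag_counts(detections, tier1):
    """(tier-1 flags, other flags) for the detection list."""
    t1 = sum(1 for e, _ in detections if e in tier1)
    return t1, len(detections) - t1


if __name__ == "__main__":
    print("tier-1 platform consensus:", platform_consensus(DETECTIONS, TIER1))
    print("all-engine platform consensus:", platform_consensus(DETECTIONS))
    print("named families shared by >=2 engines:", shared_families(DETECTIONS))
    print("tier-1 / other flags:", flag_counts(DETECTIONS, TIER1))
```

With the assumed tier map, three tier-1 engines agree on 'win64' (ESET, Avast, AVG), which is the consensus the verdict cites, while no two engines share a family name (Kepavll, EtwTamper, Rozena, Vsij and ABTrojan are each named once). That is the practical reading of this page: the consensus is "several trusted engines call it a 64-bit Windows trojan", not an attribution to a known family.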
Prevalence

How often this file shows up in the wild

Barely seen in the wild and first surfaced recently. That rare-and-new footprint is typical of targeted or freshly rebuilt malware the AV industry has not yet signatured, but it is also the footprint of any newly compiled file, so treat it as a risk multiplier rather than proof on its own. Extra scrutiny is warranted.

Rare & new
Unique uploaders
1
Very few people have ever uploaded this — rare.
Total submissions
1
Includes repeat uploads by the same source.
First seen by VT
1mo ago
Apr 30, 2026
Prevalence quadrant (this file: Rare · New)
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
4/30/2026, 3:09:52 AM
First seen (MalwareBazaar)
Last analysis (VT)
4/30/2026, 3:09:52 AM
Scanned here
4/30/2026, 3:10:49 AM
File name
x64-Chrome_Setup-886301.zip
Size
17.66 MB
MIME type
application/x-zip-compressed
Detected type
ZIP
SHA-256
87c8bdb0e3dbddd58680a5e97fd15600884a3d344cac212a96229e276454ee01
MD5
dc04e47a448abad08acbefa7fce1a6aa
SHA-1
dfa45e510fa41a5cd9058c67cc44b59ef96a6d5e
First scan (MalwareTips)
4/30/2026, 3:10:50 AM
Last scan (MalwareTips)
4/30/2026, 3:10:49 AM
Behavior tags
zip · contains-pe
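The identity section above lists the archive's hashes, the ZIP detected type, the 'Unsigned' code-signing status and the contains-pe behavior tag. The following added example (written for this page, not MalwareTips' scanner) shows how a triage script reproduces those facts offline: it hashes the archive, enumerates members without extracting them, reads only the head of each member (which also bounds the damage from a zip bomb) and parses the PE header to learn the architecture, whether an Authenticode security directory is present (absence is what 'Unsigned' means for the inner executable; presence alone does not mean the signature validates) and whether a TLS directory exists, which is the trait rules such as pe_detect_tls_callbacks key on. The archive it inspects is constructed by build_sample_zip and its member names are made up; it is not the real x64-Chrome_Setup-886301.zip.

```python
import hashlib
import io
import struct
import zipfile


def file_hashes(data):
    """MD5 / SHA-1 / SHA-256 of the whole archive, the identifiers the page lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def parse_pe(head):
    """Parse DOS/COFF/optional headers from the first bytes of a file; None if not a PE.

    Only data-directory entries are read: index 4 (SECURITY) holds the Authenticode
    blob, so size 0 means no embedded signature; index 9 is the TLS directory.
    """
    try:
        if head[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        if head[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        machine = struct.unpack_from("<H", head, e_lfanew + 4)[0]
        opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", head, opt)[0]
        if magic == 0x20B:                       # PE32+
            nrva_off, dd_off = 108, 112
        elif magic == 0x10B:                     # PE32
            nrva_off, dd_off = 92, 96
        else:
            return None
        n_rva = struct.unpack_from("<I", head, opt + nrva_off)[0]

        def directory(i):
            if i >= n_rva:
                return 0, 0
            return struct.unpack_from("<II", head, opt + dd_off + 8 * i)

        _sec_off, sec_size = directory(4)
        _tls_rva, tls_size = directory(9)
    except struct.error:
        return None                              # truncated header
    return {"machine": hex(machine), "pe32plus": magic == 0x20B,
            "signed": sec_size > 0, "has_tls_dir": tls_size > 0}


def inspect_zip(zip_bytes, head_bytes=4096):
    """List members without extracting; only each member's head is decompressed."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(head_bytes)
            pe = parse_pe(head)
            report.append({"name": info.filename, "size": info.file_size,
                           "compressed": info.compress_size, "is_pe": pe is not None, "pe": pe})
    return report


def behavior_tags(report):
    """Derive tags in the style of the page ('zip', 'contains-pe') plus an unsigned-PE flag."""
    tags = ["zip"]
    if any(m["is_pe"] for m in report):
        tags.append("contains-pe")
    if any(m["is_pe"] and not m["pe"]["signed"] for m in report):
        tags.append("unsigned-pe")
    return tags


def build_pe(pe32plus=True, signed=False, tls=False):
    """CONSTRUCTED header-only PE image for the demo (no sections, not executable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew: PE signature right after DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    nrva_off, dd_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, nrva_off, 16)    # 16 data directories
    if signed:                                   # placeholder security directory (offset, size)
        struct.pack_into("<II", opt, dd_off + 8 * 4, 0x1000, 0x800)
    if tls:                                      # placeholder TLS directory (RVA, size)
        struct.pack_into("<II", opt, dd_off + 8 * 9, 0x3000, 0x28)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def build_sample_zip():
    """CONSTRUCTED archive shaped like the sample: an unsigned x64 PE with a TLS directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("x64-Chrome_Setup.exe", build_pe(pe32plus=True, signed=False, tls=True))
        zf.writestr("signed_helper.exe", build_pe(pe32plus=False, signed=True))
        zf.writestr("readme.txt", b"not a binary\n")
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_zip()
    print(file_hashes(blob))
    report = inspect_zip(blob)
    for member in report:
        print(member)
    print(behavior_tags(report))
```

Run against a real archive by replacing build_sample_zip() with the file's bytes. A genuine Chrome installer's inner executable would report signed=True; a verdict of Unsigned on the page means there is no Authenticode blob at all, which no legitimate Google release ships without.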
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.