Suspicious
Kaspersky and Symantec flagged Convagent trojan; offensive process-injection and defense-evasion techniques detected; unsigned rare-new sample.
a5abb6372a5edce786…cd63f7adb1The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
Kaspersky's explicit detection of 'VHO:Trojan.Win32.Convagent.gen' is a named-family signal from a high-trust tier-1 engine, supported by Symantec's high-confidence flag. The file exhibits offensive MITRE techniques (T1134.004 process injection, T1562.001 defense impairment) typical of remote-access trojans. The filename 'hvnc-client.exe' semantically matches HVNC (Hidden VNC) malware patterns. However, tier-1 consensus is weak (1 engine, not ≥3), and 65 of 70 engines remain silent. No sandbox execution, C2 contact, or dropped-child evidence is present. The sample is unsigned, rare, and newly submitted, limiting corroboration. The combination of tier-1 family naming, offensive techniques, and filename semantics outweighs the weak consensus and absence of runtime confirmation, but confidence remains moderate due to these gaps.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
Kaspersky (tier-1) flagged 'VHO:Trojan.Win32.Convagent.gen' — named family detection from high-trust engine
Symantec (tier-1) flagged 'ML.Attribute.HighConfidence' — tier-1 confidence signal, though generic label
Offensive MITRE techniques T1134.004 (Process Injection) + T1562.001 (Impair Defenses) — consistent with remote-access trojan behaviour
Filename 'hvnc-client.exe' + 'trojan.convagent' threat label — semantically aligned with HVNC malware family
Unsigned, rare_new (1 submission, 0 days), no signer history, no external intel corroboration — limits confidence but does not contradict malicious signals
- No sandbox malicious verdict (no runtime execution observed)
- No malicious contacted hosts or C2 beaconing detected
- No dropped children or persistence indicators
- 65 of 70 engines undetected or silent
- Tier-1 engine (Kaspersky) named Convagent trojan family
- Process injection (T1134.004) and defense-evasion (T1562.001) techniques detected
- Filename 'hvnc-client.exe' matches HVNC malware semantics
- Unsigned executable with no signer history
- Rare, newly submitted sample (0 days old, 1 submission)
Treat this file as malicious and avoid execution. If encountered in your environment, isolate the affected system and conduct forensic analysis for signs of remote-access activity or defense evasion. Monitor for similar samples with matching imphash or signer patterns.
convagent corroborated by 2 sources
- VT (75 engines)convagent
- MT AI Engineconvagent
1 contradiction resolved by the scoring engine
5 detections across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Barely seen in the wild and first surfaced recently. This is the footprint of targeted malware the AV industry hasn't signatured yet — extra scrutiny is warranted.
Forensic fingerprint
- File name
- hvnc-client.exe
- Size
- 209.0 KB
- MIME type
- application/x-msdownload
- Detected type
- Win32 EXE
- SHA-256
- a5abb6372a5edce78634d91c1e02aa1ac1823fccac7bfab9ad8663cd63f7adb1
- MD5
- f250429bf730ba95bf32ff6ebd862304
- SHA-1
- 6d36cbd9565fd9396b74d14f81f29d2d20a77972
- PE imphash
- 77d785ac2f5d2c71fd2188ccec27c59a
- First seen (VT)
- 6/12/2026, 3:57:13 PM
- Last analysis (VT)
- 6/12/2026, 3:57:13 PM
- First scan (MalwareTips)
- 6/12/2026, 3:58:26 PM
- Last scan (MalwareTips)
- 6/12/2026, 3:59:13 PM
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.