Suspicious
Signed installer with zero AV detections but sandbox-observed AV tampering, process injection, and direct-IP C2 contact raise suspicion despite engine silence.
ac7125f354539779d4…7ec9d45116
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The evidence presents a genuine conflict. On one hand, the sandbox observed textbook malware loader behaviours: Windows Defender exclusion via hidden PowerShell with ExecutionPolicy Bypass, process injection (T1055), and direct-IP C2 contact to 54.87.55.165 without DNS queries. These are not typical of benign installers. On the other hand, 17 high-trust engines (Kaspersky, Microsoft, BitDefender, ESET, Avast, Fortinet, Ikarus, F-Secure, Emsisoft, DrWeb, GData, Avira, AVG) all returned clean verdicts, which is unusual for genuine malware 6 days post-submission. The signer is verified but has no historical samples, preventing reputation-based safe classification. The RAG shows 2/3 prior imphash matches were malicious (OfferCore family), but the third was a benign AV-on-AV false positive. Given the offensive MITRE techniques, heuristic severity, and malicious RAG precedent, but balanced against universal engine silence and legitimate-looking metadata, this warrants 'suspicious' rather than 'malicious' or 'safe'.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- 0/17 tier-1 engines flagged; 0/69 total engines malicious — but DefenderTamper + ProcessInjection + DirectIpC2 heuristics fired (high/medium severity)
- Signed by 'viginet private limited' (verified) but signerStats.found=false — no prior sample history for this signer
- behaviour.offensiveTechniques=[T1055, T1059.001, T1485, T1548, T1562.001] — process injection, hidden PowerShell with ExecutionPolicy Bypass, AV exclusion path, direct-IP C2 to 54.87.55.165
- similarHashes: 2/3 prior imphash matches verdicted 'malicious' (OfferCore family); 1/3 'safe' (AV-on-AV FP) — mixed precedent but malicious trend
- prevalence.classification=rare_new (2 submitters, 6 days); no external-intel hits (CIRCL, YARAify, MalwareBazaar)
Evidence for a benign verdict:
- All 69 antivirus engines (including 17 tier-1) returned clean verdicts
- File is legitimately signed (verified Authenticode)
- Filename and installer hint suggest a genuine application installer
- No external-intel hits (CIRCL, YARAify, MalwareBazaar)
- No malicious dropped children confirmed (10 inspected, all unanalysed)
Evidence for a malicious verdict:
- Windows Defender exclusion via hidden PowerShell with ExecutionPolicy Bypass
- Process injection (T1055) into Explorer.exe
- Direct-IP C2 contact (54.87.55.165) with zero DNS queries
- Signer 'viginet private limited' has no prior sample history
- 2/3 similar imphash samples verdicted malicious (OfferCore family)
- Rare_new prevalence (6 days old, 2 submitters)
Treat this file as suspicious and avoid execution on production systems. The sandbox-observed AV tampering, process injection, and direct-IP C2 contact are consistent with malware loader behaviour, but universal engine silence and legitimate-looking metadata create ambiguity. If you are the publisher, verify the file's authenticity and submit it to major antivirus vendors for analysis. If you downloaded it from an untrusted source, delete it immediately.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 54.87.55.165
- C:\Users\<USER>\AppData\Local\Temp\is-6PK90FLVF4.tmp\1780840486520-784110545-VigiHunt_Setup.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-2K00F48N4Z.tmp\_isetup\_setup64.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-2K00F48N4Z.tmp\_isetup\_isdecmp.dll
- C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
- C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db
- C:\Program Files\VigiHunt\is-44AU6O8USX.tmp
- C:\Program Files\VigiHunt\is-HAMWN9ZWQD.tmp
- C:\Program Files\VigiHunt\is-MCI8DOZGH7.tmp
- C:\Program Files\VigiHunt\is-70WHGD4Q8N.tmp
- C:\Program Files\VigiHunt\is-7L2MIRDYZE.tmp
- cversions.3.m
- Global\PythonTraceOutputMutex
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- 7461a15657c7516237b0…63a825: never scanned, never seen before
- cd2f60075064dfc2e65c…356b08: never scanned, never seen before
- da3f122d19f811a0ee68…fde700: never scanned, never seen before
- d73fd5078c34b3f4eb35…b90d22: never scanned, never seen before
- 96ad1146eb96877eab59…87dcf7: never scanned, never seen before
- c8ec6429d243aef1f789…676005: never scanned, never seen before
- c1fb92c780b69e2cb1f1…3b9529: never scanned, never seen before
- 81940e12ae3bc4e1caf9…358514: never scanned, never seen before
- 9cfb1d4bfba7708b2885…cfa05e: never scanned, never seen before
- 2758b9e3112a264f6da0…513d77: never scanned, never seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
Sample spawned PowerShell with a hidden window AND execution-policy bypass / inline command. Not definitive — legit Intune/SCCM scripts do this too — but combined with other signals it reinforces the loader profile.
Evidence: "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\VigiHunt'"
Sample disabled Windows Defender real-time protection or added an AV exclusion path. This is the blow-the-doors-off move malware makes right before dropping a second-stage payload.
Evidence: "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\VigiHunt'"
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: C:\Windows\Explorer.EXE
Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 54.87.55.165
0 detections across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Barely seen in the wild and first surfaced recently. This is the footprint of targeted malware the AV industry hasn't signatured yet — extra scrutiny is warranted.
Forensic fingerprint
- File name: VigiHunt_Setup.exe
- Size: 108.47 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: ac7125f354539779d447e845241bce0b816e612901260a244732ab7ec9d45116
- MD5: ad68b25a470161cf416f7cc1b5afdf98
- SHA-1: 32606da6994fe5dfc258a4f8e80fdc498c0a8484
- PE imphash: 88016fcdef7f227c62171d0afad9aae4
- First seen (VT): 6/7/2026, 10:00:52 AM
- Last analysis (VT): 6/13/2026, 5:15:04 AM
- First scan (MalwareTips): 6/13/2026, 11:00:41 AM
- Last scan (MalwareTips): 6/13/2026, 11:00:41 AM
- Code signer: viginet private limited (verified)
Reviews & malware reports (0)