Suspicious
Single tier-2 generic detection plus direct-IP contact without domains creates moderate suspicion for this unsigned rare executable.
b3b424ab934451178e…5be8095e2a
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
Our analysis weighs the single tehtris Generic.Malware flag against the complete absence of tier-1 detections and the clean sandbox outcome. The direct-IP C2 heuristic is a legitimate red flag because benign software almost always resolves domains, yet it remains a single medium-severity rule without supporting malicious behaviour or dropped payloads. Unsigned status and rare_old prevalence add uncertainty but do not rise to malicious on their own. Similar-hash RAG returned no prior verdicts, leaving the mixed signals unresolved.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines.topDetections[0]: tehtris tier2 Generic.Malware
triggeredHeuristics[0]: MalwareTips.Synth.DirectIpC2 fired true with evidence 23.216.81.152 · 52.154.209.174
behaviour.contactedIps: 2 external IPs and 0 domains
signing.signed: false; prevalence.classification: rare_old
- Zero tier-1 malicious detections
- Clean sandbox verdicts
- No malicious dropped children
- No external intelligence hits
- Direct external IP contact without domains
- Single AV detection (tehtris Generic.Malware)
- Unsigned executable
- Rare_old prevalence (3 submitters)
Exercise caution and avoid execution on production systems; re-evaluate with additional context or updated scans.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 192.168.0.17
- 23.216.81.152
- 52.154.209.174
- C:\Users\<USER>\Desktop\log.txt
- C:\Users\<USER>\Desktop\config.cfg
- ./log.txt
- ./config.cfg
- C:\Users\<USER>\Downloads\log.txt
Files this sample writes at runtime
This file drops 3 children at runtime. None are currently flagged malicious in our cache.
- e3b0c44298fc1c149afb…52b855 · Never scanned · never seen before
- 802449f39a2b6f572004…8c195a · Never scanned · never seen before
- dfd4e8d7e69a3bbbd651…ca6bdb · Never scanned · never seen before
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 2 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 23.216.81.152 · 52.154.209.174
1 detection across 79 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Rarely uploaded, but has been around for a while. Often niche legitimate software or old internal tooling; not a strong malware signal on its own.
Forensic fingerprint
- File name: Tracking.exe
- Size: 11.03 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: b3b424ab934451178eb5343cb4a9131a848f71badca5d8a1b5579d5be8095e2a
- MD5: d468098873adb090ea6252b3aabd9456
- SHA-1: 415fa88e99366972fe44d773b820a1e1eb61dcdb
- PE imphash: 91802a615b3a5c4bcc05bc5f66a5b219
- First seen (VT): 8/6/2024, 5:55:09 AM
- Last analysis (VT): 8/6/2024, 5:56:02 AM
- First scan (MalwareTips): 6/6/2026, 10:04:52 PM
- Last scan (MalwareTips): 6/6/2026, 10:04:52 PM
Reviews & malware reports (0)