File verdict · Decided by the MT AI Engine
Our call

Suspicious

Unestablished signer, direct-IP contact, and low-tier detections create mixed signals; no tier-1 consensus or confirmed malicious behaviour.

Verified · Manthe Industries LLC
Trust score 52 · Caution
MT AI confidence · 58%
vapev4.exe
11.5 MB
ce779ef135b69a7ad615701711cd
Antivirus engines
4 of 75 flagged
Code signing
Signed by Manthe Industries LLC
Age
First seen 3mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence 58% · Moderate
Reasoning

The sample exhibits a borderline profile: 4 detections with no tier-1 consensus, an unestablished signer, and atypical network behaviour (direct-IP contact). However, the absence of tier-1 agreement, lack of malicious sandbox verdict, and negative external intelligence (no YARA rules, no MalwareBazaar hit) prevent a confident malicious call. The direct-IP C2 heuristic is the strongest signal, but heuristic engines are prone to false positives on legitimate packed software. Community feedback is conflicting, with one researcher tagging malware families and another rating the file clean. The medium prevalence (135 submissions) suggests some distribution but not mainstream. Without additional corroborating evidence, this remains a mixed-signal case warranting caution but not a definitive malicious classification.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines: 4/69 malicious (CrowdStrike, Cylance, DeepInstinct low-trust; Gridinsoft tier2 heuristic); tier1Malicious=0; no tier-1 family consensus

  2. signing.verified=true but signerStats.found=false (no signer history); trustedPublisher.matched=false; triggeredHeuristics 'SuspiciousSignerCN' flags generic CN

  3. behaviour.contactedIps=['162.159.36.2'] with zero domains; triggeredHeuristics 'DirectIpC2' (medium) — atypical for benign software but no malicious sandbox verdict

  4. prevalence: medium (109 submitters, 135 submissions); no similar-hash RAG hits; external intel (CIRCL, YARAify, MalwareBazaar) all negative

  5. community comments conflicting: one tags malware families (coinminer, icedid, njrat); another rates 'Clean' with valid certificate claim

Points in its favour
  • Thirteen tier-1 engines reported clean, and none of the 17 tier-1 engines in the breakdown flagged the file
  • No tier-1 malware family consensus
  • No malicious sandbox verdict
  • No malicious contacted hosts in our cache
  • Negative external intelligence (CIRCL, YARAify, MalwareBazaar)
Points against
  • Unestablished signer with no prior sample history
  • Direct-IP contact without DNS lookups (atypical network pattern)
  • Generic heuristic detections from low-trust and tier-2 engines
  • Suspicious signer CN flagged by heuristic rule
What to do

Exercise caution with this file. The mixed signals (unestablished signer, atypical network behaviour, and low-tier detections) warrant further investigation before execution. If you trust the source, confirm the SHA-256 below against the hash the vendor publishes, check that the certificate's signer name matches that vendor, and run the file in an isolated sandbox first or consult your security team.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK (6 techniques)

Adversary techniques mapped to the MITRE ATT&CK framework.

  • T1027 Obfuscated Files or Information
  • T1027.002 Software Packing
  • T1056 Input Capture
  • T1057 Process Discovery
  • T1071 Application Layer Protocol
  • T1082 System Information Discovery
Spawned processes (3)
  • "C:\Users\<USER>\Desktop\722ed1e1.exe"
  • "C:\Users\user\Desktop\722ed1e1.exe"
  • C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
The two 722ed1e1.exe entries appear to be the sample itself, reported once with the username redacted and once with the sandbox account name. conhost.exe with 0xffffffff -ForceV1 is the console host that Windows starts for any console-subsystem program; on its own it says nothing about intent.
Network activity (1)
IP addresses (1)
  • 162.159.36.2
Filesystem & mutexes (1)
Files written (1)
  • \Device\ConDrv\\Connect
\Device\ConDrv is the Windows console driver; opening its Connect object is part of attaching to conhost, not a file dropped on disk. No mutexes and no on-disk writes were recorded.
No researcher-database hits
External threat-intel sources were not collected for this scan. If that is the case, the "negative" CIRCL, YARAify and MalwareBazaar results cited in the key signals should be read as not queried rather than as clean: a source that was never asked is missing evidence, not evidence of absence.
Signature matches

YARA + heuristic rules that fired

One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.

2 synthesis rules
MITRE ATT&CK profile: Defense evasion ×1, C2 ×1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • DirectIpC2 (medium)

    Sample contacted 1 external IP address and zero domains. Most benign software resolves names through DNS, so direct-IP command-and-control with no lookups is a common malware trait: it sidesteps domain reputation and domain blocklists. It is not a strong signal on its own. Updaters, licence checks and telemetry in legitimate software also use hard-coded addresses, and a sandbox that captured no DNS at all looks the same. 162.159.36.2 falls inside Cloudflare's published 162.158.0.0/15 range, so this contact may be a CDN edge or a DNS-over-HTTPS resolver rather than an attacker-controlled host; what was sent to it matters more than the bare address.

    Evidence
    162.159.36.2
  • SuspiciousSignerCN (low)

    Signed by "Manthe Industries LLC", a short generic company CN with no signer history on this service. Paired with 4 engine hits this could be a stolen, fraudulent or reseller-purchased code-signing certificate; it could equally be a small vendor's first product. Check the certificate chain and issuer, and whether the CN matches the vendor you downloaded from.

    Evidence
    Manthe Industries LLC
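To make the DirectIpC2 reasoning concrete, here is an added example (not MalwareTips' rule code) that re-implements it over a constructed sandbox report shaped after the fields quoted in the key signals. The field names, the severity downgrade for CDN and resolver ranges, and the range list itself are assumptions made for this example; the Cloudflare range is the published 162.158.0.0/15, and the local ranges are RFC 1918, loopback and link-local space.

```python
import ipaddress
import json

# Constructed sandbox report shaped after the fields this page quotes
# (behaviour.contactedIps, contacted domains, DNS lookups). Not a real export.
SAMPLE_REPORT = json.loads("""
{"behaviour": {"contactedIps": ["162.159.36.2"], "contactedDomains": [], "dnsLookups": []}}
""")

# Address space that never counts as direct-IP C2 (RFC 1918, loopback, link-local, multicast).
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# Ranges benign software contacts by bare IP all the time: CDN anycast and
# public DoH/DoT resolvers. Illustrative list, assumed for this example;
# 162.158.0.0/15 is Cloudflare's published range and contains 162.159.36.2.
CDN_OR_RESOLVER_RANGES = [ipaddress.ip_network(n) for n in (
    "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",   # Cloudflare
    "1.1.1.0/24", "8.8.8.0/24", "9.9.9.0/24")]            # public resolvers


def classify_ip(ip: str) -> str:
    """Return 'local', 'cdn_or_resolver' or 'public' for a contacted address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL_RANGES):
        return "local"
    if any(addr in net for net in CDN_OR_RESOLVER_RANGES):
        return "cdn_or_resolver"
    return "public"


def direct_ip_c2(report: dict) -> dict:
    """DirectIpC2 idea: external IP contacts with no DNS activity at all.

    Severity is 'medium' only when a plain public address was contacted. If every
    non-local contact sits in a CDN/resolver range the rule still fires, but at
    'low', because a hard-coded DoH resolver or CDN edge looks identical in a
    sandbox that captured no DNS.
    """
    beh = report.get("behaviour", {})
    dns_seen = bool(beh.get("contactedDomains")) or bool(beh.get("dnsLookups"))
    buckets = {"local": [], "cdn_or_resolver": [], "public": []}
    for ip in beh.get("contactedIps", []):
        buckets[classify_ip(ip)].append(ip)
    result = {"rule": "DirectIpC2", "fired": False, "severity": None, "evidence": []}
    if dns_seen or not (buckets["public"] or buckets["cdn_or_resolver"]):
        return result  # DNS was used, or only local traffic: rule does not apply
    result["fired"] = True
    if buckets["public"]:
        result.update(severity="medium", evidence=buckets["public"])
    else:
        result.update(severity="low", evidence=buckets["cdn_or_resolver"],
                      note="all contacts are CDN/resolver anycast; confirm the sandbox captured DNS")
    return result


if __name__ == "__main__":
    print(json.dumps(direct_ip_c2(SAMPLE_REPORT), indent=2))
```

On the page's own evidence the rule fires at low rather than medium, which is the practical point: the address alone cannot distinguish a Cloudflare-fronted licence server from a C2, so the next step is to look at what was sent over that connection.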
Antivirus engine breakdown

4 detections across 75 engines: 4 malicious, 0 suspicious, 71 clean

Tier-1 (17 engines): 0 flagged. Top commercial AVs (low FP rate)
Tier-2 (38 engines): 1 flagged. Mainstream engines with mixed FP rates
Low-trust (20 engines): 3 flagged. Heuristic / generic-AI engines (high FP rate)

Engine · verdict · detection name
CrowdStrike · malicious · win/malicious_confidence_60% (D)
Cylance · malicious · Unsafe
DeepInstinct · malicious · MALICIOUS
Gridinsoft · malicious · Trojan.Heur!.01010023

None of the four names a malware family; all four are confidence or heuristic labels.
Hash ce779ef135b6… cross-referenced against 75 AV engines via our AV network.
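The tier logic the key signals rely on (tier-1 agreement on a family versus generic hits from low-trust engines) is easy to state in code. The block below is an added example written for this page, not MalwareTips' scoring engine: the tier membership of the clean engines, the verdict thresholds and the family-extraction rule are assumptions, and the contrast case is constructed. It takes the four detection strings printed above as input.

```python
import re
from collections import Counter

# Tier membership as shown on this page for the four flagging engines; the
# tier-1 entries are assumed examples, since the page does not list clean engines by name.
TIER_OF = {
    "Gridinsoft": "tier2",
    "CrowdStrike": "low_trust", "Cylance": "low_trust", "DeepInstinct": "low_trust",
    "Microsoft": "tier1", "Kaspersky": "tier1", "ESET-NOD32": "tier1", "BitDefender": "tier1",
}
# Labels that are confidence/verdict words rather than family names.
GENERIC = re.compile(r"malicious|unsafe|suspicious|confidence|generic|score", re.I)
# Type and platform tokens that appear in almost every detection name.
STOPWORDS = {"heur", "trojan", "win", "win32", "win64", "gen", "variant",
             "malware", "backdoor", "agent", "virus", "pua", "riskware"}


def family_of(label: str):
    """Best-effort family token from a detection name; None when the label is generic."""
    if GENERIC.search(label):
        return None
    for tok in re.findall(r"[A-Za-z]{3,}", label):
        if tok.lower() not in STOPWORDS:
            return tok.lower()
    return None


def tiered_verdict(detections, total_engines: int) -> dict:
    """detections: iterable of (engine, label) for the engines that flagged the file.

    Assumed thresholds: 'malicious' needs two or more tier-1 hits that agree on a
    family; one tier-1 hit or two tier-2 hits gives 'likely malicious'; anything
    else with at least one hit is 'suspicious'.
    """
    detections = list(detections)
    by_tier = Counter(TIER_OF.get(engine, "low_trust") for engine, _ in detections)
    tier1_families = Counter()
    for engine, label in detections:
        fam = family_of(label)
        if TIER_OF.get(engine) == "tier1" and fam:
            tier1_families[fam] += 1
    consensus = next((f for f, n in tier1_families.most_common(1) if n >= 2), None)
    if by_tier["tier1"] >= 2 and consensus:
        verdict = "malicious"
    elif by_tier["tier1"] >= 1 or by_tier["tier2"] >= 2:
        verdict = "likely malicious"
    elif detections:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "flagged": f"{len(detections)}/{total_engines}",
            "tier1": by_tier["tier1"], "tier2": by_tier["tier2"],
            "low_trust": by_tier["low_trust"], "tier1_family_consensus": consensus}


# The four detection strings printed in the breakdown above.
PAGE_DETECTIONS = [
    ("CrowdStrike", "win/malicious_confidence_60% (D)"),
    ("Cylance", "Unsafe"),
    ("DeepInstinct", "MALICIOUS"),
    ("Gridinsoft", "Trojan.Heur!.01010023"),
]

# Constructed contrast case: three tier-1 engines naming the same family.
CONTRAST_DETECTIONS = [
    ("Microsoft", "Trojan:Win32/IcedID.A!ml"),
    ("Kaspersky", "HEUR:Trojan.Win32.IcedID.gen"),
    ("ESET-NOD32", "Win32/IcedID.AC"),
]

if __name__ == "__main__":
    print(tiered_verdict(PAGE_DETECTIONS, 75))
    print(tiered_verdict(CONTRAST_DETECTIONS, 75))
```

The page's four hits come out as "suspicious" with no family consensus, while the constructed tier-1 IcedID trio comes out "malicious"; the difference is entirely in who flagged and whether the names agree, not in the raw count.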
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. No known packer signature matched (hence the "Unpacked" label), but the whole-file entropy of 7.68 is above this page's own packed threshold of 7.2, and the .rsrc section sits at 7.71: resources that dense are normally compressed or encrypted data rather than icons and version strings. The code sections (.text, .pdata, .vlizer) are in the normal range, so the binary is not wholesale packed, but the sandbox's T1027.002 (Software Packing) mapping and the detect-debug-environment and overlay tags are consistent with a protected overlay or resource payload. .fptable and .vlizer are not standard compiler section names; .vlizer is the section name typically emitted by the Oreans Code Virtualizer protector, which would also explain the anti-debug behaviour. Read "Unpacked" here as "no packer signature matched", not as "plain code".

Overall entropy 7.68 · packer signature: none (labelled Unpacked)
Section entropy (8 sections)
  .text     6.17
  .rdata    5.76
  .data     5.89
  .pdata    6.17
  .fptable  0.00
  .rsrc     7.71
  .reloc    5.45
  .vlizer   6.20
Scale 0.0 to 8.0; packed threshold 7.2
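The entropy figures above can be reproduced from the raw PE without a third-party library. The block below is an added example, not MalwareTips' analysis code: it parses the section table, computes Shannon entropy per section and for the whole file, and flags sections above the 7.2 threshold used on this page as well as section names outside a small assumed list of compiler defaults. It runs on a minimal PE it builds itself (constructed test data, not this sample) so that it works offline; point `analyse()` at the bytes of a real file to get the same table for it.

```python
import math
import random
import struct
from collections import Counter

PACKED_THRESHOLD = 7.2  # threshold used on this page
# Assumed list of ordinary MSVC/GCC section names; anything else gets flagged for review.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".xdata", ".rsrc", ".reloc",
                   ".idata", ".edata", ".tls", ".bss", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes):
    """Yield (name, raw_bytes) for each entry in the PE section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + size_of_optional                 # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), blob[raw_ptr:raw_ptr + raw_size]


def analyse(blob: bytes, threshold: float = PACKED_THRESHOLD) -> dict:
    per_section = {name: round(shannon_entropy(raw), 2) for name, raw in pe_sections(blob)}
    overall = round(shannon_entropy(blob), 2)
    high = [n for n, e in per_section.items() if e > threshold]
    return {
        "overall": overall,
        "sections": per_section,
        "high_entropy": high,
        "unusual_names": [n for n in per_section if n not in COMMON_SECTIONS],
        # loose sense of "packed": the whole file or some section is above threshold
        "likely_packed_or_encrypted": overall > threshold or bool(high),
    }


def build_test_pe(sections) -> bytes:
    """Construct a minimal, non-runnable PE32+ image so the parser has input. Test data only."""
    e_lfanew = 0x40
    optional = bytes(0xF0)                               # blank PE32+ optional header (size 0xF0)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(optional), 0x22)
    headers_end = e_lfanew + 4 + len(coff) + len(optional) + 40 * len(sections)
    raw_start = (headers_end + 0x1FF) & ~0x1FF           # align raw data to 0x200
    table, payload, ptr = b"", b"", raw_start
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        payload += raw
        ptr += len(raw)
    return (dos + b"PE\0\0" + coff + optional + table).ljust(raw_start, b"\0") + payload


_rng = random.Random(1)                                  # deterministic "encrypted" bytes
SAMPLE_PE = build_test_pe([
    (".text", b"\x48\x89\x5c\x24\x08" * 400),            # repetitive code-like bytes: low entropy
    (".rsrc", bytes(_rng.getrandbits(8) for _ in range(4096))),  # random: looks encrypted
    (".vlizer", bytes(512)),                              # zero-filled, non-standard name
])

if __name__ == "__main__":
    print(analyse(SAMPLE_PE))
```

On the constructed image the whole-file entropy stays below 7.2 while .rsrc alone is above it, which is why the check looks at sections and not only at the overall figure: a single dense section is enough to hide a payload.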
Prevalence

How often this file shows up in the wild

Moderate prevalence: neither rare nor common, so no strong prior applies either way.

Medium
Unique uploaders: 109
Just over a hundred distinct uploaders; enough to show real distribution, not enough to treat as mainstream.
Total submissions: 135
Includes repeat uploads by the same source.
First seen by VT: 3mo ago (Apr 10, 2026)
Prevalence quadrant (this file: medium prevalence, new)
  Rare · New: targeted malware lives here
  Common · New: just-released software
  Rare · Old: niche or internal tooling
  Common · Old: trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT): 4/10/2026, 6:56:43 PM
First seen (MalwareBazaar): (none)
Last analysis (VT): 6/26/2026, 2:26:30 AM
Scanned here: 7/2/2026, 1:07:18 PM
File name: vapev4.exe
Size: 11.49 MB
MIME type: (unknown)
Detected type: Win32 EXE
SHA-256: ce779ef135b69a7ad6da5fb757cde6e7ac05ebcd0781a75f5b4a9115701711cd
MD5: 218c8f4643ada24a6baa75c1e44ec513
SHA-1: fb91252c66bbb85ae85f9bf85801d8fde29a58e0
PE imphash: f1efa2f6fc17b1190d38c8133d0b0187
First scan (MalwareTips): 7/2/2026, 1:07:18 PM
Last scan (MalwareTips): 7/2/2026, 1:07:18 PM
Code signer: Manthe Industries LLC (signature verified)
Behavior tags: peexe, overlay, detect-debug-environment, checks-user-input, 64bits
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.