Suspicious
Unestablished signer, direct-IP contact, and low-tier detections create mixed signals; no tier-1 consensus or confirmed malicious behaviour.
ce779ef135b69a7ad6…15701711cd
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The sample exhibits a borderline profile: 4 detections with no tier-1 consensus, an unestablished signer, and atypical network behaviour (direct-IP contact). However, the absence of tier-1 agreement, lack of malicious sandbox verdict, and negative external intelligence (no YARA rules, no MalwareBazaar hit) prevent a confident malicious call. The direct-IP C2 heuristic is the strongest signal, but heuristic engines are prone to false positives on legitimate packed software. Community feedback is conflicting, with one researcher tagging malware families and another rating the file clean. The medium prevalence (135 submissions) suggests some distribution but not mainstream. Without additional corroborating evidence, this remains a mixed-signal case warranting caution but not a definitive malicious classification.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- engines: 4/69 malicious (CrowdStrike, Cylance, DeepInstinct low-trust; Gridinsoft tier2 heuristic); tier1Malicious=0; no tier-1 family consensus
- signing.verified=true but signerStats.found=false (no signer history); trustedPublisher.matched=false; triggeredHeuristics 'SuspiciousSignerCN' flags generic CN
- behaviour.contactedIps=['162.159.36.2'] with zero domains; triggeredHeuristics 'DirectIpC2' (medium) — atypical for benign software but no malicious sandbox verdict
- prevalence: medium (109 submitters, 135 submissions); no similar-hash RAG hits; external intel (CIRCL, YARAify, MalwareBazaar) all negative
- community comments conflicting: one tags malware families (coinminer, icedid, njrat); another rates 'Clean' with valid certificate claim
- Thirteen tier-1 engines reported clean
- No tier-1 malware family consensus
- No malicious sandbox verdict
- No malicious contacted hosts in our cache
- Negative external intelligence (CIRCL, YARAify, MalwareBazaar)
- Unestablished signer with no prior sample history
- Direct-IP contact without DNS lookups (atypical network pattern)
- Generic heuristic detections from low-trust and tier-2 engines
- Suspicious signer CN flagged by heuristic rule
Exercise caution with this file. The mixed signals — unestablished signer, atypical network behaviour, and low-tier detections — warrant further investigation before execution. If you trust the source, consider running it in an isolated sandbox or consulting your security team.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 162.159.36.2
- \Device\ConDrv\\Connect
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 162.159.36.2
Signed by "Manthe Industries LLC" — short generic company CN. Paired with 4 engine hit(s); possible stolen, fraudulent, or reseller-purchased code-signing certificate.
Evidence: Manthe Industries LLC
4 detections across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: vapev4.exe
- Size: 11.49 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: ce779ef135b69a7ad6da5fb757cde6e7ac05ebcd0781a75f5b4a9115701711cd
- MD5: 218c8f4643ada24a6baa75c1e44ec513
- SHA-1: fb91252c66bbb85ae85f9bf85801d8fde29a58e0
- PE imphash: f1efa2f6fc17b1190d38c8133d0b0187
- First seen (VT): 4/10/2026, 6:56:43 PM
- Last analysis (VT): 6/26/2026, 2:26:30 AM
- First scan (MalwareTips): 7/2/2026, 1:07:18 PM
- Last scan (MalwareTips): 7/2/2026, 1:07:18 PM
- Code signer: Manthe Industries LLC (verified)
Reviews & malware reports (0)