File verdict · Decided by the MT AI Engine
Our call

Safe

Unsigned Java application with zero malicious engine detections, medium prevalence, and benign runtime behaviour consistent with legitimate Java lifecycle management.

Trust score · 88 (High trust)
MT AI confidence · 92%
catlean_1.21.11.jar
10.6 MB
d15e0afafc2ecbbc38daeb003f4c
Antivirus engines · 0 of 74 flagged
Code signing · Unsigned
Age · First seen 4mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence · 92% (Very high)
Reasoning

The evidence converges strongly on a benign Java application. Zero malicious detections from 65 engines, with 16 tier-1 vendors reporting clean, establishes a robust consensus. The offensive MITRE techniques (T1543.002, T1562.001) are paired with 8 ambient techniques (scripting, system discovery, execution, logging suppression) that are routine in Java runtime management, not indicative of malware command-and-control or data exfiltration. The file's medium prevalence across 3,325 submitters over 118 days indicates established, distributed use. No external intelligence (CIRCL, YARAify, MalwareBazaar) flagged the sample. Dropped children (6 inspected, 0 malicious) and contacted hosts (none in malicious cache) show no secondary malicious activity. The unsigned status is unremarkable for Java applications. Community researcher annotation explicitly states 'Clean' with score 0/100, aligning with the engine consensus.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines: 0/65 malicious; tier1Malicious=0; tier1ReportedClean=16 (Avast, BitDefender, Kaspersky, Microsoft, ESET-NOD32, Fortinet, F-Secure, Emsisoft, Avira, DrWeb, GData, AVG all undetected)

  2. Behaviour: T1543.002 + T1562.001 (offensive) paired with 8 ambient techniques (T1064, T1082, T1106, T1202, T1518.001, T1564, T1564.001, T1564.003) — consistent with Java runtime lifecycle management, not malware C2 or exfiltration

  3. Dropped children: 6/6 unknown verdict, 0 malicious; contacted hosts: none in malicious cache; external intel: CIRCL/YARAify/MalwareBazaar all negative

  4. Prevalence: medium (3325 submitters, 5429 submissions, 118 days) — established distribution history

  5. Community annotation: 'Verdict: Clean Score: 0/100' — researcher consensus aligns with engine silence

Points in its favour
  • Zero malicious detections across 65 engines; 16 tier-1 vendors (Kaspersky, BitDefender, Microsoft, ESET-NOD32, Fortinet, F-Secure, Emsisoft, Avira, DrWeb, GData, AVG, Avast) all undetected
  • Medium prevalence: 3,325 unique submitters, 5,429 submissions over 118 days — established distribution history
  • Dropped children: 6 inspected, 0 malicious; contacted hosts: none in malicious cache
  • Community researcher annotation: 'Verdict: Clean Score: 0/100'
  • Runtime behaviour consistent with Java lifecycle management (process creation, logging suppression) — not C2 or exfiltration patterns
What to do

This file is safe to use. The zero-malicious consensus from 65 engines, including 16 tier-1 vendors, combined with medium prevalence and benign runtime behaviour, confirms a legitimate Java application. No further analysis or quarantine is necessary.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK · 10 techniques

Adversary techniques mapped to the MITRE ATT&CK framework.

T1064, T1082, T1106, T1202, T1518.001, T1543.002, T1562.001, T1564, T1564.001, T1564.003
Spawned processes · 11
  • "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\<USER>\Desktop\runtime.jar"
  • C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  • C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Java\jre1.8.0_441\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\sample.jar"" >> C:\cmdlinestart.log 2>&1
  • C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  • "C:\Program Files\Java\jre1.8.0_441\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\sample.jar"
  • /bin/sh sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog
  • /usr/lib/rsyslog/rsyslog-rotate
  • /usr/bin/systemctl systemctl kill -s HUP rsyslog.service
  +3 more processes captured.
Filesystem & mutexes · 13
Files written · 11
  • C:\Users\<USER>\AppData\Local\Temp\hsperfdata_<USER>\3612
  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c8786.timestamp
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user\6488
+6 more
Files deleted · 2
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user\6916
  • /tmp/hsperfdata_root/4981
Dropped payload

Files this sample writes at runtime

This file drops 6 children at runtime. None are currently flagged malicious in our cache.

6 unseen
No researcher-database hits
External threat-intel sources were not collected for this scan.
Antivirus engine breakdown

0 detections across 74 engines

0 malicious · 0 suspicious · 74 clean
  • Tier-1 · 17 engines · 0 flagged (top commercial AVs, low FP rate)
  • Tier-2 · 38 engines · 0 flagged (mainstream engines with mixed FP rates)
  • Low-trust · 19 engines · 0 flagged (heuristic / generic-AI engines, high FP rate)
All 74 engines report this file as clean.
Hash d15e0afafc2e… cross-referenced against 74 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
  • Unique uploaders · 3,325. Hundreds of people have uploaded this — common.
  • Total submissions · 5,429. Includes repeat uploads by the same source.
  • First seen by VT · 4mo ago (Mar 4, 2026)
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
  • First seen (VT) · 3/4/2026, 2:52:08 AM
  • First seen (MalwareBazaar)
  • Last analysis (VT) · 6/30/2026, 3:09:58 PM
  • Scanned here · 6/30/2026, 3:46:49 PM
  • File name · catlean_1.21.11.jar
  • Size · 10.61 MB
  • MIME type · (unknown)
  • Detected type · JAR
  • SHA-256 · d15e0afafc2ecbbc3883d3a1369542c16dfc3ed395e13e9de233fadaeb003f4c
  • MD5 · c15af2839acb31f2fac2ee177c01c545
  • SHA-1 · a34ee078867ff2a94ada33477c0eeb94ac855de1
  • First scan (MalwareTips) · 6/30/2026, 3:46:49 PM
  • Last scan (MalwareTips) · 6/30/2026, 3:46:49 PM
Behavior tags
jar, detect-debug-environment, sets-process-name, checks-cpu-name
Community classification

Reviews & malware reports (0)

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.