Suspicious
Unsigned JAR with direct-IP contact and two offensive MITRE techniques but zero engine detections.
d46aa0675383d7b905…a7c1e9e7b1
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
Zero malicious detections from 65 reporting engines including 16 tier-1 engines rules out strong malware consensus. However, the sandbox recorded direct-IP contact to 162.159.36.2 without any DNS resolution and logged T1543.002 plus T1562.001, both flagged by the DirectIpC2 heuristic. The JAR is unsigned with no signer history, six dropped children returned unknown, and external intelligence sources returned no matches. Medium prevalence (124 submitters) prevents a rare_new classification that would heighten suspicion. The combination of behavioural red flags without corroborating engine or external signals produces a borderline mixed-signals assessment.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- engines.malicious=0 and engines.tier1Malicious=0 across 65 reporting engines
- behaviour.contactedIps=["162.159.36.2"] with zero domains triggered the MalwareTips.Synth.DirectIpC2 heuristic
- signing.signed=false and signing.signerStats.found=false
- droppedChildren.hasMaliciousChild=false and droppedChildren.rollup.malicious=0
- externalIntel.yaraify.ruleCount=0 and externalIntel.circl.hit=false
- Zero malicious detections from 65 reporting engines
- No malicious dropped children
- Medium prevalence across 124 submitters
- Direct-IP contact without DNS resolution
- Two offensive MITRE techniques observed in sandbox
- Unsigned JAR with no signer history
Isolate and monitor the sample; re-scan periodically and avoid execution until additional corroborating data emerges.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 162.159.36.2
- C:\Users\<USER>\AppData\Local\Temp\hsperfdata_<USER>\5364
- C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
- C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c8786.timestamp
- C:\Users\user\AppData\Local\Temp\hsperfdata_user
- C:\Users\user\AppData\Local\Temp\hsperfdata_user\6844
- C:\Users\user\AppData\Local\Temp\hsperfdata_user\5544
- /tmp/hsperfdata_root/4976
Files this sample writes at runtime
This file drops 6 children at runtime. None are currently flagged malicious in our cache.
- 2194942fe20fc4079e01…e4b13d (never scanned, never seen before)
- 07284ffa84eb56e344e9…651b00 (never scanned, never seen before)
- 3f8096f14540c8e18e4e…ad10b8 (never scanned, never seen before)
- d87c5f3cdfb5b7c0510e…1ade9e (never scanned, never seen before)
- 44a3bab2c338e3bca24c…d3b9e7 (never scanned, never seen before)
- ac941ead01d5451a7a9f…253227 (never scanned, never seen before)
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 162.159.36.2
0 detections across 74 engines
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: Unconfirmed 959177.crdownload
- Size: 38.98 MB
- MIME type: (unknown)
- Detected type: JAR
- SHA-256: d46aa0675383d7b905d7e7735bc5b5ffa785f57dc34d054a19d75fa7c1e9e7b1
- MD5: d4f90285f10f59372a4563b9418f53b1
- SHA-1: e16a9d71c74b67a0d800fcc3e688b7c77e806f04
- First seen (VT): 3/31/2026, 10:38:11 PM
- Last analysis (VT): 6/26/2026, 2:37:09 PM
- First scan (MalwareTips): 7/4/2026, 8:33:10 AM
- Last scan (MalwareTips): 7/4/2026, 8:33:10 AM