File verdict · Decided by the MT AI Engine
Our call

Suspicious

Unsigned 3.5 KB Win32 DLL with one tier-1 detection and one prior safe imphash match.

Trust score: 48 (Caution)
MT AI confidence · 55%
8pfrpl.exe
3.5 KB
de532365f06ed36585e02a0ac881
Antivirus engines
4 of 74 flagged
Code signing
Unsigned
Age
First seen 7y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

55% Confidence
Moderate
Reasoning

The detection profile sits between low-trust FP and genuine threat: one tier-1 engine reports a named family while 65 engines remain silent. Absence of signing, sandbox data, and external intelligence leaves the sample in mixed-signals territory. The single similar-hash precedent leans safe but is insufficient to override the tier-1 label. Medium prevalence and long age argue against a brand-new malicious dropper yet do not confirm legitimacy.

Key signals · 4

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines.tier1Malicious=1 (TrendMicro-HouseCall) with tier1FamilyConsensus.family=win64 (strong=false)

  2. signing.signed=false and signerStats.found=false

  3. similarHashes[0].verdict=safe (matchKind=imphash, reasonCode=ai:low_trust_engines_only)

  4. prevalence.classification=medium (13 uniqueSources, 15 timesSubmitted)

Points in its favour
  • Only 4/70 engines flagged
  • Prior imphash match received safe verdict
  • No sandbox or network indicators
Points against
  • Unsigned binary
  • Tier-1 engine detection naming specific Trojan family
  • Small file size with DLL extension
What to do

Quarantine the sample and perform dynamic analysis before any execution; avoid running unsigned DLLs from unknown origins.

Threat family attribution

tl0101dg26zh corroborated by 1 source

  • VT (74 engines)
    tl0101dg26zh
No researcher-database hits
External threat-intel sources were not collected for this scan.
Antivirus engine breakdown

4 detections across 74 engines

4 malicious · 0 suspicious · 70 clean

  • Tier-1 (17 engines): 1 flag. Top commercial AVs (low FP rate)
  • Tier-2 (38 engines): 1 flag. Mainstream engines with mixed FP rates
  • Low-trust (19 engines): 2 flags. Heuristic / generic-AI engines (high FP rate)

  • Cynet: malicious, Malicious (score: 100)
  • Malwarebytes: malicious, Malware.Heuristic.2126
  • McAfeeD: malicious, ti!DE532365F06E
  • TrendMicro-HouseCall: malicious, Trojan.Win64.Gen.TL0101DG26ZH

Hash de532365f06e… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked
Section entropy (2 sections)
  • .text: 5.87
  • .data: 5.63
Scale 0.0 to 8.0; packed threshold 7.2
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
13
Moderate upload volume.
Total submissions
15
Includes repeat uploads by the same source.
First seen by VT
7y ago
Mar 8, 2019
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
3/8/2019, 1:42:29 AM
First seen (MalwareBazaar)
Last analysis (VT)
6/30/2026, 11:07:22 PM
Scanned here
7/3/2026, 9:53:40 AM
File name
8pfrpl.exe
Size
3.5 KB
MIME type
(unknown)
Detected type
Win32 DLL
SHA-256
de532365f06ed36585d37fda4e13c331f5cdc375d381950b8d473de02a0ac881
MD5
1090cf0c2e5bfa1211f771ae6bbc88cd
SHA-1
0218fb145270391a64279e6fc6f4e8b6be7c0600
PE imphash
6e19abb36f191604c3793aee28e89b75
First scan (MalwareTips)
7/3/2026, 9:53:40 AM
Last scan (MalwareTips)
7/3/2026, 9:53:40 AM
Behavior tags
64bits, pedll
Community classification

Reviews & malware reports (0)

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.