Malicious
Seven tier-1 engines converge on UltraSurf/UltraReach family; sandbox observed process injection, direct-IP C2, and packing — classic proxy-bypass malware.
ea16e08de0a81c229b…dddb7bf630
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The evidence converges on a malicious classification. Seven tier-1 engines agree on the UltraSurf/UltraReach family, which is a far stronger basis than low-trust heuristics alone. The sandbox run maps to three MITRE ATT&CK techniques: process injection into Explorer.exe (T1055), archive creation (T1560), and T1562.001 (the sandbox labels this "indicator removal"; in ATT&CK, T1562.001 is Impair Defenses: Disable or Modify Tools, and indicator removal proper is T1070). The direct-IP C2 pattern, 15 external IPs contacted with zero DNS lookups recorded (the heuristic rule further down counts 19), is characteristic of software built to sidestep domain-based reputation systems. The binary is UPX-packed with a whole-file entropy of 7.15, consistent with obfuscation. The signer 'Ultrareach Internet Corp.' has no other samples in our database; note, though, that the signer string matches the detected family name, so this reads as a publisher-signed proxy-bypass tool rather than a trojan masquerading as one. The tier-1 consensus and the observed behaviour still outweigh the signature: multiple tier-1 engines flag UltraSurf regardless of who signed it, and it is unwanted on managed endpoints. The file's age (2990 days) and prevalence (180 submissions, common_old) confirm a well-known sample rather than a one-off false positive.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
tier1Malicious=7 engines (BitDefender, DrWeb, Emsisoft, ESET-NOD32, Fortinet, GData, Kaspersky) agreeing on UltraSurf/UltraReach family — tier1FamilyConsensus.strong=true
signing.verified=true but signerStats.found=false and trustedPublisher.matched=false — signer 'Ultrareach Internet Corp.' has zero historical samples in our database
behaviour: T1055 (process injection), T1560 (archive), T1562.001 (indicator removal); direct-IP C2 to 15 external IPs with zero DNS domains; triggeredHeuristics fired ProcessInjection, DirectIpC2, DropperNetworkProfile (all high/medium severity)
file reputation=-24, tags=['malware','upx','overlay','via-tor','detect-debug-environment'], prevalence=common_old (180 submissions since 2018) — well-known evasive malware
PE entropy=7.15 (high), likelyPacked=true, UPX packer detected — obfuscated binary consistent with malware dropper
Signals in the file's favour
- File is digitally signed (Authenticode verified)
- No malicious contacted hosts in our URL cache
- No malicious dropped children detected (all 10 children are unanalysed, so this is absence of evidence rather than a clean result)

Signals against the file
- Process injection (T1055) into a legitimate process (Explorer.exe) to evade AV hooks
- Direct-IP command-and-control communication (15 IPs, zero DNS lookups recorded) bypassing reputation systems
- UPX packing and high entropy (7.15) indicating obfuscation
- Signer 'Ultrareach Internet Corp.' has zero historical samples: the signature verifies, but the publisher has no track record in our database
- Negative reputation score (-24) and 180 submissions since 2018: a well-known, consistently flagged sample
- Archive creation (T1560) and T1562.001 (reported as indicator removal; ATT&CK names it Impair Defenses: Disable or Modify Tools) observed
Block and quarantine this file immediately. UltraSurf is a known proxy-bypass tool flagged by multiple tier-1 antivirus engines and exhibits malicious sandbox behaviour including process injection and direct-IP C2 communication. Do not allow execution under any circumstances.
ultrasurf corroborated by 2 sources
- VT (74 engines): ultrasurf
- MT AI Engine: ultrasurf
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework: T1055, T1560, T1562.001 (listed in the signals above).

Contacted IP addresses
- 13.226.206.77
- 142.250.158.17
- 152.199.4.33
- 18.154.214.101
- 173.194.67.17
- 151.101.1.6
- 143.204.165.50
- 18.238.171.57
- 162.159.36.2
- 54.230.12.42
Contacted URLs
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
- http://clients2.google.com (clients2.google.com:443)
- http://iyyykfjhtfm/
- http://xbgxcpqmtinygqs/
- http://kzmpvwk/
- http://ultrasurf.us/search.htm
Devices and files touched
- \Device\Netbios
- C:\Users\<USER>\Desktop\6fa9
- C:\Users\<USER>\Desktop\utmp\Mqxzwilwbs2c5i3w
- C:\Users\<USER>\Desktop\utmp\Cpaqilejch0v6h0y
- C:\Users\<USER>\Desktop\utmp\Qfbpvxgtjf9n1s2w
- C:\Users\<USER>\Desktop\6fa9
- C:\Users\<USER>\Desktop\utmp\Mafkcfyiwb5c9z3h
- C:\Users\<USER>\Desktop\utmp\Ulqfumbcus5q6k3o
- C:\Users\<USER>\Desktop\utmp\Mqxzwilwbs2c5i3w
- C:\Users\<USER>\Desktop\utmp\Cpaqilejch0v6h0y
Mutexes (all four are standard WinINet/Internet Explorer cache mutexes that any WinINet-using process creates; they are not specific to this sample)
- _!SHMSFTHISTORY!_
- Local\WininetProxyRegistryMutex
- Local\WininetStartupMutex
- Local\_!MSFTHISTORY!_
- Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Files this sample writes at runtime
This file drops 10 children at runtime. None is flagged malicious in our cache, but none has been scanned either, so this is not evidence that the children are benign.
- dd786323b5c5846c0636…db8bae: never scanned, never seen before
- a31c695adee122834a78…2d84f9: never scanned, never seen before
- 34c8bb4a776255595717…c30c7d: never scanned, never seen before
- d35e6a0f1a989c9881d4…e9e8d9: never scanned, never seen before
- dcdabff5c82d5c124c2b…4df7f8: never scanned, never seen before
- de29fe002572df3d2ed2…c88f4a: never scanned, never seen before
- c5d32d65121e15b10c7c…e9dbbf: never scanned, never seen before
- 3450679de680a00e596e…8647f3: never scanned, never seen before
- 8fa889a1fc508144c556…28ed9f: never scanned, never seen before
- 673830217a9e563ced64…3804dd: never scanned, never seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive. The three that fired here (ProcessInjection, DirectIpC2, DropperNetworkProfile) are behavioural heuristics rather than family signatures, so read each evidence line rather than treating the match as conclusive on its own.
ProcessInjection
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: C:\Windows\Explorer.EXE

DirectIpC2
Sample contacted 19 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 13.226.206.77 · 142.250.158.17 · 152.199.4.33
Caveat: the contacted-URL list for this run includes named hosts (www.download.windowsupdate.com, clients2.google.com, ultrasurf.us), so "zero domains" reflects what the DNS capture recorded, not proof that no name resolution took place. The count here (19) also differs from the 15 quoted in the verdict. Weigh this rule below the engine consensus.

DropperNetworkProfile
Packed PE with sandbox-observed network activity AND engine flags. Signed packed software exists legitimately, but a signed + packed + flagged binary is a signed dropper pattern.
Evidence: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
Caveat: the cited URL is Microsoft's automatic root-certificate update sequence file, which Windows itself fetches while building a certificate chain, for example when an Authenticode-signed binary is checked. On its own it is not sample-specific network activity; the packed + flagged part of the rule is what carries weight here.
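The no-DNS rule above, as an added example that is not MalwareTips' DirectIpC2 implementation: it parses a constructed sandbox network log in a hypothetical format, counts public IPs contacted with no recorded DNS answer, and ignores private ranges. Contacts that a DNS answer does explain are reported separately, which matters for this sample because named hosts do appear in its URL list. The log lines, the log format, and the threshold of three are assumptions for the example.

```python
"""Direct-IP C2 heuristic run over a constructed sandbox network log.

Added example, not MalwareTips' DirectIpC2 implementation. The log format
is hypothetical; the rule is one plausible reading of the heuristic: count
outbound connections to public IPs that no recorded DNS answer explains,
and fire when that count reaches a threshold.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log (hypothetical format). Two connections are preceded by a
# DNS answer, three public IPs are contacted with no lookup at all, and one
# target is RFC 1918 and must be ignored. IPs reuse values from the report.
SAMPLE_LOG = """\
0.10 DNS www.download.windowsupdate.com -> 13.226.206.77
0.12 CONNECT 13.226.206.77:80
0.50 CONNECT 142.250.158.17:443
0.51 CONNECT 152.199.4.33:443
0.60 DNS ultrasurf.us -> 151.101.1.6
0.61 CONNECT 151.101.1.6:80
0.70 CONNECT 10.0.0.5:445
0.80 CONNECT 18.154.214.101:443
"""

DNS_RE = re.compile(r"^\S+ DNS (\S+) -> (\S+)$")
CONN_RE = re.compile(r"^\S+ CONNECT (\S+):(\d+)$")


def parse_log(text):
    """Return ({ip: {names}}, [(ip, port), ...]) from the log text."""
    resolved = defaultdict(set)
    connects = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            resolved[m.group(2)].add(m.group(1))
            continue
        m = CONN_RE.match(line)
        if m:
            connects.append((m.group(1), int(m.group(2))))
    return resolved, connects


def is_public(ip):
    # is_global excludes RFC 1918, loopback, link-local, CGNAT and similar
    # ranges, which a sandbox reaches for SMB, DHCP and DNS itself.
    return ipaddress.ip_address(ip).is_global


def direct_ip_c2(text, min_unresolved=3):
    """Apply the heuristic; return the verdict and the IPs behind it."""
    resolved, connects = parse_log(text)
    public = {ip for ip, _ in connects if is_public(ip)}
    unresolved = sorted(ip for ip in public if ip not in resolved)
    named = sorted(ip for ip in public if ip in resolved)
    return {
        "fired": len(unresolved) >= min_unresolved,
        "unresolved": unresolved,   # contacted with no DNS answer seen
        "named": named,             # explained by a DNS answer
        "public_total": len(public),
    }


if __name__ == "__main__":
    print(direct_ip_c2(SAMPLE_LOG))
```

On the constructed log the rule fires on three unexplained public IPs while the two DNS-backed contacts are set aside; lowering the DNS capture's fidelity (dropping the two DNS lines) would push every public contact into the unresolved set, which is exactly how a "zero domains" figure can appear for a run whose URL list still names hosts.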
30 detections across 74 engines
Section entropy & packers
Executable sections have high entropy (7.2+) — the code is compressed or encrypted and only decrypted at runtime. Classic packing behaviour. (The 7.15 quoted in the signal list is the whole-file figure; a packed section reads higher than the file average because headers and resources dilute it.)
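The section-level check described above, as an added example rather than the page's own packer detector: a minimal stdlib PE section-table parser, Shannon entropy per section, and a likelyPacked decision from either a high-entropy section or a UPX-style section name. Because no real binary ships with the page, build_sample_pe() fabricates a minimal, non-loadable PE so the parser can be exercised offline; the 7.0 threshold and the packer section-name set are assumptions, and the sample sections are constructed.

```python
"""Per-section entropy and UPX triage on a minimal, constructed PE image.

Added example, not MalwareTips' packer detector. The section parser is a
minimal stdlib implementation; build_sample_pe() fabricates a non-runnable
PE just so the parser can be exercised offline. The 7.0 threshold and the
packer section-name list are assumptions for the example.
"""
import math
import random
import struct
from collections import Counter

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".upx"}  # UPX defaults


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Return [(name, raw_bytes)] from a PE's section table.

    MZ e_lfanew -> 'PE\\0\\0' -> COFF header -> skip optional header -> table.
    Enough for triage; it is not a loader and trusts the header fields.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt
    out = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"),
                    image[raw_ptr:raw_ptr + raw_size]))
    return out


def triage(image: bytes, threshold: float = 7.0):
    """Flag likely_packed on a high-entropy section or a packer section name."""
    sections = []
    for name, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        sections.append({"name": name, "size": len(raw), "entropy": round(ent, 2),
                         "high_entropy": bool(raw) and ent >= threshold})
    likely_packed = any(s["high_entropy"] or s["name"] in PACKER_SECTION_NAMES
                        for s in sections)
    return {"sections": sections, "likely_packed": likely_packed,
            "file_entropy": round(shannon_entropy(image), 2)}


def build_sample_pe(sections):
    """Fabricate a minimal PE (no optional header, so not loadable) holding
    the given (name, data) sections at 512-byte file alignment."""
    align = lambda x: (x + 0x1FF) // 0x200 * 0x200
    ptr = align(0x40 + 4 + 20 + 40 * len(sections))
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), ptr, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data.ljust(align(len(data)), b"\0")
        ptr += align(len(data))
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    header = dos + b"PE\0\0" + coff + table
    return header.ljust(align(len(header)), b"\0") + blobs


# Constructed inputs: a UPX-style layout (empty UPX0, pseudo-random UPX1,
# low-entropy .rsrc) and a clean-looking layout with repetitive code/data.
_rng = random.Random(0xEA16)
SAMPLE_PACKED = [
    ("UPX0", b""),
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
    (".rsrc", b"This program cannot be run in DOS mode.\r\n" * 60),
]
SAMPLE_CLEAN = [
    (".text", b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x90" * 300),
    (".data", b"Hello, world\0" * 100),
]

if __name__ == "__main__":
    for label, secs in (("packed", SAMPLE_PACKED), ("clean", SAMPLE_CLEAN)):
        print(label, triage(build_sample_pe(secs)))
```

Running it on a real file is `triage(open(path, "rb").read())`; the empty UPX0 section (zero raw size, entropy 0) alongside a near-8.0 UPX1 section is the layout UPX leaves behind, and the whole-file figure comes out lower than the packed section's because the zero-padded header and the text-heavy resource section pull the average down.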
How often this file shows up in the wild
Widely seen in the wild for a long time. For a common-old file the prior is that it is legitimate, and an isolated detection would usually be a false positive; with 30 of 74 engines flagging this one, that exception does not apply, and the long history instead confirms a well-known, consistently flagged sample.
Forensic fingerprint
- File name: u1802.exe
- Size: 3.43 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: ea16e08de0a81c229bb997a68aa4e948a190731cb4180c17691eb9dddb7bf630
- MD5: 008aae2a9a91cc55ad65da9661ad6ad3
- SHA-1: e006f872efbc3dfb0a135a233c36d6ddf2a6cc6b
- PE imphash: fc886b896f4eab5fd8b7116cded50612
- First seen (VT): 4/23/2018, 7:44:45 PM
- Last analysis (VT): 6/30/2026, 12:55:35 PM
- First scan (MalwareTips): 7/1/2026, 2:10:37 AM
- Last scan (MalwareTips): 7/1/2026, 2:10:37 AM
- Code signer: Ultrareach Internet Corp. (verified)
- Community reputation: -24 (flagged)
Reviews & malware reports (0)