File verdict · Decided by the MT AI Engine
Our call

Malicious

Seven tier-1 engines converge on UltraSurf/UltraReach family; sandbox observed process injection, direct-IP C2, and packing — classic proxy-bypass malware.

ultrasurf · Verified · Ultrareach Internet Corp.
Trust score 12 (Critical)
MT AI confidence · 92%
u1802.exe
3.4 MB
ea16e08de0a81c229bdddb7bf630
Antivirus engines
30 of 74 flagged
Code signing
Signed by Ultrareach Internet Corp.
Age
First seen 8y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

92% Confidence
Very high
Reasoning

The evidence converges on a malicious classification. Seven tier-1 engines agree on the UltraSurf/UltraReach family, establishing strong consensus beyond low-trust heuristics. The sandbox behaviour exhibits three offensive MITRE techniques: process injection into Explorer.exe (T1055), archive creation (T1560), and indicator removal (T1562.001). The direct-IP C2 pattern — contacting 15 external IPs with zero DNS lookups — is a hallmark of malware designed to evade domain-based reputation systems. The binary is packed with UPX and exhibits high entropy (7.15), consistent with obfuscation. Although the signer 'Ultrareach Internet Corp.' has no historical samples in our database, the tier-1 consensus and offensive behaviour override any benefit of the doubt. The file's age (2990 days) and prevalence (180 submissions, common_old classification) confirm it is a well-known sample, not a false positive.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. tier1Malicious=7 engines (BitDefender, DrWeb, Emsisoft, ESET-NOD32, Fortinet, GData, Kaspersky) agreeing on UltraSurf/UltraReach family — tier1FamilyConsensus.strong=true

  2. signing.verified=true but signerStats.found=false and trustedPublisher.matched=false — signer 'Ultrareach Internet Corp.' has zero historical samples in our database

  3. behaviour: T1055 (process injection), T1560 (archive), T1562.001 (indicator removal); direct-IP C2 to 15 external IPs with zero DNS domains; triggeredHeuristics fired ProcessInjection, DirectIpC2, DropperNetworkProfile (all high/medium severity)

  4. file reputation=-24, tags=['malware','upx','overlay','via-tor','detect-debug-environment'], prevalence=common_old (180 submissions since 2018) — well-known evasive malware

  5. PE entropy=7.15 (high), likelyPacked=true, UPX packer detected — obfuscated binary consistent with malware dropper

Points in its favour
  • File is digitally signed (Authenticode verified)
  • No malicious contacted hosts in our URL cache
  • No malicious dropped children detected (10 children unanalysed)
Points against
  • Process injection (T1055) into legitimate process (Explorer.exe) to evade AV hooks
  • Direct-IP command-and-control communication (15 IPs, zero DNS) bypassing reputation systems
  • UPX packing and high entropy (7.15) indicating obfuscation
  • Signer 'Ultrareach Internet Corp.' has zero historical samples — unverified publisher
  • Negative reputation score (-24) and 180 submissions since 2018 — well-known malware
  • Archive creation (T1560) and indicator removal (T1562.001) techniques observed
What to do

Block and quarantine this file immediately. UltraSurf is a known proxy-bypass tool flagged by multiple tier-1 antivirus engines and exhibits malicious sandbox behaviour including process injection and direct-IP C2 communication. Do not allow execution under any circumstances.

Threat family attribution

ultrasurf corroborated by 2 sources

  • VT (74 engines)
    ultrasurf
  • MT AI Engine
    ultrasurf
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK (23)

Adversary techniques mapped to the MITRE ATT&CK framework.

T1018, T1027, T1027.002, T1036, T1055, T1056, T1057, T1059, T1071, T1082, T1095, T1112, T1129, T1185, T1497, T1499, T1518.001, T1539, T1560, T1562, T1562.001, T1573, T1574.002
Spawned processes (15)
  • "C:\Users\<USER>\Desktop\executable.exe"
  • C:\Users\<USER>\Desktop\utmp\u.exe -L="127.0.0.1:9666" -CID="3646d911", -ProgPath="C:\Users\<USER>\Desktop\\" -TmpPath="C:\Users\<USER>\Desktop\utmp\\" -ConnMode=0 -version="1802100"
  • C:\Windows\Explorer.EXE
  • <SYSTEM32>\rundll32.exe
  • <SYSTEM32>\cmd.exe
  • <PATH_SAMPLE.EXE>
  • <CURRENT_DIR>\utmp\u.exe
  • %ProgramFiles%\google\chrome\application\chrome.exe
+7 more processes captured.
Network activity (40)
IP addresses (20)
  • 13.226.206.77
  • 142.250.158.17
  • 152.199.4.33
  • 18.154.214.101
  • 173.194.67.17
  • 151.101.1.6
  • 143.204.165.50
  • 18.238.171.57
  • 162.159.36.2
  • 54.230.12.42
+10 more
URLs (20)
  • http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
  • http://clients2.google.comclients2.google.com:443
  • http://iyyykfjhtfm/
  • http://xbgxcpqmtinygqs/
  • http://kzmpvwk/
  • http://ultrasurf.us/search.htm
+14 more
Filesystem & mutexes (40)
Files written (15)
  • \Device\Netbios
  • C:\Users\<USER>\Desktop\6fa9
  • C:\Users\<USER>\Desktop\utmp\Mqxzwilwbs2c5i3w
  • C:\Users\<USER>\Desktop\utmp\Cpaqilejch0v6h0y
  • C:\Users\<USER>\Desktop\utmp\Qfbpvxgtjf9n1s2w
+10 more
Files deleted (15)
  • C:\Users\<USER>\Desktop\6fa9
  • C:\Users\<USER>\Desktop\utmp\Mafkcfyiwb5c9z3h
  • C:\Users\<USER>\Desktop\utmp\Ulqfumbcus5q6k3o
  • C:\Users\<USER>\Desktop\utmp\Mqxzwilwbs2c5i3w
  • C:\Users\<USER>\Desktop\utmp\Cpaqilejch0v6h0y
+10 more
Mutexes created (10)
  • _!SHMSFTHISTORY!_
  • Local\WininetProxyRegistryMutex
  • Local\WininetStartupMutex
  • Local\_!MSFTHISTORY!_
  • Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
+5 more
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen
  • dd786323b5c5846c0636db8bae · Never scanned · never seen before
  • a31c695adee122834a782d84f9 · Never scanned · never seen before
  • 34c8bb4a776255595717c30c7d · Never scanned · never seen before
  • d35e6a0f1a989c9881d4e9e8d9 · Never scanned · never seen before
  • dcdabff5c82d5c124c2b4df7f8 · Never scanned · never seen before
  • de29fe002572df3d2ed2c88f4a · Never scanned · never seen before
  • c5d32d65121e15b10c7ce9dbbf · Never scanned · never seen before
  • 3450679de680a00e596e8647f3 · Never scanned · never seen before
  • 8fa889a1fc508144c55628ed9f · Never scanned · never seen before
  • 673830217a9e563ced643804dd · Never scanned · never seen before
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

3 synthesis rules
MITRE ATT&CK profile
Execution × 1 · Defense evasion × 1 · C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (high)

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    C:\Windows\Explorer.EXE
  • DirectIpC2 (medium)

    Sample contacted 19 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    13.226.206.77 · 142.250.158.17 · 152.199.4.33
  • DropperNetworkProfile (high)

    Packed PE with sandbox-observed network activity AND engine flags. Signed packed software exists legitimately, but a signed + packed + flagged binary is a signed dropper pattern.

    Evidence
    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
Antivirus engine breakdown

30 detections across 74 engines

30 malicious · 0 suspicious · 44 clean
  • Tier-1 (17 engines): 7 flag. Top commercial AVs (low FP rate)
  • Tier-2 (38 engines): 15 flag. Mainstream engines with mixed FP rates
  • Low-trust (19 engines): 8 flag. Heuristic / generic-AI engines (high FP rate)
Engine · Verdict · Detection name
  • alibabacloud · malicious · Trojan:Win/UltraReach.AU
  • ALYac · malicious · Misc.HackTool.UltraSurf
  • Arcabit · malicious · Application.UltraSurf.E
  • BitDefender · malicious · Application.UltraSurf.E
  • ClamAV · malicious · Win.Virus.Pioneer-9255921-0
  • CrowdStrike · malicious · win/grayware_confidence_100% (W)
  • CTX · malicious · exe.trojan.ultrasurf
  • Cylance · malicious · Unsafe
  • DrWeb · malicious · Tool.UltraSurf.17
  • Elastic · malicious · malicious (moderate confidence)
  • Emsisoft · malicious · Application.UltraSurf.E (B)
  • ESET-NOD32 · malicious · Win32/UltraReach.AG potentially unsafe application
  • Fortinet · malicious · Riskware/UltraReach
  • GData · malicious · Application.UltraSurf.E
  • Gridinsoft · malicious · PUP.Win32.Gen.vl!c
  • Jiangmin · malicious · RiskTool.UltraSurf.l
  • Kaspersky · malicious · Trojan.Win32.Injuke.owlp
  • Kingsoft · malicious · Win32.Troj.Generic.lc
  • Lionic · malicious · Trojan.Win32.UltraSurf.4!c
  • Malwarebytes · malicious · Malware.AI.2017780830
  • MaxSecure · malicious · Trojan.Malware.73377187.susgen
  • MicroWorld-eScan · malicious · Application.UltraSurf.E
  • NANO-Antivirus · malicious · Trojan.Win32.UltraReach.favuzy
  • Rising · malicious · Trojan.Injuke!8.10932 (CLOUD)
  • SentinelOne · malicious · Static AI - Suspicious PE
  • tehtris · malicious · Generic.Malware
  • VBA32 · malicious · BScope.Trojan.Downloader
  • VIPRE · malicious · Application.UltraSurf.E
  • Xcitium · malicious · ApplicUnwnt@#31cs4zmi19row
  • Yandex · malicious · Trojan.GenAsa!OJybGo5FLF8
Hash ea16e08de0a8… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Executable sections have high entropy (7.2+) — the code is compressed or encrypted and only decrypted at runtime. Classic packing behaviour.

Entropy 7.15 · Likely packed
Section entropy (3 sections)
  • UPX0: 0.00
  • UPX1: 7.82 (packed)
  • .rsrc: 3.68
Entropy scale 0.0 to 8.0; packed threshold 7.2
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders
109
Hundreds of people have uploaded this — common.
Total submissions
180
Includes repeat uploads by the same source.
First seen by VT
8y ago
Apr 23, 2018
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries (this file is here)
File identity

Forensic fingerprint

File biography
First seen (VT)
4/23/2018, 7:44:45 PM
First seen (MalwareBazaar)
Last analysis (VT)
6/30/2026, 12:55:35 PM
Scanned here
7/1/2026, 2:10:37 AM
File name
u1802.exe
Size
3.43 MB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
ea16e08de0a81c229bb997a68aa4e948a190731cb4180c17691eb9dddb7bf630
MD5
008aae2a9a91cc55ad65da9661ad6ad3
SHA-1
e006f872efbc3dfb0a135a233c36d6ddf2a6cc6b
PE imphash
fc886b896f4eab5fd8b7116cded50612
First scan (MalwareTips)
7/1/2026, 2:10:37 AM
Last scan (MalwareTips)
7/1/2026, 2:10:37 AM
Code signer
Ultrareach Internet Corp. (verified)
Community reputation
-24 (flagged)
Behavior tags
long-sleeps, checks-user-input, detect-debug-environment, peexe, via-tor, signed, overlay, upx, malware, corrupt
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.