Suspicious
Unsigned 2017-era executable shows process-injection and direct-IP behaviour yet zero engine detections and clean sandbox outcome.
eba6a38d59a6746489…70b3697713
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
Zero malicious detections from 71 engines and an empty tier-1 consensus argue strongly against malice. The file is unsigned and old, yet its sandbox trace includes process injection and 20 direct-IP contacts with no domains. These behavioural flags are offset by the absence of a malicious sandbox verdict, of malicious dropped children and of known-bad hosts. The combination of clean engine results and suspicious runtime artefacts places the sample in mixed-signals territory.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- engines.malicious=0 and engines.tier1Malicious=0 across 71 reporting engines
- behaviour.hasMaliciousSandboxVerdict=false and droppedChildren.hasMaliciousChild=false
- prevalence.classification=common_old with 1336 uniqueSources since 2017-06-28
- triggeredHeuristics[MalwareTips.Synth.ProcessInjection] and [MalwareTips.Synth.DirectIpC2] fired, but the sandbox produced no malicious verdict
- Zero detections from 71 engines including 17 tier-1 engines
- No malicious sandbox verdict or malicious dropped children
- Common-old prevalence with 1336 unique submitters since 2017
- T1055 process injection observed in sandbox trace
- Direct-IP network contact without DNS resolution
- Unsigned executable with no signer history
Treat as untrusted until additional context (signed vendor binary or verified source) is obtained; run only in a controlled environment.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 64.233.181.94
- 20.99.132.105
- 13.107.39.203
- a83f:8110:0:0:702:0:0:0
- 23.216.147.76
- a83f:8110:cce1:d301:10:0:0:0
- 23.216.147.64
- 20.99.184.37
- 20.99.133.109
- a83f:8110:7600:6900:6c00:6500:6700:6500
- \Device\ConDrv
- \Device\ConDrv\\Connect
- /root/.cache/dconf/user
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERF51E.tmp.WERInternalMetadata.xml
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5D9.tmp.csv
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERF609.tmp.txt
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERCAD.tmp.WERInternalMetadata.xml
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERCAF.tmp.csv
Files this sample writes at runtime
This file drops 1 child at runtime. None are currently flagged malicious in our cache.
- 81be33fc020ca08436d3…651208 (never scanned, never seen before)
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: "C:\Users\<USER>\Desktop\program.exe"
Sample contacted 20 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 64.233.181.94 · 20.99.132.105 · 13.107.39.203
0 detections across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name: Universe Sandbox VR.exe
- Size: 561.5 KB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: eba6a38d59a6746489390db8b63cd6fcad6f9a8c7bf5d67e66778970b3697713
- MD5: 6ff3841030d7dd9bf38382c8e676d80b
- SHA-1: bc8841fd46c936a0e8089e3053f8e116804e3219
- PE imphash: 784037057c16b079d55c859c5588487d
- First seen (VT): 6/27/2017, 8:02:37 PM
- Last analysis (VT): 6/29/2026, 3:08:14 PM
- First scan (MalwareTips): 7/4/2026, 5:01:22 PM
- Last scan (MalwareTips): 7/4/2026, 5:01:22 PM
- Community reputation: +2 (trusted)