Suspicious
Unsigned packed installer with process injection and direct-IP network contact; no tier-1 detections but heuristic and RAG signals suggest caution.
eeff565a36bb49788d…562073f6d1
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The evidence presents a mixed picture. On one hand, the triggered heuristics (process injection, direct-IP C2, dropper profile) and high-entropy packing are classic malware signatures, and the file is unsigned, rare, and new. On the other hand, the tier-1 engines (BitDefender, Kaspersky, ESET-NOD32, Fortinet, F-Secure, Emsisoft, DrWeb, Avira, GData) are uniformly silent, which is atypical for known malware, and the sandbox did not record a malicious verdict. The RAG consensus on this imphash is 'suspicious' (score 52), not 'malicious', and prior samples named 'PolarInstaller.exe' show 0–1 engine detections each. The combination of heuristic red flags and a 'borderline' RAG consensus warrants a 'suspicious' verdict, but the absence of both tier-1 consensus and a malicious sandbox verdict prevents escalation to 'malicious'.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 0/63 malicious; tier1Malicious=0; tier1ReportedClean=14 (BitDefender, Kaspersky, ESET-NOD32, Fortinet, F-Secure, Emsisoft, DrWeb, Avira, GData all silent)
triggeredHeuristics: MalwareTips.Synth.ProcessInjection [high] + MalwareTips.Synth.DirectIpC2 [medium] + MalwareTips.Synth.DropperNetworkProfile [high] — T1055 injection, direct-IP 162.159.36.2 (no DNS), packed unsigned PE
peAnalysis: entropy=7.66, highEntropyCode=true, likelyPacked=true; .text section entropy=7.63 (suspicious)
similarHashes: 5/5 prior verdicts on imphash=f34d5f2d4577ed6d9ceec516c1f5a744 are 'suspicious' (score=52, reasonCode=ai:borderline_mixed_signals); 3 named 'PolarInstaller.exe'
prevalence: rare_new (1 submitter, 1 submission, 0 days); no yaraify/circl/malwareBazaar hits; signing.verified=false, unsigned
- All tier-1 antivirus engines silent (BitDefender, Kaspersky, ESET-NOD32, Fortinet, F-Secure, Emsisoft, DrWeb, Avira, GData)
- No malicious sandbox verdict recorded
- No malicious dropped children or contacted hosts in our cache
- No external intelligence hits (YARA, CIRCL, MalwareBazaar)
- RAG consensus on imphash is 'suspicious' (borderline), not 'malicious'
- Unsigned executable — no publisher identity or integrity verification
- High-entropy packing (entropy 7.66) — payload hidden until execution
- Process injection (T1055) — code smuggled into legitimate process to bypass AV hooks
- Direct-IP C2 contact (162.159.36.2) — no DNS, evades reputation-based blocklists
- Rare and new (1 submission, 0 days old) — no established reputation baseline
- Dropper/stager profile — classic malware staging pattern
Treat this file as suspicious and avoid executing it on production systems. If you are the publisher, sign the executable, remove or justify the process-injection code, and contact servers by DNS hostname rather than direct IP address. If you received it from an untrusted source, delete it and consider reporting the source.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 162.159.36.2
- C:\ProgramData\Microsoft\Windows\WER\Temp
- C:\ProgramData\Microsoft\Windows\WER\Temp\43a6acfa-68a3-45fa-8f6f-9a2f1c63dc99
- C:\ProgramData\Microsoft\Windows\WER\ReportQueue
- C:\ProgramData\Microsoft\Windows\WER\Temp\79e6d380-36cd-4cef-9c6d-012622b9aca1
- C:\ProgramData\Microsoft\Windows\WER\ReportArchive
- \Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__
- \Sessions\1\BaseNamedObjects\Local\__DDrawCheckExclMode__
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: "C:\Users\<USER>\Desktop\PolarInstaller_1.0.0.exe"
Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 162.159.36.2
Unsigned, packed PE with sandbox-observed network activity. The packing step hides the payload until execution; the network call fetches or reports for the next stage. Classic dropper / stager behaviour.
Evidence: 162.159.36.2
0 detections across 74 engines
Section entropy & packers
Executable sections have high entropy (7.2+) — the code is compressed or encrypted and only decrypted at runtime. Classic packing behaviour.
How often this file shows up in the wild
Barely seen in the wild and first surfaced recently. This is the footprint of targeted malware the AV industry hasn't signatured yet — extra scrutiny is warranted.
Forensic fingerprint
- File name: PolarInstaller.exe
- Size: 9.58 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: eeff565a36bb49788d0513a7f577c1740bf1c85d902af0f30602cf562073f6d1
- MD5: 10eef8c58a4d380cb4e7c027e4628b57
- SHA-1: bdd204302508d4a8446650a425192ace7f04045b
- PE imphash: f34d5f2d4577ed6d9ceec516c1f5a744
- First seen (VT): 6/18/2026, 5:26:24 PM
- Last analysis (VT): 6/18/2026, 5:26:24 PM
- First scan (MalwareTips): 6/19/2026, 4:45:35 AM
- Last scan (MalwareTips): 6/19/2026, 4:45:35 AM
Reviews & malware reports (0)