Suspicious
Unsigned ZIP installer shows direct-IP network activity and offensive MITRE techniques despite zero AV detections.
fe64c7ab3ef7daf4fb…dd4a72b4d2The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The complete absence of engine detections across 67 reporters including 16 tier-1 clean verdicts is a strong benign indicator. However, the sandbox recorded direct-IP communication without DNS resolution, five offensive MITRE techniques, and persistence-related activity that is atypical for a paint utility. The file is unsigned and the filename triggered an injection flag in community comments. Prevalence is high and old, yet the behavioural anomalies prevent a clean classification.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 0 malicious detections across 67 reporting engines (16 tier-1 clean)
prevalence.classification=common_old (1993 sources, 2265 submissions)
triggeredHeuristics[0].rule=MalwareTips.Synth.DirectIpC2 with 18 direct IPs and 0 domains
adversarialInputFlags.anyInjectionSuspected=true (commentInjectionSuspected)
behaviour.offensiveTechniques=[T1485,T1543.003,T1547.001,T1548,T1562.001]
- Zero detections across 67 reporting engines
- 16 tier-1 engines marked clean
- Common_old prevalence (1993 sources)
- Direct-IP C2 without DNS resolution
- Five offensive MITRE techniques observed
- Unsigned executable inside ZIP
- Community tags reference bootkit and stealer behaviour
Treat as suspicious; obtain Classic Paint from an official channel and avoid running this archive.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 74.125.26.84
- 68.183.112.81
- 172.217.193.94
- 239.255.255.250
- 224.0.0.251
- 173.194.194.84
- 142.251.120.100
- 192.0.77.48
- 74.125.69.155
- 192.229.210.155
- http://www.gstatic.com/generate_204
- C:\Program Files\Classic Paint\unins000.exe
- C:\Program Files\Classic Paint\mspaint1.exe
- C:\Program Files\chrome_BITS_5888_1293904732\obedbbhbpmojnkanicioggnmelmoomoc_20230923.567854667.14_all_ENUS500000_ace7f54yxy3vtmc2mjkr5yii7sta.crx3
- C:\Program Files\chrome_BITS_5888_730484888\niikhdgajlphfehepabhhblakbdgeefj_2024.04.29.00_all_mn6yulfmndoow7mpjbjzepf3nm.crx3
- C:\Users\<USER>\AppData\Local\Temp\is-NT581.tmp\ClassicPaint-1.1-setup.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-4J9HN.tmp\ClassicPaint-1.1-setup.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-4J9HN.tmp
- C:\Program Files\Classic Paint\is-DKCAQ.tmp
- C:\Program Files\Classic Paint\is-IR5GM.tmp
- C:\Program Files\Classic Paint\mspaint1.exe
- Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
- Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
- cversions.3.m
- Local\SessionImmersiveColorMutex
- \Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- 602b43ef7df5db9797a5…58ac80Never scannednever seen before
- f75c291b4d897d9d09b2…e89e2dNever scannednever seen before
- 5f847d2e00d0eb9b8690…a893e5Never scannednever seen before
- 8cb833520093a7dbbe7e…82377fNever scannednever seen before
- 8307c20fc4aafd5d1ac9…ccebbcNever scannednever seen before
- 53733282cc5e184eaa83…0f614bNever scannednever seen before
- 388a796580234efc95f3…136f95Never scannednever seen before
- b32b4f5f3fd0144d7e61…422fa3Never scannednever seen before
- 7b4d6761839cea9f5fc5…cf1849Never scannednever seen before
- 2993cf6d89ef1ab63946…b1beefNever scannednever seen before
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 18 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence74.125.26.84 · 68.183.112.81 · 172.217.193.94
0 detections across 74 engines
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name
- ClassicPaint.zip
- Size
- 4.07 MB
- MIME type
- (unknown)
- Detected type
- ZIP
- SHA-256
- fe64c7ab3ef7daf4fb576ee2a1d9a7c2aec2ce01154293f31e51a5dd4a72b4d2
- MD5
- b87c81e588571d81438144b903d2c317
- SHA-1
- 4c326a68166f609d547cf8fd5372aa05643dfdde
- First seen (VT)
- 12/8/2022, 7:50:51 AM
- Last analysis (VT)
- 7/6/2026, 8:30:35 AM
- First scan (MalwareTips)
- 7/9/2026, 5:15:48 AM
- Last scan (MalwareTips)
- 7/9/2026, 5:15:48 AM
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.