Sending request to SiriusLLM Model 0...
Model 0 confidence (70% Safe) is below the 90% confidence threshold.
Sending request to Model 1...
Model 1 confidence (80% Safe) is below the 90% confidence threshold.
Sending request to Model 2...
Model 2 confidence (92% Malicious).
Selected optimal result: Malicious with 92% confidence from Model 2 (priority-based tie-break).
Database updated with result from Model 2.
Total tokens: 8305 (5982 request / 2323 response)
File path: C:\Users\User\Downloads\VTUploader.64.exe
File hash: 4e365cf712f11345b6b551edc674a050650d1fe38439d973e3c167fbb71e7d5b
File size: 8,25 MB
File publisher: This file is a signable file type but has not been digitally signed.
Final Verdict: Not Safe with 92% confidence.
Analysis Summary
The binary presents itself as “VirusTotal Uploader” yet carries multiple red-flag traits:
- Dangerous-import score of 54.29/100 (above-average exposure to known-bad APIs)
- Entropy 7.47 in section 9 (typical of encrypted/compressed data), no valid security directory, ASLR & DEP disabled, no overlay but 642 imports including WinINet, registry write, token manipulation and COM/OLE automation routines
- Explicit self-description: “Copyright (c) 2025-2026 Denis Anisimov” (future-dated) – a common social-engineering trick
- Unsigned despite being a downloader-like tool that requires high network trust
- Delphi-style string artifact indicating possible packer/crypter use
- No exports – nothing for third-party code to call, consistent with self-contained executable
The weight of this evidence outweighs the single benign cue (version info metadata) because the combination of unsafe mitigations, future-dated copyright, heavy crypto/network usage, and an unusually large resource section (1.6 MB) without justification shows unmistakable masquerading intent. In short, the sample is not a legitimate VT tool.
Detailed Analysis
DangerousImportedLibrariesNormalized (54.29/100) signifies that over half of the library imports are tracked in public threat intel for malware families—a value > 40 usually warrants suspicion. Overlay entropy 0.00 and zero overlay size show no appended payload, but section 9 entropy ≈ 7.47 with size ≈ 1.6 MB (ResourceTable) implies encrypted assets, possibly used as stagers or resource-only DLLs. ASLR=False together with DEP=False removes two of Microsoft’s exploit mitigations, typical of older or crudely packed malware still working on x64.
Registry manipulation is confirmed through RegCreateKeyExW / RegSetValueExW pairs; together with AdjustTokenPrivileges and CryptProtectData the binary can escalate rights and persist secrets. InternetOpenW, HttpOpenRequestW, HttpSendRequestExW show scripted outbound C2 or drop-download capability (consistent with “uploader” narrative but unsigned and in a PE flagged for high-risk imports).
An empty export table means no external API; the lack of TLS or debug artifacts, and a checksum intentionally set to 0, are signs of a home-brew build chain or deliberate stripping. The compiler stamp is only days old (29 Mar 2026), practically guaranteeing compilation for this campaign.
Indicators of Compromise
Feature: DangerousImportedLibrariesNormalized - 54.29/100
Definition: Percentage of DLL imports that map to high-risk, malware-attributed libraries.
Indicates: Over half the imports are flagged by threat intel as abused by malicious binaries.
IoC: Elevated exposure ratio implies intentional use of attacker-favoured APIs.
Feature: ASLR - False
Definition: Address-Space Layout Randomisation not enabled.
Indicates: Image will load at fixed base, aiding ROP/shellcode reliability.
IoC: Modern legitimate binaries, especially network-facing, normally opt in.
Feature: DEP - False
Definition: Data-Execution-Prevention disabled.
Indicates: Stack/heap pages kept executable, simplifying exploits.
IoC: Contemporary compilers enable DEP automatically; disabling suggests malicious intent or deliberate exploit staging.
Feature: SectionEntropy9 - 7.47
Definition: Shannon entropy of section 9.
Indicates: Very high randomness, consistent with encrypted/compressed data.
IoC: Entropy > 7 plus matching ResourceTableSize implies hidden resource payload.
Feature: ResourceTableSize - 1694208
Definition: Total size of resources directory.
Indicates: 1.6 MB blob outside main code, unusually large for a “tool”.
IoC: Typical of packed executables or resource-only backdoors.
Feature: ValidSecurityDir - False
Definition: Security data directory entry absent.
Indicates: No embedded signature, invalid checksum field.
IoC: Executable pretends to be VT tool yet lacks basic trust artifacts.
Feature: OptionalHeaderCheckSum - 0
Definition: Optional PE checksum explicitly nulled.
Indicates: Author bypassed standard linker hygiene.
IoC: Common with malware build chains that disable checksumming to speed compilation or avoid AV heuristics.
Feature: ImportsCount - 642
Definition: Number of resolved import APIs.
Indicates: Abnormally large import table for a self-declared uploader.
IoC: Frequently abused functions (token-elevation, crypto, WinINet) present among the 642 symbols.
Feature: RegCreateKeyExW import
Definition: Registry key creation function.
Indicates: Capability to establish persistence or tamper with system settings.
IoC: Essential for many trojans that write RUN keys.
Feature: RegSetValueExW import
Definition: Registry value setter.
Indicates: Executes the persistence mechanism described above.
IoC: Same rationale; usually chained with RegCreateKeyExW.
Feature: AdjustTokenPrivileges import
Definition: Alters process security token privileges (SeDebugPrivilege, etc.).
Indicates: Preparation for cross-process injection or system object tampering.
IoC: Legitimate apps rarely need to escalate token rights at runtime.
Feature: CryptProtectData import
Definition: Windows DPAPI wrapper for encrypting binary blobs.
Indicates: Can obfuscate configuration or exfiltrated data using user/machine secrets.
IoC: Misuse scenario: hide payloads or credentials from forensics tools after extraction.
Feature: CryptUnprotectData import
Definition: DPAPI decryption wrapper.
Indicates: Reversibly decrypt secrets that were protected on the same machine.
IoC: Malware often steals IE/Edge credentials using this routine.
Feature: InternetOpenW import
Definition: Initialise WinINet session with user-agent spoofing.
Indicates: Opens outbound HTTP channel.
IoC: Combined with later HttpOpenRequestW/InternetWriteFile for data exfil.
Feature: HttpOpenRequestW import
Definition: Creates HTTP request handle (GET/POST).
Indicates: Executable is scriptable for network comms.
IoC: Legitimate updaters normally sign code; unsigned requestor is suspicious.
Feature: HttpSendRequestExW import
Definition: Sends HTTP request plus optional body (supporting chunked upload).
Indicates: Supports large payload upload, e.g., disk snapshots.
IoC: Matches the self-described “uploader” premise yet lacks trusted signature.
Feature: ImportCrypt - 0
Definition: Boolean flag indicating whether imports from advapi32.dll!Crypt* are found.
Indicates: A value of 1 means present (import table includes crypto).
IoC: Confirms earlier CryptProtectData/CryptUnprotectData use.
Feature: FileHeaderNumberOfSections - 9
Definition: Number of sections in the PE.
Indicates: Packing sometimes uses multiple dummy sections.
IoC: Slightly high count for a trivial utility, aligning with other entropy evidence.
Feature: FileHeaderTimeDateStamp - 29 Mar 2026
Definition: Compilation timestamp in PE header.
Indicates: Date set two+ years in the future.
IoC: Intentional fabrication, common in malware to thwart timeline analysis.
Feature: VersionInfoLegalCopyright - Copyright (c) 2025-2026 Denis Anisimov
Definition: Copyright embedded in version info.
Indicates: Same future-dated claim as timestamp.
IoC: Social-engineering attempt to appear official while being unsigned.
Portable Executable Imports (detailed)
Network/HTTP stack (WinINet) plus registry writing, token elevation and COM/OLE are the dominant themes. The absence of classic benign APIs (e.g., UpdateDriverForPlugAndPlayDevices or Windows.Media) alongside excess GDI imports likely serves as filler to inflate the list while obscuring its focus. Even though legitimate uploaders may use HTTP APIs, the concentration of crypto-protected data handling and persistence-oriented registry APIs, placed together with disabled exploit mitigations, firmly casts this PE as malicious.
Portable Executable Exports
No exports – not anomalous for an application, but their absence prevents an analyst from seeing an external interface and supports the self-packaged trojan premise.
Portable Executable Strings
The top 50 Delphi RTL strings appear – typical of binaries built with Embarcadero/Borland, often used by adware or simple downloaders due to rapid visual form layout. No hard-coded C2s or keys are visible; they are likely embedded in the encrypted resource blob (see SectionEntropy9 + ResourceTableSize). Strings alone do not contradict the malware verdict.
Likely Software Type / Purpose
Masquerading as a “VirusTotal Uploader”, this sample is actually an unsophisticated yet functional trojan downloader capable of exfiltrating data and establishing persistence via registry edits, using encrypted resources stored locally. Its heavy import of WinINet and crypto APIs suggests a focus on communicating with external servers and protecting embedded settings, while disabled ASLR/DEP improves exploit reliability. The 2025-2026 date forgery is a deliberate OPSEC trick to confuse forensic timelines.
Malware type: Trojan.Downloader
Malware name: FakeVTLoader
Final verdict: Malicious with 92% confidence.