eu0file: d46e2b49 — False positive: legitimate Windows 8.1 mspaint.exe mis-tagged in gcleaner distribution context

Executive Summary

This sample is the legitimate Windows 8.1 RTM mspaint.exe (build 6.3.9600.16384) compiled two days post-RTM on 2013-08-22. No overlay, no appended payload, no suspicious imports, and no C2 strings are present. The OpenCTI labels eu0file and dropped-by-gcleaner appear to be distribution-context artifacts — the binary was likely bundled or referenced by a gcleaner dropper campaign and uploaded to MalwareBazaar under the generic filename file, causing automated taggers to inherit the dropper's labels. Static analysis finds a benign MFC/GDI+ GUI application with standard OS-level API imports and a ~5.6 MB .rsrc section packed with Paint toolbar bitmaps. ^[triage.json] ^[file.txt]

What It Is

The .rsrc section occupies ~5.7 MB (88 % of the file) and contains 801 RT_BITMAP, 152 RT_ICON, 36 RT_STRING, 40 RT_GROUP_ICON, and 16 RT_IMAGE entries — all standard Paint toolbar and menu artwork. ^[pefile.txt] Binwalk confirms embedded PNG toolbars, ICC profiles, and Paint.NET v3.36 metadata in bitmap resources — exactly what you expect from a raster image editor's compiled resources. ^[binwalk.txt]

How It Works

This is not malware. It is the genuine Microsoft Paint application built from the Windows 8.1 RTM source tree. There is no droppper behaviour, no reflective loading, and no network activity. The only "suspicious" indicators are external to the binary itself:

1. OpenCTI tag eu0file — assigned to at least five unrelated binaries in this corpus (a .NET assembly, a stripped x64 PE, a 556 KB x64 PE, a 10 MB x86 PE, and this mspaint.exe). The label carries no consistent build, import, or string fingerprint across samples.
2. Tag dropped-by-gcleaner — the gcleaner umbrella label is applied to any binary found in a gcleaner distribution bundle, including legitimate system utilities used as decoys or lolbins.

The binary's import table is entirely benign: ADVAPI32.dll, KERNEL32.dll, GDI32.dll, USER32.dll, SHELL32.dll, ole32.dll, OLEAUT32.dll, COMDLG32.dll, SHLWAPI.dll, PROPSYS.dll, RPCRT4.dll, WINMM.dll, MFC42u.dll, and delay-loaded gdiplus.dll. ^[pefile.txt] The only "crypto" imports are EncryptFileW and DecryptFileW — EFS APIs — used by Paint's "Save with encryption" menu option.

Decompiled Behavior

Radare2 analysis (level 2, 120 s timeout) recovered 3,728 functions. The entry point at 0x14001d410 (entry0) is a standard MFC42u WinMainCRTStartup-style entry. No anti-debug, no VM checks, no process hollowing stubs, and no InternetOpen/URLDownload patterns were found in the disassembly. ^[rabin2-info.txt]

The delay-import table contains exactly one DLL — gdiplus.dll — with 108 GDI+ flat API entries (GdipCreateBitmapFromScan0, GdiplusStartup, etc.). This is the standard delay-load pattern Microsoft uses for mspaint.exe so that GDI+ is only loaded when image editing features are accessed. ^[pefile.txt:1452]

C2 Infrastructure

None. No hardcoded IPs, domains, URLs, mutices, named pipes, or registry keys for persistence were found in any static artifact. ^[strings.txt] ^[floss.txt] ^[capa.txt]

Interesting Tidbits

• Rich header malformed: The Rich header is present but XOR key and product IDs appear garbled — a common occurrence in Windows RTM-era binaries where the Rich header was zeroed or patched during the build/signing pipeline. ^[pefile.txt]
• Version info masquerade? No. The VS_VERSIONINFO fields claim Microsoft Corporation / MSPAINT.EXE, and every build artifact (timestamp, linker, section layout, RT_BITMAP counts) is fully consistent with the legitimate Windows 8.1 Paint binary.
• No CAPE detonation: Skipped because no Windows guest exists. Even if it had run, the expected behaviour would be "launches Paint, renders blank canvas, exits on X button."
• Filename file: The binary was uploaded to MalwareBazaar with the generic filename file, stripping all contextual clues that would have triggered an automated "legitimate binary" exclusion.

How To Mess With It (Homelab Replication)

Verification against known-good:

# Extract version info
rabin2 -I /tmp/d46e2b49...bin | grep -E "compiled|dbg_file|company|file_desc"
# Expect: compiled Thu Aug 22 10:47:38 2013, dbg_file mspaint.pdb, etc.

# Compare against a known Windows 8.1 mspaint.exe
# Known-good SHA-256 for mspaint.exe (6.3.9600.16384, amd64):
# Search your local Windows ISO or ask Jake for a clean reference.
# If the hashes differ, check for binary patching — this sample is unmodified.

What you'll learn: how automated threat-intel platforms can over-label legitimate system binaries when they appear in malicious distribution bundles, and why every "malware" sample needs a sanity-check against known-good baselines before deep-dive resources are committed.

Deployable Signatures

YARA — "Known-good Windows 8.1 mspaint.exe (RTM build)"

Use this to whitelist or identify when the legitimate Paint binary appears in suspicious contexts.

rule known_good_mspaint_win81_rtm_2013 {
    meta:
        description = "Known-good Windows 8.1 RTM mspaint.exe (6.3.9600.16384)"
        author = "deep-dive-agent"
        date = "2026-06-15"
        hash = "d46e2b499e86af660a5778b64eea5738a5fea32b693dc078b0d2067abf176aec"
        confidence = "high"
    strings:
        $ver1 = "6.3.9600.16384 (winblue_rtm.130821-1623)" ascii wide
        $ver2 = "Microsoft Windows Operating System" ascii wide
        $pdb  = "mspaint.pdb" ascii
        $ico0 = { 89 50 4E 47 0D 0A 1A 0A }     // PNG signature (toolbar icon)
        $ico1 = "Paint.NET v3.36" ascii
    condition:
        uint16(0) == 0x5A4D
        and pe.machine == pe.MACHINE_AMD64
        and pe.OPTIONAL_HEADER.Subsystem == pe.SUBSYSTEM_WINDOWS_GUI
        and pe.timestamp == 0x5215EC4A
        and $ver1
        and $pdb
        and filesize < 7MB
}

IOC List

Behavioral Fingerprint Statement

This binary is a 6.3 MB PE32+ x64 GUI executable with a compile timestamp of 2013-08-22, version 6.3.9600.16384, and an import table limited to standard Windows GUI APIs (GDI32, USER32, SHELL32, MFC42u) plus delay-loaded gdiplus.dll. It contains a ~5.7 MB .rsrc section with 801 bitmap and 152 icon entries. It makes no network connections, creates no suspicious files, and exhibits no anti-analysis behaviour. When found in a malware context, it should be treated as a dropped decoy or bundled legitimate tool rather than a malicious payload.

Detection Signatures

References

• OpenCTI artifact ID: f2be896d-74a9-4f33-80ea-c032b299cebd ^[metadata.json]
• MalwareBazaar source with labels eu0.file, dropped-by-gcleaner ^[triage.json]
• Related entity: gcleaner — umbrella dropper label from which this sample inherited its dropped-by-gcleaner tag
• Other eu0file-tagged samples in corpus: a1090969 (.NET), 1b136372 (stripped x64), 1e36dbcd (556 KB x64), b987be34 (10 MB x86) — none share build or behaviour with this sample, reinforcing the false-positive assessment

Provenance

Report generated from static analysis of d46e2b499e86af660a5778b64eea5738a5fea32b693dc078b0d2067abf176aec. Tools: file (PE32+ x86-64), pefile (section/import/delay-import/version-info parsing), exiftool (VS_VERSIONINFO extraction), strings, binwalk (embedded PNG/artifact detection), radare2 (function analysis, 3728 functions recovered), and manual Python (pefile library for overlay/security-dir/resource-type inspection). No dynamic analysis was performed (CAPE skipped — no Windows guest). Assessment is static-only and should be revisited if CAPE detonation on a Windows guest produces unexpected behaviour.