Safe
Legitimate Rufus 4.13 USB boot tool from Akeo Consulting: official release verified on rufus.ie with matching hash, size, signature; single Bkav false positive ignored as all tier-1 engines clean.
a314db019d608e3d9b…080eb13b1bThe reasoning behind this verdict
The MT AI Engine weighs every signal from this scan — antivirus detections, sandbox behaviour, code signing, prevalence and historical matches — to reach a single, evidence-based verdict.
rufus-4.13.exe claims to be Rufus version 4.13, a popular utility for formatting USB drives and making them bootable from ISOs, signed by Akeo Consulting on the official release date. Our AV partners show just one low-trust detection from Bkav using the generic 'W64.AIDetectMalware' label, while 17 tier-1 engines like BitDefender, Kaspersky, and ESET reported clean; Bkav often produces false positives on legitimate packed utilities. Sandbox behavior aligns perfectly with Rufus: UPX packing, USB bus checks, mutex 'Global/Rufus', temp files, and outbound to rufus.ie/GitHub for updates—no malicious drops or persistence. No threat intel hits, positive reputation, and confirmed official hash seal it as clean software.
- Valid Authenticode signature by Akeo Consulting, confirmed publisher of Rufus via official rufus.ie site.
- Exact file matches official Rufus 4.13 release: filename, 1.9MB size, Feb 17 2026 date, and SHA-256 hash.
- All 17 tier-1 engines (BitDefender, Kaspersky, ESET, etc.) reported undetected.
- Sandbox activity consistent with Rufus: USB enumeration, contacts to rufus.ie and GitHub releases, branded mutex 'Global/Rufus'.
- Positive reputation score of 7, medium prevalence from 17k+ legitimate submissions, no external threat intel hits.
- One low-trust engine (Bkav) detected 'W64.AIDetectMalware', a generic AI/heuristic alert prone to false positives on packed executables.
- Network tags include 'detect-debug-environment' and 'upx', which can appear in both malware and legitimate protected software.
Always download Rufus from the official rufus.ie website and confirm the SHA-256 hash is a314db019d608e3d9b2eda797ba5bbe4dfc91bcd621decd144a580080eb13b1b. Run it normally—it's a trusted tool for bootable USB creation.
What to do now
This file looks safe based on everything we checked.
This file is safe to use.
Good habit: only download files from the official website or an app store.
Keep your antivirus and Windows updates switched on so you stay protected.
1 contradiction resolved by the scoring engine
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 185.199.109.153
- 104.18.21.213
- 140.82.114.3
- 185.199.108.133
- 140.82.112.6
- 224.0.0.251
- 224.0.0.252
- 162.159.36.2
- http://r13.c.lencr.org/79.crl
- https://rufus.ie/sbat_level.txt
- https://rufus.ie/sb_active.txt
- https://rufus.ie/sb_revoked.txt
- https://rufus.ie/Fido.ver
- https://github.com/pbatard/Fido/releases/download/v1.68/Fido.ps1.lzma
- \Device\ConDrv\Connect
- C:\Users\<USER>\AppData\Local\Temp\RufC718.tmp
- C:\Windows\System32\GroupPolicy\gpt.ini
- C:\Windows\System32\GroupPolicy\Machine\Registry.pol
- C:\Users\user\AppData\Local\Temp\Ruf973.tmp
- Global/Rufus
- \Sessions\1\BaseNamedObjects\DBWinMutex
- \Sessions\1\BaseNamedObjects\Global/Rufus
- \BaseNamedObjects\Local\SM0:5936:304:WilStaging_02
Files this sample writes at runtime
This file drops 2 children at runtime. None are currently flagged malicious in our cache.
- b6c5f5b2e2499fceb92e…92aafcNever scannednever seen before
- 14694dbee3897b6bd5aa…e8e579Never scannednever seen before
YARA & heuristic rule matches
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
Sample contacted 6 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence185.199.109.153 · 104.18.21.213 · 140.82.114.3Packed PE with sandbox-observed network activity AND engine flags. Signed packed software exists legitimately, but a signed + packed + flagged binary is a signed dropper pattern.
Evidencehttp://r13.c.lencr.org/79.crl
1 detection across 76 engines
Section entropy & packers
Executable sections have high entropy (7.2+) — the code is compressed or encrypted and only decrypted at runtime. Classic packing behaviour.
How widely this file has been seen
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name
- rufus-4.13.exe
- Size
- 1.86 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- a314db019d608e3d9b2eda797ba5bbe4dfc91bcd621decd144a580080eb13b1b
- MD5
- d9c4cd467677e8bb23d8d1c2350e08e3
- SHA-1
- 29c86660baa994db07599166209006708252081f
- PE imphash
- 93f5418d49b9d5fa371bd3c33af0387b
- First seen (VT)
- 2/17/2026, 3:14:07 PM
- Last analysis (VT)
- 4/23/2026, 11:49:29 PM
- First scan (MalwareTips)
- 4/21/2026, 2:12:17 PM
- Last scan (MalwareTips)
- 4/24/2026, 12:13:51 AM
- Code signer
- Akeo Consultingverified
- Community reputation
- +7trusted
Safety FAQ
Common questions about rufus-4.13.exe, answered from the scan data above.
- rufus-4.13.exe appears safe. 75 of 76 antivirus engines report it clean, with only 1 low-confidence detection that read as false positives. It carries a verified digital signature from Akeo Consulting. As a habit, only run files you downloaded from the official source, since attackers sometimes distribute trojanised copies of legitimate software under the same name.
- rufus-4.13.exe is a Windows executable program, about 1.9 MB. Our analysis found no threat indicators for it. It carries a verified digital signature from Akeo Consulting. A file's name can be reused by different files, so we identify it by its cryptographic hash (below).
- 1 of 76 antivirus engines flagged rufus-4.13.exe, 1 of them as outright malicious. A small number of detections can include false positives, so we weigh which engines flagged it and what else the file does, not just the raw count.
- Yes — rufus-4.13.exe carries a valid digital signature from Akeo Consulting, which confirms the file hasn't been tampered with since that publisher signed it. A valid signature is a positive signal, but note that malware is occasionally signed with stolen or abused certificates, so it isn't proof of safety on its own.
- The SHA-256 hash of rufus-4.13.exe is a314db019d608e3d9b2eda797ba5bbe4dfc91bcd621decd144a580080eb13b1b, and its MD5 is d9c4cd467677e8bb23d8d1c2350e08e3. This hash is the file's unique fingerprint — two files with the same SHA-256 are identical. Use it to confirm you're looking at exactly this file (not just one with the same name) when comparing against antivirus databases or a download's published checksum.
- Based on this scan, yes — rufus-4.13.exe shows no threat indicators and is properly signed. The important caveat is source: make sure you downloaded it from the official website or a trusted store, because attackers sometimes distribute malware-laced copies under a legitimate file's name. If your own antivirus flags it while we report it clean, that is most often a false positive, but verify the source before overriding your antivirus.
- This report reflects the scan run on April 21, 2026. Because a file's hash never changes, the identity of rufus-4.13.exe is fixed — but antivirus coverage improves over time, so a file that looks clean today can pick up detections later (and vice-versa). If you need the latest picture, MalwareTips staff can re-run the analysis from scratch.
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.