File verdict·Decided by the MT AI Engine
Our call

Safe

Legitimate Rufus 4.13 USB boot tool from Akeo Consulting: official release verified on rufus.ie with matching hash, size, signature; single Bkav false positive ignored as all tier-1 engines clean.

Verified · Akeo Consulting
Trust score 8 · Critical
MT AI confidence · 95%
rufus-4.13.exe
1.9 MB
a314db019d608e3d9b080eb13b1b
Antivirus engines
1 of 76 flagged
Code signing
Signed by Akeo Consulting
Age
First seen 4mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

95% confidence · Very high
Reasoning

rufus-4.13.exe presents itself as Rufus 4.13, the Akeo Consulting utility for formatting USB drives and writing bootable media from ISOs, and carries an Akeo Consulting Authenticode signature dated to the official release. Of 76 engines only Bkav flagged it, with the generic 'W64.AIDetectMalware' label that its AI classifier frequently applies to legitimate packed utilities; all 17 tier-1 engines (BitDefender, Kaspersky, ESET and others) reported it clean. Sandbox behaviour matches what Rufus is expected to do: a UPX-packed image, USB bus enumeration, the branded mutex 'Global/Rufus', temporary files under %TEMP%, and outbound requests to rufus.ie and GitHub for its Secure Boot revocation data and update check, with no malicious file drops and no persistence. Community reputation is positive and the SHA-256 matches the official release hash. No threat-intel hits were recorded, but external intel sources were not collected for this scan, so that is absence of data rather than a negative result. Taken together, the file is clean.

Points in its favour
  • Valid Authenticode signature by Akeo Consulting, confirmed publisher of Rufus via official rufus.ie site.
  • Exact file matches official Rufus 4.13 release: filename, 1.9MB size, Feb 17 2026 date, and SHA-256 hash.
  • All 17 tier-1 engines (BitDefender, Kaspersky, ESET, etc.) reported undetected.
  • Sandbox activity consistent with Rufus: USB enumeration, contacts to rufus.ie and GitHub releases, branded mutex 'Global/Rufus'.
  • Positive reputation score of 7 and medium prevalence from 17k+ submissions. No external threat-intel hits were recorded, with the caveat that external intel sources were not collected for this scan.
Points against
  • One low-trust engine (Bkav) detected 'W64.AIDetectMalware', a generic AI/heuristic alert prone to false positives on packed executables.
  • Behavior tags include 'detect-debug-environment' and 'upx', which appear in both malware and legitimately protected or packed software.
What to do

Download Rufus only from the official rufus.ie website. Before running it, confirm that the SHA-256 hash is a314db019d608e3d9b2eda797ba5bbe4dfc91bcd621decd144a580080eb13b1b and that the Authenticode signature verifies with Akeo Consulting as the signer. If both checks pass, run it normally; it is a trusted tool for creating bootable USB media. If either check fails, do not run the file, whatever the AV count says.
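The check above, scripted as an added example (this is not code from the scan page or from Akeo Consulting). It assumes the download sits in the current user's Downloads folder; the expected hash and signer name are the ones shown on this page. Run it in PowerShell on the machine where the file was downloaded.

```powershell
# Added example, not the scan page's or Akeo Consulting's code.
# Re-checks a downloaded rufus-4.13.exe against the values recorded in the verdict
# before it is run. Assumed: the file is in $env:USERPROFILE\Downloads.

$ExpectedSha256 = 'a314db019d608e3d9b2eda797ba5bbe4dfc91bcd621decd144a580080eb13b1b'
$ExpectedSigner = 'Akeo Consulting'
$Path           = Join-Path $env:USERPROFILE 'Downloads\rufus-4.13.exe'

function Test-SignedDownload {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [Parameter(Mandatory)] [string] $ExpectedSigner
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Not found: $Path"
    }

    # 1. Content: SHA-256 must equal the published value (case-insensitive hex compare).
    #    A matching MD5 or SHA-1 alone is not sufficient; only SHA-256 is collision-resistant in practice.
    $actualSha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = ($actualSha256 -ieq $ExpectedSha256)

    # 2. Authenticode: the signature must verify AND chain to a trusted root ('Valid').
    #    'HashMismatch' means the bytes changed after signing; 'NotSigned' speaks for itself.
    $sig   = Get-AuthenticodeSignature -LiteralPath $Path
    $sigOk = ($sig.Status -eq 'Valid')

    # 3. Publisher: a valid signature from the wrong company is still a fail.
    $signerCn = $null
    if ($null -ne $sig.SignerCertificate) {
        $signerCn = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }
    $signerOk = ($signerCn -eq $ExpectedSigner)

    # 4. Provenance (informational only): browsers record the download origin in the
    #    Zone.Identifier alternate data stream; it is absent if the file was copied from elsewhere.
    $hostUrl = $null
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) {
        $hostUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' } | Select-Object -First 1) -replace '^HostUrl=', ''
    }

    $verdict = if ($hashOk -and $sigOk -and $signerOk) { 'OK to run' } else { 'DO NOT RUN' }

    [pscustomobject]@{
        Path        = $Path
        Sha256Match = $hashOk
        SigStatus   = $sig.Status
        Signer      = $signerCn
        SignerMatch = $signerOk
        HostUrl     = $hostUrl
        Verdict     = $verdict
    }
}

Test-SignedDownload -Path $Path -ExpectedSha256 $ExpectedSha256 -ExpectedSigner $ExpectedSigner | Format-List
```

The three pass/fail checks are independent on purpose: a hash match proves you have the same bytes the page analysed, the signature status proves those bytes were not altered after Akeo signed them, and the signer-name check catches a validly signed file from someone else. HostUrl is reported but not scored, because a file copied from a USB stick or a network share legitimately has no Zone.Identifier stream.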

Sources disagree

1 contradiction resolved by the scoring engine

Only low-trust / heuristic engines flagged this file
1 engine from the heuristic / generic-AI set flagged it. No tier-1 engine agreed.
Verdict treated these as likely false positives.
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK (14)

Adversary techniques mapped to the MITRE ATT&CK framework.

  • T1027 Obfuscated Files or Information
  • T1027.002 Software Packing
  • T1036 Masquerading
  • T1070 Indicator Removal
  • T1070.006 Timestomp
  • T1071 Application Layer Protocol
  • T1082 System Information Discovery
  • T1083 File and Directory Discovery
  • T1091 Replication Through Removable Media
  • T1112 Modify Registry
  • T1120 Peripheral Device Discovery
  • T1129 Shared Modules
  • T1562 Impair Defenses
  • T1562.001 Disable or Modify Tools
Spawned processes (4)
  • "C:\Users\<USER>\Desktop\rufus-4.13.exe"
  • "C:\Users\user\Desktop\rufus-4.13.exe"
  • C:\Windows\System32\vdsldr.exe -Embedding
  • C:\Windows\System32\vds.exe
The two vds entries are the Windows Virtual Disk Service loader and service, started by COM activation when the sample asks for partitioning and formatting operations; they are Windows components, not payloads dropped by the sample.
Network activity (27)
IP addresses (8)
  • 185.199.109.153
  • 104.18.21.213
  • 140.82.114.3
  • 185.199.108.133
  • 140.82.112.6
  • 224.0.0.251
  • 224.0.0.252
  • 162.159.36.2
URLs (19)
  • http://r13.c.lencr.org/79.crl
  • https://rufus.ie/sbat_level.txt
  • https://rufus.ie/sb_active.txt
  • https://rufus.ie/sb_revoked.txt
  • https://rufus.ie/Fido.ver
  • https://github.com/pbatard/Fido/releases/download/v1.68/Fido.ps1.lzma
+13 more
Filesystem & mutexes (11)
Files written (7)
  • \Device\ConDrv\Connect
  • C:\Users\<USER>\AppData\Local\Temp\RufC718.tmp
  • C:\Windows\System32\GroupPolicy\gpt.ini
  • C:\Windows\System32\GroupPolicy\Machine\Registry.pol
  • C:\Users\user\AppData\Local\Temp\Ruf973.tmp
+2 more
Mutexes created (4)
  • Global/Rufus
  • \Sessions\1\BaseNamedObjects\DBWinMutex
  • \Sessions\1\BaseNamedObjects\Global/Rufus
  • \BaseNamedObjects\Local\SM0:5936:304:WilStaging_02
Dropped payload

Files this sample writes at runtime

This file drops 2 children at runtime. None are currently flagged malicious in our cache.

2 unseen
  • b6c5f5b2e2499fceb92e92aafc: never scanned, never seen before
  • 14694dbee3897b6bd5aae8e579: never scanned, never seen before
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

Two MalwareTips synthesis heuristics matched this sample. They are not researcher-curated YARA rules that target specific malware families and are near-definitive; they are generic behavioural heuristics computed over the VT and sandbox data, and they should be weighed accordingly.

2 synthesis rules matched
MITRE ATT&CK profile: Execution × 1, C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • DirectIpC2 · medium

    Rule text: the sample contacted 6 external IP address(es) and zero domains. Benign software virtually always uses DNS, so direct-IP C2 with no DNS is treated as a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Caveat: the premise does not hold for this run. The rule counted the IP field alone, while the URL list from the same sandbox run shows hostnames (rufus.ie, github.com, r13.c.lencr.org), so name resolution was clearly in use, and two of the eight addresses (224.0.0.251 and 224.0.0.252) are the mDNS and LLMNR multicast groups used for local name resolution, not external endpoints. The medium weight reflects a rule-quality problem rather than evidence against the file.

    Evidence
    185.199.109.153 · 104.18.21.213 · 140.82.114.3
  • DropperNetworkProfile · high

    Rule text: packed PE with sandbox-observed network activity AND engine flags. Signed packed software exists legitimately, but a signed + packed + flagged binary is treated as a signed-dropper pattern.

    Caveat: the only engine flag is the single low-trust Bkav detection already discounted above, and the cited evidence is a fetch of a Let's Encrypt CRL (r13.c.lencr.org), which is Windows checking certificate revocation during a TLS connection, not behaviour chosen by the sample. Neither of the two files written at runtime is flagged.

    Evidence
    http://r13.c.lencr.org/79.crl
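To make the DirectIpC2 point concrete, here is an added example (not the MalwareTips rule implementation) that re-runs the direct-IP check the way it should be run over the network data listed above: link-local multicast and private ranges are never counted as external, and a request only counts as "DNS-less" when the URL itself targets an IP literal. The input arrays are the eight IPs and the six URLs shown on this page; the 13 unlisted URLs are not available and are not invented here.

```powershell
# Added example, not the MalwareTips synthesis rule. Re-evaluates "direct-IP C2"
# over the Network activity data shown on this page. Constructed inputs: the 8 IPs
# and 6 URLs listed above (the "+13 more" URLs are unknown and left out).

$ObservedIps = @(
    '185.199.109.153', '104.18.21.213', '140.82.114.3', '185.199.108.133',
    '140.82.112.6', '224.0.0.251', '224.0.0.252', '162.159.36.2'
)
$ObservedUrls = @(
    'http://r13.c.lencr.org/79.crl',
    'https://rufus.ie/sbat_level.txt',
    'https://rufus.ie/sb_active.txt',
    'https://rufus.ie/sb_revoked.txt',
    'https://rufus.ie/Fido.ver',
    'https://github.com/pbatard/Fido/releases/download/v1.68/Fido.ps1.lzma'
)

function Test-PublicIPv4 {
    # True only for a routable, unicast IPv4 address. Multicast (224/4, which carries
    # mDNS and LLMNR), loopback, link-local and RFC 1918 space are not "external".
    param([Parameter(Mandatory)][string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($b.Length -ne 4) { return $false }                          # IPv6 not scored here
    if ($b[0] -ge 224) { return $false }                            # multicast / reserved
    if ($b[0] -eq 10 -or $b[0] -eq 127) { return $false }           # RFC 1918 / loopback
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $false }         # link-local
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }
    return $true
}

function Test-DirectIpC2 {
    param([string[]]$Ips, [string[]]$Urls)

    $public = @($Ips | Where-Object { Test-PublicIPv4 $_ })

    # A direct-IP connection is a request whose host is an IP literal. A hostname in
    # the URL means the sample resolved a name first, whatever the IP field says.
    $named = @(); $literal = @()
    foreach ($u in $Urls) {
        $uri = [uri]$u
        if ($uri.HostNameType -eq 'Dns') { $named += $uri.Host } else { $literal += $uri.Host }
    }
    $domains = @($named | Sort-Object -Unique)

    [pscustomobject]@{
        PublicIps       = $public.Count
        Domains         = $domains.Count
        DomainList      = ($domains -join ', ')
        IpLiteralUrls   = $literal.Count
        # Fire only when the sample really talked to IP literals and never to a name.
        DirectIpC2Fires = ($literal.Count -gt 0 -and $domains.Count -eq 0)
    }
}

Test-DirectIpC2 -Ips $ObservedIps -Urls $ObservedUrls | Format-List
```

With the six URLs on this page every request carries a hostname (rufus.ie, github.com, r13.c.lencr.org) and none targets an IP literal, so a correctly scoped rule has no direct-IP request to fire on, whatever the raw count of resolved addresses is. The same function flags a sample whose URL list contains entries like `http://203.0.113.7/gate.php` and no hostnames, which is the pattern the rule text describes.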
Antivirus engine breakdown

1 detection across 76 engines

1 malicious · 0 suspicious · 75 clean
Tier-1 (17 engines; top commercial AVs, low FP rate): 0 flagged
Tier-2 (38 engines; mainstream engines with mixed FP rates): 0 flagged
Low-trust (21 engines; heuristic / generic-AI engines, high FP rate): 1 flagged
  • Bkav: malicious, W64.AIDetectMalware
Hash a314db019d60… cross-referenced against 76 AV engines via our AV network.
PE forensics

Section entropy & packers

Executable sections have high entropy (7.2 or above): the code is compressed or encrypted on disk and only expanded at runtime, which is classic packing behaviour. Here the section names identify the packer as UPX, and UPX packing is part of the expected Rufus profile noted in the reasoning above, so this indicator is consistent with the legitimate build rather than evidence against it.

Overall entropy 7.62: likely packed
Section entropy (3 sections; scale 0.0 to 8.0, packed threshold 7.2)
  • UPX0: 0.00 (no raw data on disk; the unpacked image is expanded into this section at runtime)
  • UPX1: 8.00 (packed; holds the compressed image and the unpacker stub)
  • .rsrc: 3.93
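The figures above can be reproduced locally. The following is an added example (not the MT engine's code) that walks the PE section table and computes Shannon entropy for each section's on-disk bytes, using the page's 7.2 threshold. It assumes a path to the downloaded file; it reads only the section table, so data after the last section (the overlay, where the Authenticode signature usually lives) is not scored.

```powershell
# Added example, not the MT engine's implementation. Per-section Shannon entropy
# for a PE file, to reproduce the UPX0 / UPX1 / .rsrc values shown on this page.
# Assumed: $Path points at the downloaded rufus-4.13.exe; threshold 7.2 is the page's.

function Get-ShannonEntropy {
    # H = -sum(p_i * log2 p_i) over the 256 byte values; 0.0 for uniform data, 8.0 at maximum.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $n = [double]$Bytes.Length
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $n
            $h -= $p * [Math]::Log($p, 2)
        }
    }
    return $h
}

function Get-PeSectionEntropy {
    param(
        [Parameter(Mandatory)][string]$Path,
        [double]$PackedThreshold = 7.2
    )
    $data = [System.IO.File]::ReadAllBytes($Path)
    if ($data[0] -ne 0x4D -or $data[1] -ne 0x5A) { throw 'Not an MZ executable' }

    # e_lfanew at 0x3C points at "PE\0\0"; COFF header follows the 4-byte signature.
    $pe = [BitConverter]::ToInt32($data, 0x3C)
    if ([BitConverter]::ToUInt32($data, $pe) -ne 0x00004550) { throw 'PE signature missing' }
    $numSections = [BitConverter]::ToUInt16($data, $pe + 6)
    $optHdrSize  = [BitConverter]::ToUInt16($data, $pe + 20)
    $sectionTable = $pe + 24 + $optHdrSize

    for ($i = 0; $i -lt $numSections; $i++) {
        $s = $sectionTable + 40 * $i                      # IMAGE_SECTION_HEADER is 40 bytes
        $name    = [System.Text.Encoding]::ASCII.GetString($data, $s, 8).TrimEnd([char]0)
        $rawSize = [BitConverter]::ToUInt32($data, $s + 16)   # SizeOfRawData
        $rawPtr  = [BitConverter]::ToUInt32($data, $s + 20)   # PointerToRawData

        # Clamp to the file: a truncated or "corrupt"-tagged file may declare more than it has.
        if ([long]$rawPtr + [long]$rawSize -gt $data.Length) {
            $rawSize = [uint32]([Math]::Max(0, $data.Length - [long]$rawPtr))
        }

        # UPX0 declares a VirtualSize but SizeOfRawData = 0: nothing on disk, entropy 0.00.
        $slice = New-Object 'byte[]' ([int]$rawSize)
        if ($rawSize -gt 0) { [Array]::Copy($data, [int]$rawPtr, $slice, 0, [int]$rawSize) }

        $h = Get-ShannonEntropy -Bytes $slice
        [pscustomobject]@{
            Section = $name
            RawSize = $rawSize
            Entropy = [Math]::Round($h, 2)
            Packed  = ($h -ge $PackedThreshold)
        }
    }
}

Get-PeSectionEntropy -Path (Join-Path $env:USERPROFILE 'Downloads\rufus-4.13.exe') | Format-Table -AutoSize
```

Entropy alone cannot distinguish a UPX-packed legitimate tool from a UPX-packed dropper; what it does give you is a cheap, reproducible way to confirm that a binary matches the section profile published for the version you expect, and to notice when a "Rufus" build suddenly has a different section layout.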
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
3,719
Thousands of distinct uploaders: common.
Total submissions
17,565
Includes repeat uploads by the same source.
First seen by VT
4mo ago
Feb 17, 2026
Prevalence quadrant
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
2/17/2026, 3:14:07 PM
First seen (MalwareBazaar)
Last analysis (VT)
4/23/2026, 11:49:29 PM
Scanned here
4/24/2026, 12:13:51 AM
File name
rufus-4.13.exe
Size
1.86 MB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
a314db019d608e3d9b2eda797ba5bbe4dfc91bcd621decd144a580080eb13b1b
MD5
d9c4cd467677e8bb23d8d1c2350e08e3
SHA-1
29c86660baa994db07599166209006708252081f
PE imphash
93f5418d49b9d5fa371bd3c33af0387b
First scan (MalwareTips)
4/21/2026, 2:12:17 PM
Last scan (MalwareTips)
4/24/2026, 12:13:51 AM
Code signer
Akeo Consulting (verified)
Community reputation
+7 (trusted)
Behavior tags
overlay, upx, corrupt, checks-usb-bus, detect-debug-environment, calls-wmi, peexe, signed, 64bits
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Scanned by harlan4096 (Staff)
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.