File verdict·Decided by the MT AI Engine
Our call

Safe

Legitimate Rufus 4.13 USB boot tool from Akeo Consulting: official release verified on rufus.ie with matching hash, size, signature; single Bkav false positive ignored as all tier-1 engines clean.

Verified · Akeo Consulting
Trust score8Critical
rufus-4.13.exe
1.9 MB
a314db019d608e3d9b080eb13b1b
Antivirus engines
1 of 76 flagged
Code signing
Signed by Akeo Consulting
Age
First seen 5mo ago
MT AI Engine · Verdict analysis

The reasoning behind this verdict

The MT AI Engine weighs every signal from this scan — antivirus detections, sandbox behaviour, code signing, prevalence and historical matches — to reach a single, evidence-based verdict.

95%Confidence
Very high
Reasoning

rufus-4.13.exe claims to be Rufus version 4.13, a popular utility for formatting USB drives and making them bootable from ISOs, signed by Akeo Consulting on the official release date. Our AV partners show just one low-trust detection from Bkav using the generic 'W64.AIDetectMalware' label, while 17 tier-1 engines like BitDefender, Kaspersky, and ESET reported clean; Bkav often produces false positives on legitimate packed utilities. Sandbox behavior aligns perfectly with Rufus: UPX packing, USB bus checks, mutex 'Global/Rufus', temp files, and outbound to rufus.ie/GitHub for updates—no malicious drops or persistence. No threat intel hits, positive reputation, and confirmed official hash seal it as clean software.

Points in its favour
  • Valid Authenticode signature by Akeo Consulting, confirmed publisher of Rufus via official rufus.ie site.
  • Exact file matches official Rufus 4.13 release: filename, 1.9MB size, Feb 17 2026 date, and SHA-256 hash.
  • All 17 tier-1 engines (BitDefender, Kaspersky, ESET, etc.) reported undetected.
  • Sandbox activity consistent with Rufus: USB enumeration, contacts to rufus.ie and GitHub releases, branded mutex 'Global/Rufus'.
  • Positive reputation score of 7, medium prevalence from 17k+ legitimate submissions, no external threat intel hits.
Points against
  • One low-trust engine (Bkav) detected 'W64.AIDetectMalware', a generic AI/heuristic alert prone to false positives on packed executables.
  • Network tags include 'detect-debug-environment' and 'upx', which can appear in both malware and legitimate protected software.
Recommended action

Always download Rufus from the official rufus.ie website and confirm the SHA-256 hash is a314db019d608e3d9b2eda797ba5bbe4dfc91bcd621decd144a580080eb13b1b. Run it normally—it's a trusted tool for bootable USB creation.

What to do now

This file looks safe based on everything we checked.

  1. This file is safe to use.

  2. Good habit: only download files from the official website or an app store.

  3. Keep your antivirus and Windows updates switched on so you stay protected.

Sources disagree

1 contradiction resolved by the scoring engine

Only low-trust / heuristic engines flagged this file
1 engine from the heuristic / generic-AI set flagged it. No tier-1 engine agreed.
Verdict treated these as likely false positives.
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
14

Adversary techniques mapped to the MITRE ATT&CK framework.

T1027· Obfuscated codeT1027.002· Obfuscated codeT1036T1070· Covers its tracksT1070.006· Covers its tracksT1071· Remote server (C2)T1082· System reconT1083· Scans your filesT1091· USB spreadingT1112T1120T1129· Loads modulesT1562· Disables securityT1562.001· Disables security
Spawned processes
4
$(unnamed)
"C:\Users\<USER>\Desktop\rufus-4.13.exe"
$(unnamed)
"C:\Users\user\Desktop\rufus-4.13.exe"
$(unnamed)
C:\Windows\System32\vdsldr.exe -Embedding
$(unnamed)
C:\Windows\System32\vds.exe
Network activity
27
IP addresses8
  • 185.199.109.153
  • 104.18.21.213
  • 140.82.114.3
  • 185.199.108.133
  • 140.82.112.6
  • 224.0.0.251
  • 224.0.0.252
  • 162.159.36.2
URLs19
  • http://r13.c.lencr.org/79.crl
  • https://rufus.ie/sbat_level.txt
  • https://rufus.ie/sb_active.txt
  • https://rufus.ie/sb_revoked.txt
  • https://rufus.ie/Fido.ver
  • https://github.com/pbatard/Fido/releases/download/v1.68/Fido.ps1.lzma
+13 more
Filesystem & mutexes
11
Files written7
  • \Device\ConDrv\Connect
  • C:\Users\<USER>\AppData\Local\Temp\RufC718.tmp
  • C:\Windows\System32\GroupPolicy\gpt.ini
  • C:\Windows\System32\GroupPolicy\Machine\Registry.pol
  • C:\Users\user\AppData\Local\Temp\Ruf973.tmp
+2 more
Mutexes created4
  • Global/Rufus
  • \Sessions\1\BaseNamedObjects\DBWinMutex
  • \Sessions\1\BaseNamedObjects\Global/Rufus
  • \BaseNamedObjects\Local\SM0:5936:304:WilStaging_02
Dropped payload

Files this sample writes at runtime

This file drops 2 children at runtime. None are currently flagged malicious in our cache.

2 unseen
  • b6c5f5b2e2499fceb92e92aafcNever scanned
    never seen before
  • 14694dbee3897b6bd5aae8e579Never scanned
    never seen before
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA & heuristic rule matches

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

2 synthesis
MITRE ATT&CK profile
Execution× 1C2× 1
MalwareTips synthesis rules
Our own detection rules, applied to the scan data and sandbox behaviour
  • DirectIpC2medium

    Sample contacted 6 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    185.199.109.153 · 104.18.21.213 · 140.82.114.3
  • DropperNetworkProfilehigh

    Packed PE with sandbox-observed network activity AND engine flags. Signed packed software exists legitimately, but a signed + packed + flagged binary is a signed dropper pattern.

    Evidence
    http://r13.c.lencr.org/79.crl
Antivirus engine breakdown

1 detection across 76 engines

1 malicious0 suspicious75 clean
Tier-117 engines
0flag
Top commercial AVs (low FP rate)
Tier-241 engines
0flag
Mainstream engines with mixed FP rates
Low-trust18 engines
1flag
Heuristic / generic-AI engines (high FP rate)
Bkav
malicious
W64.AIDetectMalware
Hash a314db019d60… cross-referenced against 76 AV engines via our AV network.
PE forensics

Section entropy & packers

Executable sections have high entropy (7.2+) — the code is compressed or encrypted and only decrypted at runtime. Classic packing behaviour.

ent 7.62Likely packed
Section entropy3 sections
UPX0
0.00
UPX1
8.00packed
.rsrc
3.93
0.0Packed threshold 7.28.0
Prevalence

How widely this file has been seen

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
3,719
Hundreds of people have uploaded this — common.
Total submissions
17,565
Includes repeat uploads by the same source.
First seen
5mo ago
Feb 17, 2026
Prevalence quadrant
Rare · New
Targeted malware lives here
Common · New
Just-released software
Rare · Old
Niche or internal tooling
Common · Old
Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
2/17/2026, 3:14:07 PM
First seen (MalwareBazaar)
Last analysis (VT)
4/23/2026, 11:49:29 PM
Scanned here
4/24/2026, 12:13:51 AM
File name
rufus-4.13.exe
Size
1.86 MB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
a314db019d608e3d9b2eda797ba5bbe4dfc91bcd621decd144a580080eb13b1b
MD5
d9c4cd467677e8bb23d8d1c2350e08e3
SHA-1
29c86660baa994db07599166209006708252081f
PE imphash
93f5418d49b9d5fa371bd3c33af0387b
First seen (VT)
2/17/2026, 3:14:07 PM
Last analysis (VT)
4/23/2026, 11:49:29 PM
First scan (MalwareTips)
4/21/2026, 2:12:17 PM
Last scan (MalwareTips)
4/24/2026, 12:13:51 AM
Code signer
Akeo Consultingverified
Community reputation
+7trusted
Behavior tags
overlayupxcorruptchecks-usb-busdetect-debug-environmentcalls-wmipeexesigned64bits
Frequently asked

Safety FAQ

Common questions about rufus-4.13.exe, answered from the scan data above.

  • rufus-4.13.exe appears safe. 75 of 76 antivirus engines report it clean, with only 1 low-confidence detection that read as false positives. It carries a verified digital signature from Akeo Consulting. As a habit, only run files you downloaded from the official source, since attackers sometimes distribute trojanised copies of legitimate software under the same name.
  • rufus-4.13.exe is a Windows executable program, about 1.9 MB. Our analysis found no threat indicators for it. It carries a verified digital signature from Akeo Consulting. A file's name can be reused by different files, so we identify it by its cryptographic hash (below).
  • 1 of 76 antivirus engines flagged rufus-4.13.exe, 1 of them as outright malicious. A small number of detections can include false positives, so we weigh which engines flagged it and what else the file does, not just the raw count.
  • Yes — rufus-4.13.exe carries a valid digital signature from Akeo Consulting, which confirms the file hasn't been tampered with since that publisher signed it. A valid signature is a positive signal, but note that malware is occasionally signed with stolen or abused certificates, so it isn't proof of safety on its own.
  • The SHA-256 hash of rufus-4.13.exe is a314db019d608e3d9b2eda797ba5bbe4dfc91bcd621decd144a580080eb13b1b, and its MD5 is d9c4cd467677e8bb23d8d1c2350e08e3. This hash is the file's unique fingerprint — two files with the same SHA-256 are identical. Use it to confirm you're looking at exactly this file (not just one with the same name) when comparing against antivirus databases or a download's published checksum.
  • Based on this scan, yes — rufus-4.13.exe shows no threat indicators and is properly signed. The important caveat is source: make sure you downloaded it from the official website or a trusted store, because attackers sometimes distribute malware-laced copies under a legitimate file's name. If your own antivirus flags it while we report it clean, that is most often a false positive, but verify the source before overriding your antivirus.
  • This report reflects the scan run on April 21, 2026. Because a file's hash never changes, the identity of rufus-4.13.exe is fixed — but antivirus coverage improves over time, so a file that looks clean today can pick up detections later (and vice-versa). If you need the latest picture, MalwareTips staff can re-run the analysis from scratch.
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…
Loading reports…
Scanned by
harlan4096Staff
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.