Safe
TFTP utility with 18-year prevalence, zero tier-1 detections, and legitimate protocol-specific network behaviour.
acdff00ece50f2eb8a…8b9d05a84fThe verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file shows no malicious detections from any of the 17 tier-1 antivirus engines (Kaspersky, BitDefender, ESET-NOD32, Avast, Fortinet, and others), despite 18 years of prevalence and 212 submissions from 180 unique sources. The triggered DirectIpC2 heuristic is a false positive: TFTP is a protocol that legitimately uses direct IP communication for file transfer operations and does not require DNS resolution. The CIRCL reference to malshare.com is a low-trust (score 30) research archive hit, not a malware confirmation. All detected MITRE techniques (T1016, T1071, T1082) are ambient/benign. No malicious sandbox verdicts, dropped children, or contacted malicious hosts were observed. The file is unsigned but its long history and lack of tier-1 detections indicate legitimate legacy software.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
tier1Malicious=0; 17 tier-1 engines (Kaspersky, BitDefender, ESET-NOD32, Avast, Fortinet, etc.) all undetected
prevalence: common_old — 180 unique submitters, 212 submissions since 2008-03-31 (18 years)
MITRE techniques: T1016, T1071, T1071.001, T1082 — all ambient/benign; offensiveCount=0
contacted IPs include Microsoft Azure ranges (52.185.73.156, 20.99.133.109, 20.69.140.28) — legitimate infrastructure
CIRCL hit with trust=30 (low); knownMalicious='malshare.com' is a research archive, not a malware confirmation
- Zero tier-1 antivirus detections across 17 high-trust engines
- 18-year prevalence (212 submissions, 180 unique sources) without mass malicious reports
- All MITRE techniques are ambient/benign; no offensive techniques detected
- No malicious sandbox verdicts, dropped children, or malicious host contacts
- Normal PE entropy and no packing indicators; legitimate file structure
- DirectIpC2 heuristic fired — but TFTP legitimately uses direct IP communication without DNS
- Unsigned executable — however, 18-year prevalence and zero tier-1 detections mitigate this
- CIRCL research archive reference — low-trust indicator, not a malware confirmation
This file is safe to use. It is a legitimate TFTP utility with 18 years of prevalence and zero tier-1 antivirus detections. The DirectIpC2 heuristic is a false positive caused by TFTP's protocol-specific direct-IP communication pattern.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 8.59.4.126
- a83f:8110:0:0:1b00:100:2800:0
- 192.168.0.5
- 23.40.197.184
- 52.185.73.156
- 20.99.133.109
- a83f:8110:4646:4646:4646:4646:4646:4646
- 23.46.228.41
- 23.196.145.221
- 20.69.140.28
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER2064.tmp.WERInternalMetadata.xml
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER2075.tmp.csv
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER2086.tmp.txt
- C:\Windows\System32\spp\store\2.0\cache\cache.dat
- CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
1 corroborating signal from researcher-curated sources
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 9 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence8.59.4.126 · a83f:8110:0:0:1b00:100:2800:0 · 23.40.197.184
0 detections across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name
- tftp.EXE
- Size
- 44.4 KB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- acdff00ece50f2eb8ad15c5c531121acc5fa932c742e1ef31ff7c98b9d05a84f
- MD5
- ee665224ee8b19ba66b8578dd471e0a8
- SHA-1
- 3ce7f797dc3d4505a513fb42d2580c765a5011bc
- PE imphash
- bc122750e862ddf28b7587d4792432e4
- First seen (VT)
- 3/30/2008, 9:36:26 PM
- Last analysis (VT)
- 6/20/2026, 12:33:34 AM
- First scan (MalwareTips)
- 7/7/2026, 7:06:33 PM
- Last scan (MalwareTips)
- 7/8/2026, 12:20:51 AM
- Community reputation
- +4trusted
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.