File verdict·Decided by the MT AI Engine
Our call

Safe

TFTP utility with 18-year prevalence, zero tier-1 detections, and legitimate protocol-specific network behaviour.

Trust score88High trust
MT AI confidence · 82%
tftp.EXE
44.4 KB
acdff00ece50f2eb8a8b9d05a84f
Antivirus engines
0 of 74 flagged
Code signing
Unsigned
Age
First seen 18y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

82%Confidence
High
Reasoning

The file shows no malicious detections from any of the 17 tier-1 antivirus engines (Kaspersky, BitDefender, ESET-NOD32, Avast, Fortinet, and others), despite 18 years of prevalence and 212 submissions from 180 unique sources. The triggered DirectIpC2 heuristic is a false positive: TFTP is a protocol that legitimately uses direct IP communication for file transfer operations and does not require DNS resolution. The CIRCL reference to malshare.com is a low-trust (score 30) research archive hit, not a malware confirmation. All detected MITRE techniques (T1016, T1071, T1082) are ambient/benign. No malicious sandbox verdicts, dropped children, or contacted malicious hosts were observed. The file is unsigned but its long history and lack of tier-1 detections indicate legitimate legacy software.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. tier1Malicious=0; 17 tier-1 engines (Kaspersky, BitDefender, ESET-NOD32, Avast, Fortinet, etc.) all undetected

  2. prevalence: common_old — 180 unique submitters, 212 submissions since 2008-03-31 (18 years)

  3. MITRE techniques: T1016, T1071, T1071.001, T1082 — all ambient/benign; offensiveCount=0

  4. contacted IPs include Microsoft Azure ranges (52.185.73.156, 20.99.133.109, 20.69.140.28) — legitimate infrastructure

  5. CIRCL hit with trust=30 (low); knownMalicious='malshare.com' is a research archive, not a malware confirmation

Points in its favour
  • Zero tier-1 antivirus detections across 17 high-trust engines
  • 18-year prevalence (212 submissions, 180 unique sources) without mass malicious reports
  • All MITRE techniques are ambient/benign; no offensive techniques detected
  • No malicious sandbox verdicts, dropped children, or malicious host contacts
  • Normal PE entropy and no packing indicators; legitimate file structure
Points against
  • DirectIpC2 heuristic fired — but TFTP legitimately uses direct IP communication without DNS
  • Unsigned executable — however, 18-year prevalence and zero tier-1 detections mitigate this
  • CIRCL research archive reference — low-trust indicator, not a malware confirmation
What to do

This file is safe to use. It is a legitimate TFTP utility with 18 years of prevalence and zero tier-1 antivirus detections. The DirectIpC2 heuristic is a false positive caused by TFTP's protocol-specific direct-IP communication pattern.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
4

Adversary techniques mapped to the MITRE ATT&CK framework.

T1016T1071T1071.001T1082
Spawned processes
4
$(unnamed)
%SAMPLEPATH%\tftp.EXE
$(unnamed)
%SAMPLEPATH%\acdff00ece50f2eb8ad15c5c531121acc5fa932c742e1ef31ff7c98b9d05a84f.exe
$(unnamed)
C:\Windows\System32\UI0Detect.exe
$(unnamed)
C:\Program Files\Google3092_887717611\bin\updater.exe
Network activity
10
IP addresses10
  • 8.59.4.126
  • a83f:8110:0:0:1b00:100:2800:0
  • 192.168.0.5
  • 23.40.197.184
  • 52.185.73.156
  • 20.99.133.109
  • a83f:8110:4646:4646:4646:4646:4646:4646
  • 23.46.228.41
  • 23.196.145.221
  • 20.69.140.28
Filesystem & mutexes
11
Files deleted4
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER2064.tmp.WERInternalMetadata.xml
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER2075.tmp.csv
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER2086.tmp.txt
  • C:\Windows\System32\spp\store\2.0\cache\cache.dat
Mutexes created7
  • CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
  • CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
  • CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
  • CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
  • CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
+2 more
External threat intelligence

1 corroborating signal from researcher-curated sources

CIRCL hashlookup HIT·indexed as known-malicious·trust 30/100View on CIRCL
Also flagged as malicious by malshare.com. The reference-DB hit is not a clean signal on its own — the verdict defers to VT, AI, and the abuse.ch sources.
Cross-referenced against MalwareBazaar (abuse.ch), YARAify, and the CIRCL hashlookup reference DB.
Signature matches

YARA + heuristic rules that fired

One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.

1 synthesis
MITRE ATT&CK profile
C2× 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • DirectIpC2medium

    Sample contacted 9 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    8.59.4.126 · a83f:8110:0:0:1b00:100:2800:0 · 23.40.197.184
Antivirus engine breakdown

0 detections across 74 engines

0 malicious0 suspicious74 clean
Tier-117 engines
0flag
Top commercial AVs (low FP rate)
Tier-240 engines
0flag
Mainstream engines with mixed FP rates
Low-trust17 engines
0flag
Heuristic / generic-AI engines (high FP rate)
All 74 engines report this file as clean.
Hash acdff00ece50… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

ent 5.36Unpacked
Section entropy4 sections
.text
5.53
.rdata
4.19
.data
0.31
.rsrc
3.00
0.0Packed threshold 7.28.0
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders
180
Hundreds of people have uploaded this — common.
Total submissions
212
Includes repeat uploads by the same source.
First seen by VT
18y ago
Mar 30, 2008
Prevalence quadrant
Rare · New
Targeted malware lives here
Common · New
Just-released software
Rare · Old
Niche or internal tooling
here
Common · Old
Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
3/30/2008, 9:36:26 PM
First seen (MalwareBazaar)
Last analysis (VT)
6/20/2026, 12:33:34 AM
Scanned here
7/8/2026, 12:20:51 AM
File name
tftp.EXE
Size
44.4 KB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
acdff00ece50f2eb8ad15c5c531121acc5fa932c742e1ef31ff7c98b9d05a84f
MD5
ee665224ee8b19ba66b8578dd471e0a8
SHA-1
3ce7f797dc3d4505a513fb42d2580c765a5011bc
PE imphash
bc122750e862ddf28b7587d4792432e4
First seen (VT)
3/30/2008, 9:36:26 PM
Last analysis (VT)
6/20/2026, 12:33:34 AM
First scan (MalwareTips)
7/7/2026, 7:06:33 PM
Last scan (MalwareTips)
7/8/2026, 12:20:51 AM
Community reputation
+4trusted
Behavior tags
checks-user-inputruntime-modulesdirect-cpu-clock-accessoverlayarmadillopeexe
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…
Loading reports…
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.