File verdict · Decided by the MT AI Engine
Our call

Safe

Minecraft Forge installer; 16 tier-1 engines silent; 5,958 submissions over 851 days; DirectIpC2 heuristic fired on legitimate CDN contact.

Trust score: 88 (High trust)
MT AI confidence · 92%
File name: forge-1.12.2-14.23.5.2859-installer.jar
Size: 4.5 MB
Hash (truncated display): dbba1cd1bf34a4b821fdcff15b76
Antivirus engines: 0 of 74 flagged
Code signing: Unsigned
Age: First seen 2y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 92% (Very high)
Reasoning

The file exhibits a classic benign-software profile: zero malicious detections across 63 engines, with 16 tier-1 engines (Kaspersky, Microsoft, BitDefender, ESET-NOD32, Fortinet, Avira, Emsisoft, F-Secure, GData, DrWeb, Avast, AVG) all reporting clean. The filename and version string match Minecraft Forge's official release naming convention. Prevalence data (5,958 submissions, common_old classification, 851 days in circulation) confirms this is an established, widely-distributed software package. The DirectIpC2 heuristic fired because the installer contacted 9 external IPs (Microsoft CDN 13.107.* and Cloudflare 104.21.*, 172.67.*) without DNS queries — a pattern the heuristic flags as C2 evasion. However, this is consistent with legitimate installer resource delivery, not malware command-and-control. Behaviour analysis shows 2 offensive MITRE techniques (T1543.002, T1562.001) paired with 18 ambient techniques typical of Java installers; no malicious sandbox verdict was recorded, and all 10 dropped children are unknown (0 malicious). No external-intel hits, no malicious contacted hosts, no brand mismatch.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. 0/63 engines malicious; tier1Malicious=0; 16 tier-1 engines (Kaspersky, Microsoft, BitDefender, ESET-NOD32, Fortinet, Avira, Emsisoft, F-Secure, GData, DrWeb, Avast, AVG) all silent

  2. Filename 'forge-1.12.2-14.23.5.2859-installer.jar' matches Minecraft Forge official release naming; prevalence.classification='common_old' with 5,958 submissions across 3,476 sources over 851 days

  3. triggeredHeuristics: DirectIpC2 fired but contacted IPs are Microsoft CDN (13.107.*) and Cloudflare (104.21.*, 172.67.*) — legitimate resource delivery, not C2 evasion

  4. behaviour.offensiveTechniques=[T1543.002, T1562.001] paired with 18 ambient techniques; no malicious sandbox verdict; 0/10 dropped children malicious

  5. No external-intel hits (yaraify=0, circl=false, malwareBazaar=false); no malicious contacted hosts; no brand mismatch

Points in its favour
  • 16 tier-1 antivirus engines (Kaspersky, Microsoft, BitDefender, ESET-NOD32, Fortinet, Avira, Emsisoft, F-Secure, GData, DrWeb, Avast, AVG) all report clean
  • 5,958 submissions across 3,476 unique sources over 851 days — common_old prevalence classification indicates established, widely-trusted software
  • Filename and version string match Minecraft Forge official release naming convention
  • 0 malicious dropped children (10/10 unknown); no malicious sandbox verdict
  • No external-intel hits (YARA, CIRCL, MalwareBazaar); no malicious contacted hosts in our URL cache
What to do

This file is safe. It is the legitimate Minecraft Forge mod loader installer. The DirectIpC2 heuristic alert is a false positive from legitimate CDN contact. Proceed with installation if obtained from the official Minecraft Forge website.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK (20)

Adversary techniques mapped to the MITRE ATT&CK framework.

T1018, T1036, T1064, T1071, T1082, T1083, T1095, T1105, T1106, T1202, T1497, T1518.001, T1543.002, T1562.001, T1564, T1564.001, T1564.003, T1573, T1574.002, T1574.010
Spawned processes (15)
  • "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\<USER>\Desktop\download.jar"
  • C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  • C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Java\jre1.8.0_421\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\download.jar"" >> C:\cmdlinestart.log 2>&…
  • C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  • "C:\Program Files\Java\jre1.8.0_421\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\download.jar"
  • C:\Windows\System32\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  • C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Java\jre1.8.0_441\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\download.jar"" >> C:\cmdlinestart.log 2>&…
  • "C:\Program Files\Java\jre1.8.0_441\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\download.jar"
+7 more processes captured.
Network activity (10)
IP addresses (10)
Filesystem & mutexes (34)
Files written (15)
  • C:\Users\<USER>\AppData\Local\Temp\hsperfdata_<USER>\2540
  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
  • C:\Users\<USER>\Desktop\download.jar.log
  • C:\Users\<USER>\AppData\Local\Temp\imageio6750141799124413593.tmp
  • C:\Program Files (x86)\AutoIt3\download.jar.log
+10 more
Files deleted (15)
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user\1228
  • C:\Users\user\AppData\Local\Temp\imageio111851870505822271.tmp
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user\6712
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user\1040
  • C:\Users\user\AppData\Local\Temp\imageio1852599542505012653.tmp
+10 more
Mutexes created (4)
  • \BaseNamedObjects\Local\SM0:5172:304:WilStaging_02
  • \BaseNamedObjects\Local\SM0:5172:120:WilError_03
  • \BaseNamedObjects\Local\ZonesCacheCounterMutex
  • \BaseNamedObjects\Local\ZonesLockedCacheCounterMutex
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen: never scanned, never seen before
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.

Synthesis rules: 1
MITRE ATT&CK profile: C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • DirectIpC2 (medium)

    Sample contacted 9 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    104.21.58.163 · 13.107.226.70 · 172.67.161.211
Antivirus engine breakdown

0 detections across 74 engines

0 malicious · 0 suspicious · 74 clean
Tier-1: 17 engines, 0 flagged (top commercial AVs, low FP rate)
Tier-2: 37 engines, 0 flagged (mainstream engines with mixed FP rates)
Low-trust: 20 engines, 0 flagged (heuristic / generic-AI engines, high FP rate)
All 74 engines report this file as clean.
Hash dbba1cd1bf34… cross-referenced against 74 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Classification: Common & old
Unique uploaders: 3,476
Hundreds of people have uploaded this — common.
Total submissions: 5,958
Includes repeat uploads by the same source.
First seen by VT: 2y ago (Feb 27, 2024)
Prevalence quadrant (this file sits in Common · Old)
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries (this file is here)
File identity

Forensic fingerprint

File biography
First seen (VT): 2/27/2024, 4:13:01 PM
First seen (MalwareBazaar): (not available)
Last analysis (VT): 6/20/2026, 3:39:43 PM
Scanned here: 6/28/2026, 12:02:04 AM
File name: forge-1.12.2-14.23.5.2859-installer.jar
Size: 4.46 MB
MIME type: (unknown)
Detected type: JAR
SHA-256: dbba1cd1bf34a4b82148bac50a6150f63ffcb2d5dc7d88a0508c27fdcff15b76
MD5: 6f430c36cb072b408756a37556974ef4
SHA-1: 6b3d5be8b58d5385fda9c4d285367f4cb6e697b2
First scan (MalwareTips): 6/28/2026, 12:02:04 AM
Last scan (MalwareTips): 6/28/2026, 12:02:04 AM
Community reputation: +1 (trusted)
Behavior tags: checks-cpu-name, jar, detect-debug-environment, sets-process-name
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.