ftp.exe

  • File Path: C:\windows\SysWOW64\ftp.exe
  • Description: File Transfer Program

Hashes

Type Hash
MD5 378AB44C0CFEC574F0AC5DE6DF3A587C
SHA1 52F5C2A192799ECF70A6BD7A7383852F4D698A66
SHA256 736BFFD8C2EE02CD432004BBC539CA48BD664F17887B85B4DCA51D0A9EA3251F
SHA384 638A3BD8428C7537C64E38922BDA9C6CBF87F9C2842C49767D9ECFAF71AE17B744090A6DBD0DBCC0785BB17936021BEB
SHA512 67544C897FFCDEB12EF436CBC27F8116C8F8FF2A9BBEFE26BEE0DB32AEA7702E2ADA50837F6EC39B30E397EF644EFF44BE8BCE1213F93B64783C7652E739AB28
SSDEEP 768:5uchzUdgNq3Rq7m5njFJlR/lmxEchdqsYAGrosn3sHJiC38uzvGYgKPFR:5uchzUF3R7F9oMBFy38uzv1F

Signature

  • Status: The file C:\windows\SysWOW64\ftp.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial:
  • Thumbprint:
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: ftp.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of ftp.exe being misused. While ftp.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_ftp.yml | title: Suspicious ftp.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_ftp.yml | description: Detects renamed ftp.exe, ftp.exe script execution and child processes ran by ftp.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_ftp.yml | Image\|endswith: 'ftp.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_ftp.yml | OriginalFileName\|contains: 'ftp.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_ftp.yml | ParentImage\|endswith: 'ftp.exe' | DRL 1.0 |
| LOLBAS | Ftp.yml | Name: Ftp.exe | |
| LOLBAS | Ftp.yml | Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand | |
| LOLBAS | Ftp.yml | Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary. | |
| LOLBAS | Ftp.yml | - Path: C:\Windows\System32\ftp.exe | |
| LOLBAS | Ftp.yml | - Path: C:\Windows\SysWOW64\ftp.exe | |
| LOLBAS | Ftp.yml | - IOC: cmd /c as child process of ftp.exe | |
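
The Sigma selectors and the LOLBAS IOC listed above can be applied to process-creation events as sketched below. This is an added example, not the Sigma rule itself or code from the original page; the way the selectors are combined, the reason labels, the `_ev` helper and the sample events (Sysmon-style field names) are assumptions constructed for illustration.

```python
import ntpath

def _base(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return the sorted reasons a process-creation event looks suspicious."""
    image, parent = _base(event.get("Image")), _base(event.get("ParentImage"))
    orig = (event.get("OriginalFileName") or "").lower()
    tokens = (event.get("CommandLine") or "").split()
    # Compare base names: a bare endswith 'ftp.exe' would also match tftp.exe.
    is_ftp = image == "ftp.exe"
    # The file metadata on this page reports ftp.exe.mui, so accept that prefix.
    orig_is_ftp = orig.startswith("ftp.exe")
    reasons = set()
    if orig_is_ftp and not is_ftp:
        reasons.add("renamed_ftp")
    # -s:<filename> allows no spaces, and ftp parameters are case-sensitive.
    if (is_ftp or orig_is_ftp) and any(t.startswith("-s:") for t in tokens):
        reasons.add("script_execution")
    if parent == "ftp.exe":
        reasons.add("child_of_ftp")
        # LOLBAS IOC from the table: cmd /c as a child process of ftp.exe.
        if image == "cmd.exe" and "/c" in (t.lower() for t in tokens):
            reasons.add("cmd_c_child")
    return sorted(reasons)

def _ev(image, orig, parent, cmdline):
    """Hypothetical helper that builds one constructed sample event."""
    return {"Image": image, "OriginalFileName": orig,
            "ParentImage": parent, "CommandLine": cmdline}

# Constructed sample events (not real telemetry).
SYS = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    _ev(SYS + "ftp.exe", "ftp.exe", SYS + "cmd.exe", "ftp ftp.example.microsoft.com"),
    _ev(SYS + "ftp.exe", "ftp.exe", SYS + "cmd.exe",
        "ftp -s:resync.txt ftp.example.microsoft.com"),
    _ev("C:\\Users\\Public\\svc.exe", "ftp.exe.mui", SYS + "cmd.exe",
        "svc.exe -s:resync.txt"),
    _ev(SYS + "cmd.exe", "Cmd.Exe", "C:\\Windows\\SysWOW64\\ftp.exe", "cmd /C YourCommand"),
    _ev(SYS + "tftp.exe", "tftp.exe", SYS + "cmd.exe", "tftp -i files.example.com GET a.txt"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["CommandLine"], "->", classify(ev))
```

Plain interactive use and `tftp.exe` produce no findings, while the `-s:` script run, the renamed copy and the `cmd /C` child are each labelled.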

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


ftp

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Transfers files to and from a computer running a File Transfer Protocol (ftp) server service. This command can be used interactively or in batch mode by processing ASCII text files.

Syntax

ftp [-v] [-d] [-i] [-n] [-g] [-s:<filename>] [-a] [-A] [-x:<sendbuffer>] [-r:<recvbuffer>] [-b:<asyncbuffers>] [-w:<windowssize>] [<host>] [-?]

Parameters

| Parameter | Description |
|---|---|
| `-v` | Suppresses display of remote server responses. |
| `-d` | Enables debugging, displaying all commands passed between the FTP client and FTP server. |
| `-i` | Disables interactive prompting during multiple file transfers. |
| `-n` | Suppresses auto-login upon initial connection. |
| `-g` | Disables file name globbing. Glob permits the use of the asterisk (*) and question mark (?) as wildcard characters in local file and path names. |
| `-s:<filename>` | Specifies a text file that contains ftp commands. These commands run automatically after ftp starts. This parameter allows no spaces. Use this parameter instead of redirection (<). Note: In Windows 8 and Windows Server 2012 or later operating systems, the text file must be written in UTF-8. |
| `-a` | Specifies that any local interface can be used when binding the ftp data connection. |
| `-A` | Logs onto the ftp server as anonymous. |
| `-x:<sendbuffer>` | Overrides the default SO_SNDBUF size of 8192. |
| `-r:<recvbuffer>` | Overrides the default SO_RCVBUF size of 8192. |
| `-b:<asyncbuffers>` | Overrides the default async buffer count of 3. |
| `-w:<windowssize>` | Specifies the size of the transfer buffer. The default window size is 4096 bytes. |
| `<host>` | Specifies the computer name, IP address, or IPv6 address of the ftp server to which to connect. The host name or address, if specified, must be the last parameter on the line. |
| `-?` | Displays help at the command prompt. |

Remarks

  • The ftp command-line parameters are case-sensitive.

  • This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.

  • The ftp command can be used interactively. After it is started, ftp creates a sub-environment in which you can use ftp commands. You can return to the command prompt by typing the quit command. When the ftp sub-environment is running, it is indicated by the ftp > command prompt. For more information, see the ftp commands.

  • The ftp command supports the use of IPv6 when the IPv6 protocol is installed.

Examples

To log on to the ftp server named ftp.example.microsoft.com, type:

ftp ftp.example.microsoft.com

To log on to the ftp server named ftp.example.microsoft.com and run the ftp commands contained in a file named resync.txt, type:

ftp -s:resync.txt ftp.example.microsoft.com

MIT License. Copyright (c) 2020-2021 Strontic.