Analysis Report ctfmon.exe
Overview
General Information
Detection
Score: | 3 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 60% |
Signatures
Classification
Analysis Advice |
---|
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--") |
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior |
|
Malware Configuration |
---|
No configs have been found |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
Click to see the 7 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
Click to see the 1 entries |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Click to jump to signature section
There are no malicious signatures, click here to show all signatures.
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | String found in binary or memory: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Command and Scripting Interpreter2 | DLL Side-Loading1 | Process Injection1 | Process Injection1 | OS Credential Dumping | System Information Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading1 | DLL Side-Loading1 | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
6% | Virustotal | Browse | ||
0% | Metadefender | Browse | ||
14% | ReversingLabs | Win32.Trojan.NetSupportManager |
No Antivirus matches |
---|
No Antivirus matches |
---|
No Antivirus matches |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe |
No contacted domains info |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
No contacted IP infos |
---|
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 411189 |
Start date: | 11.05.2021 |
Start time: | 17:45:20 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 27s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | ctfmon.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Cmdline fuzzy |
Number of analysed new started processes analysed: | 29 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | CLEAN |
Classification: | clean3.winEXE@3/0@0/0 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | Show All
|
No simulations |
---|
No context |
---|
No context |
---|
No context |
---|
No context |
---|
No context |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 4.950187105195601 |
TrID: |
|
File name: | ctfmon.exe |
File size: | 112176 |
MD5: | 252dce576f9fbb9aaa7114dd7150f320 |
SHA1: | c07f0a02c284b697dff119839f455836be39d10e |
SHA256: | b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad |
SHA512: | 17255a8255b152edf896b4eb1719a2c52dbfed38887aa79b02fe54fcefca45c5089ed6340b8251fea1cf031b7c016328bd88741a066fa138ca7b722cf970b06b |
SSDEEP: | 768:c5VZl6FhWr80/0fyXt/cfdtVJvriXiRzi:c90hG8f8dcFPVWXiI |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.g.W.g.W.g.^...U.g.8...T.g.W.f.R.g.8...V.g.8...V.g.8...V.g.RichW.g.........PE..L......^.....................r...... ...... |
File Icon |
---|
Icon Hash: | 050d124130a1c151 |
General | |
---|---|
Entrypoint: | 0x401020 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5E2EEEBC [Mon Jan 27 14:07:56 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | a9d50692e95b79723f3e76fcf70d023e |
Signature Valid: | true |
Signature Issuer: | CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint MD5: | 3D34EA0E8E4C65FC7C8599BE3ACDE072 |
Thumbprint SHA-1: | F84EC9488BDAC5F90DB3C474B55E31A8F10A2026 |
Thumbprint SHA-256: | FCD6A7E626908DC8E5D3CE6FC9350EC099C42FB1AD1231A75208B54754985089 |
Serial: | 79906FAF4FBD75BAA10B322356A07F6D |
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 44h |
push esi |
call dword ptr [00402000h] |
mov esi, eax |
cmp word ptr [esi], 0022h |
jne 00007FFAC49C581Dh |
movzx eax, word ptr [esi+02h] |
add esi, 02h |
test ax, ax |
je 00007FFAC49C57B4h |
cmp ax, 0022h |
je 00007FFAC49C57B4h |
movzx eax, word ptr [esi+02h] |
add esi, 02h |
test ax, ax |
jne 00007FFAC49C5790h |
cmp word ptr [esi], 0022h |
jne 00007FFAC49C57A5h |
add esi, 02h |
movzx eax, word ptr [esi] |
test ax, ax |
je 00007FFAC49C57B4h |
cmp ax, 0020h |
jnbe 00007FFAC49C57AEh |
movzx eax, word ptr [esi+02h] |
add esi, 02h |
test ax, ax |
jne 00007FFAC49C5790h |
lea eax, dword ptr [ebp-44h] |
push eax |
mov dword ptr [ebp-18h], 00000000h |
call dword ptr [0040200Ch] |
test byte ptr [ebp-18h], 00000001h |
movzx eax, word ptr [ebp-14h] |
jne 00007FFAC49C57A7h |
mov eax, 0000000Ah |
push eax |
push esi |
push 00000000h |
push 00000000h |
call dword ptr [00402008h] |
push eax |
call 00007FFAC49C56FDh |
push eax |
call dword ptr [00402004h] |
nop |
cmp word ptr [esi], 0020h |
jbe 00007FFAC49C5748h |
add esi, 02h |
jmp 00007FFAC49C5797h |
int3 |
jmp dword ptr [00402014h] |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x203c | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3000 | 0x16c08 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x17800 | 0x3e30 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0x14 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2020 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xc2 | 0x200 | False | 0.318359375 | data | 2.77998506607 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x2000 | 0x15e | 0x200 | False | 0.46484375 | data | 3.50726381565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x3000 | 0x16c08 | 0x16e00 | False | 0.106034409153 | data | 4.13266450046 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x1a000 | 0x6c | 0x200 | False | 0.060546875 | data | 0.221676205458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x32c8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | ||
RT_ICON | 0x3b70 | 0x568 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x40d8 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 4281761986, next used block 4281761986 | ||
RT_ICON | 0x14900 | 0x25a8 | data | ||
RT_ICON | 0x16ea8 | 0x10a8 | data | ||
RT_ICON | 0x17f50 | 0x988 | data | ||
RT_ICON | 0x188d8 | 0x6b8 | data | ||
RT_ICON | 0x18f90 | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_STRING | 0x193f8 | 0x62 | data | ||
RT_GROUP_ICON | 0x1945c | 0x76 | data | ||
RT_VERSION | 0x194d4 | 0x3ac | data | ||
RT_MANIFEST | 0x19880 | 0x385 | XML 1.0 document, ASCII text, with CRLF line terminators |
DLL | Import |
---|---|
PCICL32.dll | _NSMClient32@8 |
KERNEL32.dll | GetCommandLineW, ExitProcess, GetModuleHandleW, GetStartupInfoW |
Description | Data |
---|---|
LegalCopyright | Copyright (c) 2020, NetSupport Ltd |
InternalName | client32 |
FileVersion | V12.80 |
CompanyName | NetSupport Ltd |
PrivateBuild | V12.80 |
LegalTrademarks | |
Comments | |
ProductName | NetSupport Remote Control |
SpecialBuild | |
ProductVersion | V12.80 |
FileDescription | NetSupport Client Application |
OriginalFilename | client32.exe |
Translation | 0x0809 0x04b0 |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Click to jump to process
Memory Usage |
---|
Click to jump to process
Behavior |
---|
Click to jump to process
System Behavior |
---|
Start time: | 17:47:04 |
Start date: | 11/05/2021 |
Path: | C:\Users\user\Desktop\ctfmon.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 112176 bytes |
MD5 hash: | 252DCE576F9FBB9AAA7114DD7150F320 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
File Activities
Section Activities
Registry Activities
Process Activities
Thread Activities
Memory Activities
System Activities
Start time: | 17:47:07 |
Start date: | 11/05/2021 |
Path: | C:\Users\user\Desktop\ctfmon.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 112176 bytes |
MD5 hash: | 252DCE576F9FBB9AAA7114DD7150F320 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
File Activities
Section Activities
Registry Activities
Process Activities
Thread Activities
Memory Activities
System Activities
Start time: | 17:47:09 |
Start date: | 11/05/2021 |
Path: | C:\Users\user\Desktop\ctfmon.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 112176 bytes |
MD5 hash: | 252DCE576F9FBB9AAA7114DD7150F320 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
File Activities
Section Activities
Registry Activities
Process Activities
Thread Activities
Memory Activities
System Activities
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Non-executed Functions |
---|
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |