» ctfmon.exe
Overview
Analysis
File Details
Behaviors (1)
Network (43)

ctfmon.exe

The executable ctfmon.exe has been detected as malware by 26 anti-virus scanners. While running, it connects to the Internet address hostby.echoromeonet.co.uk on port 8080.

File name:

ctfmon.exe

MD5:

ecef7eddd8d13d31629fe5cda6871f98

SHA-1:

03fea5598c25590dd07f8e0d8a81f354de9dc5d8

SHA-256:

d547ac7b7844a6aa28d5aab98aaaa0686b03ab003f6420c940933ebf123c469d

Scanner detections:

26 / 68

Status:

Malware

Analysis date:

4/29/2024 1:09:51 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.Agent.BEOC

904

Agnitum Outpost

Trojan.Agent

7.1.1

Avira AntiVirus

TR/Agent.ahhiv

7.11.167.154

AVG

Win32/DH

2015.0.3382

Baidu Antivirus

Trojan.Win32.Agent

4.0.3.141216

Bitdefender

Trojan.Agent.BEOC

1.0.20.1135

Comodo Security

UnclassifiedMalware

19218

Emsisoft Anti-Malware

Trojan.Agent.BEOC

8.14.08.15.08

ESET NOD32

Win64/Corkow

8.10248

Fortinet FortiGate

W32/Agent.AHHIV!tr

12/16/2014

F-Secure

Trojan.Agent.BEOC

11.2014-15-08_6

G Data

Trojan.Agent.BEOC

14.8.24

IKARUS anti.virus

Trojan.Win32.Agent

t3scan.1.7.5.0

K7 AntiVirus

Riskware

13.183.13054

Kaspersky

HEUR:Trojan.Win32.Generic

14.0.0.3403

McAfee

RDN/Generic.dx!d2r

5600.6914

MicroWorld eScan

Trojan.Agent.BEOC

15.0.0.681

Norman

Agent.BEPXJ

11.20141216

nProtect

Trojan.Agent.BEOC

14.08.13.01

Panda Antivirus

Trj/Chgt.B

14.11.01.06

Qihoo 360 Security

Win32/Trojan.a90

1.0.0.1015

Reason Heuristics

Threat.Win.Reputation.IMP

14.12.16.22

Rising Antivirus

PE:Trojan.Win32.Generic.171F4819!387926041

23.00.65.141214

Sophos

Troj/Agent-AIIZ

4.98

Trend Micro House Call

TROJ_GEN.R0C1H07HA14

7.2.350

VIPRE Antivirus

Trojan.Win32.Generic

32176

File size:

129 KB (132,096 bytes)

File type:

Executable application (Win64 EXE)

Common path:

C:\users\{user}\appdata\roaming\microsoft\windows\ieupdate\ctfmon.exe

File PE Metadata

Compilation timestamp:

8/6/2004 6:09:13 AM

OS version:

5.2

OS bitness:

Win64

Subsystem:

Windows GUI

CTPH (ssdeep):

3072:q5GWHkECTpQNwEa2avXfEyF3nqHBHUPO/:qEyb0vXfEyF3q4O

Entry address:

0x66E8

Entry point:

48, 89, 5C, 24, 10, 48, 89, 74, 24, 18, 55, 48, 8D, AC, 24, 50, F8, FF, FF, 48, 81, EC, B0, 08, 00, 00, E8, 09, B0, FF, FF, E8, 10, F8, FF, FF, 84, C0, 0F, 84, FD, 02, 00, 00, 48, 8D, 95, 10, 06, 00, 00, B9, 02, 02, 00, 00, FF, 15, 12, 3F, 01, 00, 85, C0, 0F, 85, E3, 02, 00, 00, 48, 8D, 0D, 73, 9C, 01, 00, 33, D2, E8, 6C, 52, 00, 00, 85, C0, 0F, 84, CD, 02, 00, 00, 48, 8D, 35, E5, 99, 01, 00, 41, B8, 04, 01, 00, 00, 33, C9, 48, 8B, D6, FF, 15, B4, 3A, 01, 00, 48, 8B, CE, FF, 15, B3, 3D, 01, 00, 48, 8D, 0D... 
[+]

Entropy:

6.3986

Code size:

98 KB (100,352 bytes)

Scrnsave

Name:

ctfmon.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to vip-112.lax.adconion.com (207.171.14.112:80)

TCP (HTTP):

Connects to unknown.prolexic.com (72.52.4.90:80)

TCP (HTTP):

Connects to server-54-240-160-136.iad12.r.cloudfront.net (54.240.160.136:80)

TCP (HTTP):

Connects to server-54-230-194-208.iad53.r.cloudfront.net (54.230.194.208:80)

TCP (HTTP):

Connects to server-54-230-101-161.iad2.r.cloudfront.net (54.230.101.161:80)

TCP (HTTP):

Connects to server-54-192-192-4.iad53.r.cloudfront.net (54.192.192.4:80)

TCP:

Connects to pa49-193-103-150.pa.nsw.optusnet.com.au (49.193.103.150:48754)

TCP (HTTP):

Connects to ord08s08-in-f6.1e100.net (74.125.225.102:80)

TCP (HTTP):

Connects to ord08s08-in-f27.1e100.net (74.125.225.123:80)

TCP (HTTP SSL):

Connects to ord08s06-in-f28.1e100.net (74.125.225.60:443)

TCP (HTTP):

Connects to ord08s06-in-f13.1e100.net (74.125.225.45:80)

TCP (HTTP):

Connects to network.realmedia.com (208.71.121.192:80)

TCP (HTTP):

Connects to hostby.echoromeonet.co.uk (89.144.2.20:8080)

TCP (HTTP):

Connects to float.2048.bm-impbus.prod.nym2.adnexus.net (68.67.153.163:80)

TCP (HTTP):

Connects to edge-star-shv-03-ord1.facebook.com (31.13.74.33:80)

TCP (HTTP):

Connects to edge-star-shv-03-frc1.facebook.com (69.171.247.29:80)

TCP (HTTP):

Connects to ec2-54-85-76-73.compute-1.amazonaws.com (54.85.76.73:80)

TCP (HTTP):

Connects to ec2-54-235-139-60.compute-1.amazonaws.com (54.235.139.60:80)

TCP (HTTP SSL):

Connects to ec2-54-209-177-58.compute-1.amazonaws.com (54.209.177.58:443)

TCP (HTTP):

Connects to ec2-54-204-22-142.compute-1.amazonaws.com (54.204.22.142:80)

Remove ctfmon.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.