ctfmon.exe

The executable ctfmon.exe has been detected as malware by 29 anti-virus scanners. While running, it connects to the Internet address hostby.echoromeonet.co.uk on port 8080.
MD5:
ecef7eddd8d13d31629fe5cda6871f98

SHA-1:
03fea5598c25590dd07f8e0d8a81f354de9dc5d8

SHA-256:
d547ac7b7844a6aa28d5aab98aaaa0686b03ab003f6420c940933ebf123c469d

Scanner detections:
29 / 68

Status:
Malware

Analysis date:
11/25/2017 8:56:14 AM UTC

Scan engine              Detection                                     Engine version
Lavasoft Ad-Aware        Trojan.Agent.BEOC                             904
Agnitum Outpost          Trojan.Agent                                  7.1.1
Avira AntiVirus          TR/Agent.ahhiv                                7.11.167.154
Antiy Labs AVL           Trojan/Win32.Agent                            1.0.0.1
AVG                      Win32/DH                                      2015.0.3382
Baidu Antivirus          Trojan.Win32.Agent                            4.0.3.141216
Bitdefender              Trojan.Agent.BEOC                             1.0.20.1135
Comodo Security          UnclassifiedMalware                           19218
Emsisoft Anti-Malware    Trojan.Agent.BEOC                             8.14.08.15.08
ESET NOD32               Win64/Corkow                                  8.10248
Fortinet FortiGate       W32/Agent.AHHIV!tr                            12/16/2014
F-Secure                 Trojan.Agent.BEOC                             11.2014-15-08_6
G Data                   Trojan.Agent.BEOC                             14.8.24
IKARUS anti.virus        Trojan.Win32.Agent                            t3scan.1.7.5.0
K7 AntiVirus             Riskware                                      13.183.13054
K7 Gateway Antivirus     Riskware                                      13.183.13043
Kaspersky                HEUR:Trojan.Win32.Generic                     14.0.0.3403
McAfee                   RDN/Generic.dx!d2r                            5600.6914
McAfee Web Gateway       RDN/Generic.dx!d2r                            7.6914
MicroWorld eScan         Trojan.Agent.BEOC                             15.0.0.681
Norman                   Agent.BEPXJ                                   11.20141216
nProtect                 Trojan.Agent.BEOC                             14.08.13.01
Panda Antivirus          Trj/Chgt.B                                    14.11.01.06
Qihoo 360 Security       Win32/Trojan.a90                              1.0.0.1015
Reason Heuristics        Threat.Win.Reputation.IMP                     14.12.16.22
Rising Antivirus         PE:Trojan.Win32.Generic.171F4819!387926041    23.00.65.141214
Sophos                   Troj/Agent-AIIZ                               4.98
Trend Micro House Call   TROJ_GEN.R0C1H07HA14                          7.2.350
VIPRE Antivirus          Trojan.Win32.Generic                          32176

File size:
129 KB (132,096 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\appdata\roaming\microsoft\windows\ieupdate\ctfmon.exe

File PE Metadata
Compilation timestamp:
8/6/2004 6:09:13 AM

OS version:
5.2

OS bitness:
Win64

Subsystem:
Windows GUI

CTPH (ssdeep):
3072:q5GWHkECTpQNwEa2avXfEyF3nqHBHUPO/:qEyb0vXfEyF3q4O

Entry address:
0x66E8

Entry point:
48, 89, 5C, 24, 10, 48, 89, 74, 24, 18, 55, 48, 8D, AC, 24, 50, F8, FF, FF, 48, 81, EC, B0, 08, 00, 00, E8, 09, B0, FF, FF, E8, 10, F8, FF, FF, 84, C0, 0F, 84, FD, 02, 00, 00, 48, 8D, 95, 10, 06, 00, 00, B9, 02, 02, 00, 00, FF, 15, 12, 3F, 01, 00, 85, C0, 0F, 85, E3, 02, 00, 00, 48, 8D, 0D, 73, 9C, 01, 00, 33, D2, E8, 6C, 52, 00, 00, 85, C0, 0F, 84, CD, 02, 00, 00, 48, 8D, 35, E5, 99, 01, 00, 41, B8, 04, 01, 00, 00, 33, C9, 48, 8B, D6, FF, 15, B4, 3A, 01, 00, 48, 8B, CE, FF, 15, B3, 3D, 01, 00, 48, 8D, 0D...

Entropy:
6.3986

Code size:
98 KB (100,352 bytes)

Scrnsave
Name:
ctfmon.exe


The executing file has been seen to make the following network communications in live environments.

Remove ctfmon.exe - Powered by Reason Core Security