Ctfmonduo_loader[.]zip

Resubmissions

18/05/2023, 17:35

230518-v53kjadb84 7

18/05/2023, 17:27

230518-v1fj7sca8v 7

Sharing

Copy URL Twitter E-mail

General

Target

Ctfmonduo_loader.zip
Size

12.5MB
MD5

0e1546334a0e1dce4e5d9cd21bd7fadc
SHA1

ae9115cab36b26573c69d33652c7d966814a3add
SHA256

ceb5844d890809be4c26d4521cbe3c659da0ed3694b0ba6bdd4aeb50560a1450
SHA512

458d9f758a6b268fff93b15fa0812d781c767fb3b535fa134fa781a9d2cbce899e0c2bb4f5b8d6b4f9f620f3c8deacc3e1ca16a8489824e4a21bbd4636ea28d7
SSDEEP

196608:LSYa2C7VMLUkCzp7f5M1XKaz4+WUqZQARl5FBbhfESgvmsmTmnNWwEY2R7rq7I:LJad7IvchUqZ/l5h7gvmvTmnNxF29rh

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
static1/unpack001/CtfmonDuo.dll	vmprotect

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/CtfmonDuo.dll
unpack001/load.exe

Files

Ctfmonduo_loader.zip
.zip
CtfmonDuo.dll
.dll windows x86

526a005ae2a3943b3c9abec0dccb8909

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

winspool.drv

DocumentPropertiesW

comctl32

ImageList_GetImageInfo

shell32

ExtractIconW

user32

CopyImage
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

version

GetFileVersionInfoSizeW

oleaut32

SysFreeString

advapi32

RegSetValueExW

netapi32

NetWkstaGetInfo

msvcrt

memcpy

kernel32

GetVersion
GetVersionExW
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

wsock32

gethostbyaddr

ole32

OleRegEnumVerbs

gdi32

AddFontMemResourceEx

magnification

MagSetWindowSource

wtsapi32

WTSSendMessageW

Exports

Exports

SHGetFldPath
TMethodImplementationIntercept
__dbk_fcall_wrapper
dbkFCallWrapperAddr
��;��ڭ��OL:Ajv�voa�'(vqחG��-�|bO�y�E��t��ח��)�o)�;�}E}��(�濼� ( <l��:�A��,]a��B�H,;�ƍ+{I��~0��@^�LŬX��S!�2]G�%�x;_t��W�s��7l��{��y�Blxjq"m �Wy��L�:�ۀj��$`v�}4L��!��=ω�4��G�JWR��C�nۦW��3W{H�5:Eȥ��l@F��hj�/!��4��"�Y�~ ~p9��+�V�-��^�c�h2��&a�@tֶ0#��5V�;� ��ŋUk��/ktXO�� s�H��W~-q��= ��)�̀��'ܡK�巾-��ky;�8ށ�l��C��a�n)r��*B[h��<��?�8��µ�`�"h�>"�rC:��:�F2Y��J[�� F*jq�4��?��yC�߄y*��Ȕ_�H2�l�ю�l<R��x��v.:�Ӿ>[Z�K�T��X�YH��$-�)cH�SSZ�DS�p��*��c&��{ W�Y&�7�LӄF7f��c�n�rȘ��Թ��*��[1�z}��~r�}��Y/�Yt��u7pD�_xw�^��ޣŎ_��,.9�d_��Lp�C��21S�J_��"��mN�T�8��h�p41�&�7��M��\Yˁ��b&�:��o�)HP��cvb%��|޺��4ѐ�XG�4��a�E��y�{Th��&��#KD��trͼ��E��B��2+��'A��B�c��f��m�Yj��5*� 7�v�H��E4��"�ǵt�+j��Ҫ�ǣ�,TÞ��s��P�M;��O�.v"�u�Qe8�婹*�E��Yb�{!��k1�'��0��-V�s:��_*U�c��!3�+E��$4p~��(��{�+�g��M3�#p!�i�[,��G��_l�)�%ΐ/f��>>��T�=�lW�]�Fq�^�>~zYׇG��6k�A@FҬy�@��8��sX��%<�?{PR3��O�@kO�#}�H!Lv\�e��`��eֻ͛��Xջ�� bd�Q�;g��8�X�xp/�$�Ó;�;�� 5>{- ��$㼶��˪[�^OĔ;�A�L�Iwo�=�&_��0JMp�V`�z�]��H�X�N�6��G��f��B��Q�U��9��5�W8��X(-�\��/��h��+�� !��CW��j�B��3M[�n�a��sj�g:ob�_Y!J��Wb��4 O�� :��H�z�IJ�d��l��X��Q��T M�O��&E3�_*�%Z�7#��5[��7(�1�]�"��-L�fN�ԉ9D�H4�t��GT@�|+��8�m5��Y��a��Bn��A�"�|��,�\��Qd�U�L�� :Nvi��鑘lDA�zް��L�uN��2@��D�×�H�p�/�ѝ��Zؽ\ga��Rq��nwh%��J��̓��0D�iR"}��3'��#$$nca|��+�8S��kuU|�&P7�l��!)�+l��G��a?x��D�J��qm$y��B�<��G�dߧ�V|��K6>��􀶹�C�.�̃�<ڀ��ؠX&��Hs�I��w�I�n�X5$SThmMA��[��D* �u� �6�M�<��}��R��/t�W*�* 1�Pi|M�ɛ��}ۄ�,��h��W��1��H6Էu$1N��k�[X��#} 6x"�t0K��Fq%�ʫ��)��f#�C�� T�EGP��-��=�.��z��]Q��⟣ ̕Si�9 ��>��O�4�&�K�AK�x �� 5��G�α�^�yb��z%;��-p^^س�#1�6��2��:ޓp�e>Xup\I`�a�$\�"9<� �� d�8��ϕ~e�o��/��w1��EFﵗ�쮨q�`��x]qEG��Ņ+��|�e�v\�L��|,��Iq��R�]$��X�w<H?I_Ft�C�û��;αc��h��MB7.ޱM��-�-S��z�(ֹ��L@q�F�9_Un��}�Mz��%��h&�4��O�9y8ۄ�R��(�Um��q��oh�m��GN�4 �)�A�}Ln��IM�ȓ0ʮ$�mo_iͩ2�� C_Ip<��ԑ�G+DJ� �� )߮$��?��7>Pv�?�O4A��> �P�$[�;�tqo�sZ�r�}�K��:��.-��U..z��k,h�zͲ�Lu�@D�=wڂ�*��|407�Q)~�8��K�"�'�8S��켴��z^��V�r��ޝ��K��F�4�=��8<��0�3�gnq�4�%zg�L��:�6%[��n!��}}\�<�z�jB��L��;{�Ï�|a��eoAKr-�"��6x��ɣ1��:Gn%K��Yd�:�No�0V��򊣁T��L1,� ^ɳ��'�㧠"eܥ �vJ��[v�O3 h�{ʵ� �d��q�ߗ-��c��:.ዴ52%�'v�r��꽝��<��+�Ig_��^)~ę�q�!�ﰥ�ٵ�cۘǸp9��G�_6d;cD7ꉞ�캃|�P�^��X6w���Nrz��I��k]�P()K��<jyb~hG��̉(I:�iU��p@��%IM26��D/^4�-߈�m��ڪ��H!�4�'Eʦ��y��$�Ǵ�|�Ѵ �3��A ��}��X:�{�� h;f�fA��=|rjH��d4�7�]��/bWF]�U,4��ݏ��Ÿ"8��1m1��Ÿc�J$a�X PE�h��>|�=k��yC��9l�2�vđ��o��O�� s? _�k9sO��r�š��.U�

Sections

.text
Size: - Virtual size: 4.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 32KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didata
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: - Virtual size: 178B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 69B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 14.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 12.7MB - Virtual size: 12.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
load.exe
.exe windows x86

6515c5f37f49bb18c60d22d9ca71195c

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

DeleteCriticalSection
EnterCriticalSection
FreeLibrary
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetProcAddress
GetStartupInfoA
GetSystemTimeAsFileTime
GetTickCount
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
QueryPerformanceCounter
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VirtualProtect
VirtualQuery

msvcrt

__getmainargs
__initenv
__lconv_init
__p__acmdln
__p__fmode
__set_app_type
__setusermatherr
_amsg_exit
_cexit
_initterm
_iob
_onexit
abort
calloc
exit
fprintf
free
fwrite
malloc
memcpy
signal
strlen
strncmp
vfprintf

Sections

.text
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 1000B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

/4
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/19
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/31
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/45
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/57
Size: 512B - Virtual size: 260B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/70
Size: 1024B - Virtual size: 746B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/81
Size: 1024B - Virtual size: 786B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/92
Size: 512B - Virtual size: 136B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

526a005ae2a3943b3c9abec0dccb8909

Headers

DLL Characteristics

File Characteristics

Imports

winspool.drv

comctl32

shell32

user32

version

oleaut32

advapi32

netapi32

msvcrt

kernel32

wsock32

ole32

gdi32

magnification

wtsapi32

Exports

Exports

Sections

.text Size: - Virtual size: 4.2MB

.itext Size: - Virtual size: 19KB

.data Size: - Virtual size: 79KB

.bss Size: - Virtual size: 32KB

.idata Size: - Virtual size: 15KB

.didata Size: - Virtual size: 3KB

.edata Size: - Virtual size: 178B

.rdata Size: - Virtual size: 69B

.vmp0 Size: - Virtual size: 14.3MB

.vmp1 Size: 12.7MB - Virtual size: 12.7MB

.reloc Size: 1KB - Virtual size: 1KB

6515c5f37f49bb18c60d22d9ca71195c

Headers

File Characteristics

Imports

kernel32

msvcrt

Sections

.text Size: 5KB - Virtual size: 5KB

.data Size: 512B - Virtual size: 48B

.rdata Size: 1KB - Virtual size: 1KB

.bss Size: - Virtual size: 1000B

.idata Size: 1KB - Virtual size: 1KB

.CRT Size: 512B - Virtual size: 52B

.tls Size: 512B - Virtual size: 8B

/4 Size: 512B - Virtual size: 32B

/19 Size: 29KB - Virtual size: 28KB

/31 Size: 1KB - Virtual size: 1KB

/45 Size: 2KB - Virtual size: 1KB

/57 Size: 512B - Virtual size: 260B

/70 Size: 1024B - Virtual size: 746B

/81 Size: 1024B - Virtual size: 786B

/92 Size: 512B - Virtual size: 136B

.text
Size: - Virtual size: 4.2MB

.itext
Size: - Virtual size: 19KB

.data
Size: - Virtual size: 79KB

.bss
Size: - Virtual size: 32KB

.idata
Size: - Virtual size: 15KB

.didata
Size: - Virtual size: 3KB

.edata
Size: - Virtual size: 178B

.rdata
Size: - Virtual size: 69B

.vmp0
Size: - Virtual size: 14.3MB

.vmp1
Size: 12.7MB - Virtual size: 12.7MB

.reloc
Size: 1KB - Virtual size: 1KB

.text
Size: 5KB - Virtual size: 5KB

.data
Size: 512B - Virtual size: 48B

.rdata
Size: 1KB - Virtual size: 1KB

.bss
Size: - Virtual size: 1000B

.idata
Size: 1KB - Virtual size: 1KB

.CRT
Size: 512B - Virtual size: 52B

.tls
Size: 512B - Virtual size: 8B

/4
Size: 512B - Virtual size: 32B

/19
Size: 29KB - Virtual size: 28KB

/31
Size: 1KB - Virtual size: 1KB

/45
Size: 2KB - Virtual size: 1KB

/57
Size: 512B - Virtual size: 260B

/70
Size: 1024B - Virtual size: 746B

/81
Size: 1024B - Virtual size: 786B

/92
Size: 512B - Virtual size: 136B