File name:

CTF Loader.exe

Full analysis: https://app.any.run/tasks/d2f86224-7f8e-4c63-8e13-72ae405cbd6a
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Malware Trends Tracker     >>>
Analysis date: January 11, 2024, 17:41:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
quasar
rat
njrat
bladabindi
remote
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
MD5:

23ED15BB0BAEAAF3E9A925413994FEEC

SHA1:

C48F6F525764861192143C42CDB095FC1517BF42

SHA256:

3BEDDFC75B1BA6B5E1FC4931E3EEE5ABEF440CA0672BEE00D500F743F81FE8A6

SSDEEP:

12288:z4pttMUu+M3tydHQeSqAAKU8wxFmgHNVpvF0Pc3:zEteUu+M3AdHQpqRKUdbmgHNbF0Pc3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • CTF Loader.exe (PID: 2064)

    • Changes the autorun value in the registry

      • CTF Loader.exe (PID: 2064)

    • QUASAR has been detected (YARA)

      • CTF Loader.exe (PID: 2064)

  • SUSPICIOUS

    • Reads the Internet Settings

      • CTF Loader.exe (PID: 2064)
      • CTF Loader.exe (PID: 2044)

  • INFO

    • Reads the computer name

      • CTF Loader.exe (PID: 2044)
      • CTF Loader.exe (PID: 2064)

    • Checks supported languages

      • CTF Loader.exe (PID: 2064)
      • CTF Loader.exe (PID: 2044)

    • Drops the executable file immediately after the start

      • CTF Loader.exe (PID: 2044)

    • Starts itself from another location

      • CTF Loader.exe (PID: 2044)

    • Reads Environment values

      • CTF Loader.exe (PID: 2044)
      • CTF Loader.exe (PID: 2064)

    • Reads the machine GUID from the registry

      • CTF Loader.exe (PID: 2044)
      • CTF Loader.exe (PID: 2064)

    • Creates files or folders in the user directory

      • CTF Loader.exe (PID: 2044)
      • CTF Loader.exe (PID: 2064)

    • Checks for external IP

      • CTF Loader.exe (PID: 2044)
      • CTF Loader.exe (PID: 2064)

    • Connects to unusual port

      • CTF Loader.exe (PID: 2064)

    • Connects to the CnC server

      • CTF Loader.exe (PID: 2064)

    • NJRAT has been detected (SURICATA)

      • CTF Loader.exe (PID: 2064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:12:09 19:58:13+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 4096
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x2e5e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.3.0.0
ProductVersionNumber: 1.3.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.3.0.0
InternalName: Client.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: Client.exe
ProductName: -
ProductVersion: 1.3.0.0
AssemblyVersion: 1.3.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ctf loader.exe #QUASAR ctf loader.exe schtasks.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1044"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\admin\AppData\Roaming\SubDir\CTF Loader.exe" /sc MINUTE /MO 1C:\Windows\System32\schtasks.exeCTF Loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
2044"C:\Users\admin\AppData\Local\Temp\CTF Loader.exe" C:\Users\admin\AppData\Local\Temp\CTF Loader.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.3.0.0
Modules
Images
c:\users\admin\appdata\local\temp\ctf loader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2064"C:\Users\admin\AppData\Roaming\SubDir\CTF Loader.exe"C:\Users\admin\AppData\Roaming\SubDir\CTF Loader.exe
CTF Loader.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.3.0.0
Modules
Images
c:\users\admin\appdata\roaming\subdir\ctf loader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
1 075
Read events
1 066
Write events
9
Delete events
0

Modification events

(PID) Process:(2064) CTF Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:CTF Loader
Value:
"C:\Users\admin\AppData\Local\Temp\CTF Loader.exe"
(PID) Process:(2064) CTF Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2064) CTF Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2064) CTF Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2064) CTF Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2044CTF Loader.exeC:\Users\admin\AppData\Roaming\SubDir\CTF Loader.exeexecutable
MD5:23ED15BB0BAEAAF3E9A925413994FEEC
SHA256:3BEDDFC75B1BA6B5E1FC4931E3EEE5ABEF440CA0672BEE00D500F743F81FE8A6
2064CTF Loader.exeC:\Users\admin\AppData\Roaming\Logs\01-11-2024binary
MD5:85F40F13ED5840DA5455EF7ABE05D645
SHA256:71968AA648CAF9E8A0DD7A9A23785780366A372CC76BFEDC38D57887EA7AA2DB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
5
DNS requests
1
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2044
CTF Loader.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/
unknown
binary
287 b
unknown
2064
CTF Loader.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/
unknown
binary
287 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2044
CTF Loader.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown
2064
CTF Loader.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown
2064
CTF Loader.exe
147.185.221.17:62984
PLAYIT-GG
US
malicious

DNS requests

Domain
IP
Reputation
ip-api.com
  • 208.95.112.1
shared

Threats

PID
Process
Class
Message
2044
CTF Loader.exe
A Network Trojan was detected
ET MALWARE Common RAT Connectivity Check Observed
2044
CTF Loader.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
2044
CTF Loader.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2064
CTF Loader.exe
A Network Trojan was detected
ET MALWARE Common RAT Connectivity Check Observed
2064
CTF Loader.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
2064
CTF Loader.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2064
CTF Loader.exe
Malware Command and Control Activity Detected
ET MALWARE Bladabindi/njrat CnC Keep-Alive (INBOUND)
2064
CTF Loader.exe
Malware Command and Control Activity Detected
ET MALWARE Bladabindi/njrat CnC Keep-Alive (INBOUND)
2064
CTF Loader.exe
Malware Command and Control Activity Detected
ET MALWARE Bladabindi/njrat CnC Keep-Alive (INBOUND)
2064
CTF Loader.exe
Malware Command and Control Activity Detected
ET MALWARE Bladabindi/njrat CnC Keep-Alive (INBOUND)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CTF Loader.exe