File name:

CTF Loader.exe

Full analysis: https://app.any.run/tasks/2890e609-7f0c-400f-ae59-c67f7df3818d
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Malware Trends Tracker     >>>
Analysis date: January 14, 2024, 06:58:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
nanocore
rat
remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

213BC04533BD88FA7D7E4C347B494D39

SHA1:

8C0A668613D1CA3730FBB8B1A863ED22F2CDFCFB

SHA256:

CBD3C58617C3710AB3BBCCCDF6D3AB743149DBC983F6B93EB060ABD56CB55BD4

SSDEEP:

12288:nNFaXUoYRm6FmHY6X4oPeADJM01l4fZwutx3lF28zWL:nbGUoqZqY+zPeADiOl4RwuT1F5yL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • CTF Loader.exe (PID: 124)
      • CTF Loader.exe (PID: 316)

    • Uses Task Scheduler to run other applications

      • CTF Loader.exe (PID: 316)

    • NANOCORE has been detected (YARA)

      • CTF Loader.exe (PID: 316)

    • NANOCORE has been detected (SURICATA)

      • CTF Loader.exe (PID: 316)

    • Connects to the CnC server

      • CTF Loader.exe (PID: 316)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • CTF Loader.exe (PID: 124)
      • CTF Loader.exe (PID: 316)

    • Reads the Internet Settings

      • CTF Loader.exe (PID: 124)

    • Application launched itself

      • CTF Loader.exe (PID: 124)

    • Connects to unusual port

      • CTF Loader.exe (PID: 316)

  • INFO

    • Creates files or folders in the user directory

      • CTF Loader.exe (PID: 124)
      • CTF Loader.exe (PID: 316)

    • Checks supported languages

      • CTF Loader.exe (PID: 124)
      • CTF Loader.exe (PID: 316)

    • Process checks whether UAC notifications are on

      • CTF Loader.exe (PID: 124)
      • CTF Loader.exe (PID: 316)

    • Create files in a temporary directory

      • CTF Loader.exe (PID: 124)
      • CTF Loader.exe (PID: 316)

    • Reads the computer name

      • CTF Loader.exe (PID: 124)
      • CTF Loader.exe (PID: 316)

    • Reads the machine GUID from the registry

      • CTF Loader.exe (PID: 124)
      • CTF Loader.exe (PID: 316)

    • Creates files in the program directory

      • CTF Loader.exe (PID: 316)

    • Reads Environment values

      • CTF Loader.exe (PID: 316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Nanocore

(PID) Process(316) CTF Loader.exe
KeyboardLoggingTrue
BuildTime2024-01-11 17:49:58.661672
Version1.2.2.0
Mutexc9aea832-64b3-4a54-a5dc-b3531f614eff
DefaultGroupDefault
PrimaryConnectionHost147.185.221.17
BackupConnectionHost147.185.221.17
ConnectionPort62984
RunOnStartupTrue
RequestElevationTrue
BypassUserAccountControlTrue
ClearZoneIdentifierTrue
ClearAccessControlTrue
SetCriticalProcessTrue
PreventSystemSleepTrue
ActivateAwayModeTrue
EnableDebugModeTrue
RunDelay0
ConnectDelay4000
RestartDelay5000
TimeoutInterval5000
KeepAliveTimeout30000
MutexTimeout5000
LanTimeout2500
WanTimeout8000
BufferSize65535
MaxPacketSize10485760
GCThreshold10485760
UseCustomDnsServerTrue
PrimaryDnsServer8.8.8.8
BackupDnsServer8.8.4.4
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:02:22 01:49:37+01:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 116736
InitializedDataSize: 449024
UninitializedDataSize: -
EntryPoint: 0x1e792
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ctf loader.exe #NANOCORE ctf loader.exe schtasks.exe no specs schtasks.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
124"C:\Users\admin\AppData\Local\Temp\CTF Loader.exe" C:\Users\admin\AppData\Local\Temp\CTF Loader.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ctf loader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
316"C:\Users\admin\AppData\Local\Temp\CTF Loader.exe" C:\Users\admin\AppData\Local\Temp\CTF Loader.exe
CTF Loader.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ctf loader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Nanocore
(PID) Process(316) CTF Loader.exe
KeyboardLoggingTrue
BuildTime2024-01-11 17:49:58.661672
Version1.2.2.0
Mutexc9aea832-64b3-4a54-a5dc-b3531f614eff
DefaultGroupDefault
PrimaryConnectionHost147.185.221.17
BackupConnectionHost147.185.221.17
ConnectionPort62984
RunOnStartupTrue
RequestElevationTrue
BypassUserAccountControlTrue
ClearZoneIdentifierTrue
ClearAccessControlTrue
SetCriticalProcessTrue
PreventSystemSleepTrue
ActivateAwayModeTrue
EnableDebugModeTrue
RunDelay0
ConnectDelay4000
RestartDelay5000
TimeoutInterval5000
KeepAliveTimeout30000
MutexTimeout5000
LanTimeout2500
WanTimeout8000
BufferSize65535
MaxPacketSize10485760
GCThreshold10485760
UseCustomDnsServerTrue
PrimaryDnsServer8.8.8.8
BackupDnsServer8.8.4.4
572"schtasks.exe" /create /f /tn "TCP Monitor" /xml "C:\Users\admin\AppData\Local\Temp\tmpFEC3.tmp"C:\Windows\System32\schtasks.exeCTF Loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
1236"schtasks.exe" /create /f /tn "TCP Monitor Task" /xml "C:\Users\admin\AppData\Local\Temp\tmpFF41.tmp"C:\Windows\System32\schtasks.exeCTF Loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
Total events
1 310
Read events
1 301
Write events
8
Delete events
1

Modification events

(PID) Process:(124) CTF Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(124) CTF Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(124) CTF Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(124) CTF Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(316) CTF Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:TCP Monitor
Value:
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
Executable files
2
Suspicious files
1
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
316CTF Loader.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\task.dattext
MD5:F92631D0BCBA68E58D2F2A93C4D0C5A9
SHA256:BF0A1ED5915F32EFCBB4729B7D7F7A66080D9B3E8BE16DA46581E9E68E0A0481
124CTF Loader.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.datbinary
MD5:71410FA43DD4F8658FF8AC6FC59CA747
SHA256:9FF77BDFD43E3557CF67DE4900CD986BBBA6ACE12B9EAC9F35D797D11CEE808B
316CTF Loader.exeC:\Program Files\TCP Monitor\tcpmon.exeexecutable
MD5:213BC04533BD88FA7D7E4C347B494D39
SHA256:CBD3C58617C3710AB3BBCCCDF6D3AB743149DBC983F6B93EB060ABD56CB55BD4
124CTF Loader.exeC:\Users\admin\AppData\Local\Temp\client.logtext
MD5:C4CF7EE3ED3E184A92F7AA9152F99F4B
SHA256:020A0ABF1AC3875FF17711B49982B10E01E8457FA4B7BBAEB6F747B2D1AA3C98
316CTF Loader.exeC:\Users\admin\AppData\Local\Temp\tmpFEC3.tmpxml
MD5:C11B8AB5A526E3276A7B1B6F44FF1870
SHA256:6084DE114BE6092687275F66D0FD56CF7EF49ACA15A80F2B49DB62C0D2B1F145
124CTF Loader.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exeexecutable
MD5:213BC04533BD88FA7D7E4C347B494D39
SHA256:CBD3C58617C3710AB3BBCCCDF6D3AB743149DBC983F6B93EB060ABD56CB55BD4
316CTF Loader.exeC:\Users\admin\AppData\Local\Temp\tmpFF41.tmpxml
MD5:E4118E3EC98934AA1D4235C87B44AA31
SHA256:EFC475D73603DF6A26978D7BCAC27004830137E97FDD1656140B4A08C07470D9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
0
Threats
1

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
316
CTF Loader.exe
147.185.221.17:62984
PLAYIT-GG
US
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
316
CTF Loader.exe
Malware Command and Control Activity Detected
ET MALWARE NanoCore RAT CnC 7
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CTF Loader.exe