Malware

What is “Win32/Injector.CTIO”?

Malware Removal

The Win32/Injector.CTIO is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
6-day free trial available.

What Win32/Injector.CTIO virus can do?

  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Presents an Authenticode digital signature
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Behavioural detection: Injection (inter-process)
  • Created a process from a suspicious location
  • Installs itself for autorun at Windows startup
  • CAPE detected the NetWire malware family
  • Creates a copy of itself
  • Anomalous binary characteristics

How to determine Win32/Injector.CTIO?


File Info:

name: DC99A05AE75E27B1672F.mlw
path: /opt/CAPEv2/storage/binaries/b33c399666d2d0e262bcc85fd81cdfb0ae347398b33891ad4e8103126f7240d3
crc32: 4301CDB0
md5: dc99a05ae75e27b1672f5d4597653230
sha1: ad35de263fc2d69b877e896135e99bb9b09b9830
sha256: b33c399666d2d0e262bcc85fd81cdfb0ae347398b33891ad4e8103126f7240d3
sha512: d86045ea07db7066cc047af6064d1cfe18372c8afdb1d81fc96b9ae41c4ac4cb5d19d26fe2ea42f751a7874ed57995c3b90032e1f66b8f66392df3fa06051265
ssdeep: 3072:skjO9B/hsalrSrMBxXoHTMEwuZTuXgJRZ8:m9phsauiCnTuXCm
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1C9E37C3352689730C6558F7BD97180D00C226F647A340E0F63EAF73A2A76E2AD566737
sha3_384: 7607aa342cc4c8b7865f3ebd586356ee0026a5988c19e022f942758c5c804c729c414ef44b4b1bc583b7f28c24b4e722
ep_bytes: 689c154000e8f0ffffff000000000000
timestamp: 2013-08-22 02:23:50

Version Info:

CompanyName: ESN Social Software AB
FileVersion: 0.70.4
ProductVersion: 0,70,4
LegalCopyright: Copyright © ESN Social Software AB 2008-2011
ProductName: ESN Sonar API
FileDescription: ESN Sonar Host Application
InternalName: SonarHost.exe
OriginalFilename: SonarHost.exe
Translation: 0x0409 0x04b0

Win32/Injector.CTIO also known as:

BkavW32.AIDetect.malware1
LionicTrojan.Win32.PonyStealer.4!c
Elasticmalicious (high confidence)
FireEyeGeneric.mg.dc99a05ae75e27b1
McAfeePWSZbot-FKS!DC99A05AE75E
ZillyaBackdoor.NetWiredRC.Win32.1167
SangforTrojan.Win32.Sabsik.FL
K7AntiVirusTrojan ( 005241f71 )
AlibabaBackdoor:Win32/NetWiredRC.e3289acb
K7GWTrojan ( 005241f71 )
Cybereasonmalicious.ae75e2
SymantecML.Attribute.HighConfidence
ESET-NOD32a variant of Win32/Injector.CTIO
APEXMalicious
Paloaltogeneric.ml
CynetMalicious (score: 99)
KasperskyBackdoor.Win32.NetWiredRC.esv
BitDefenderGen:Heur.PonyStealer.im1@raB3jPpG
MicroWorld-eScanGen:Heur.PonyStealer.im1@raB3jPpG
AvastWin32:Agent-BAWJ [Trj]
TencentWin32.Backdoor.Netwiredrc.Wuhd
Ad-AwareGen:Heur.PonyStealer.im1@raB3jPpG
SophosMal/Generic-R + Troj/VBInj-MJ
TrendMicroTROJ_GEN.R002C0PL921
McAfee-GW-EditionBehavesLike.Win32.Generic.ch
EmsisoftGen:Heur.PonyStealer.im1@raB3jPpG (B)
GDataGen:Heur.PonyStealer.im1@raB3jPpG
JiangminBackdoor.NetWiredRC.aej
AviraTR/Dropper.VB.Gen
Antiy-AVLTrojan/Generic.ASMalwS.240B695
GridinsoftRansom.Win32.Sabsik.sa
MicrosoftTrojan:Win32/Sabsik.FL.B!ml
BitDefenderThetaGen:NN.ZevbaF.34084.im1@aaB3jPpG
ALYacGen:Heur.PonyStealer.im1@raB3jPpG
MAXmalware (ai score=87)
VBA32BScope.Backdoor.DarkKomet
TrendMicro-HouseCallTROJ_GEN.R002C0PL921
YandexBackdoor.NetWiredRC!YRCFpK+h4nw
IkarusTrojan.Win32.Injector
MaxSecureTrojan.Malware.300983.susgen
FortinetW32/VBINJECT.SM!tr
AVGWin32:Agent-BAWJ [Trj]
PandaTrj/GdSda.A
CrowdStrikewin/malicious_confidence_80% (W)

How to remove Win32/Injector.CTIO?

Win32/Injector.CTIO removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

Leave a Comment