Forts[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Forts.exe
Size

6.9MB
MD5

6199fadc05c3c4bf66d47562e5dc0340
SHA1

28fce47d86c3c103b2d73cdfea0b66f0bcdd0847
SHA256

a4656a892916c08b771633f2c1c76c6c319f5474fcbb9bef424bb31330d43395
SHA512

1137aba4ce6c51d2b37e25dad13ce8917429a2606a653655e4b566c4f91156d3c3a3ff2c4f7d52fe73c359b9af1e5853c853e471ef09a2bc69a1c626f70cba19
SSDEEP

98304:3O2bxDLTmWZ4PVBP7w7AQG8+a4AXC49FYH:3O2l/qWetBP7wT+a4AXC49FYH

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Forts.exe

Files

Forts.exe
.exe windows:6 windows x64

bfa8f67622640ecc4b1b749e452063a2

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

steam_api64

SteamAPI_Shutdown
SteamGameServer_RunCallbacks
SteamGameServer_Shutdown
SteamInternal_GameServer_Init
SteamAPI_RegisterCallResult
SteamAPI_UnregisterCallResult
SteamAPI_RegisterCallback
SteamAPI_UnregisterCallback
SteamAPI_RunCallbacks
SteamGameServer_GetHSteamUser
SteamInternal_FindOrCreateGameServerInterface
SteamInternal_CreateInterface
SteamInternal_FindOrCreateUserInterface
SteamAPI_Init
SteamAPI_GetHSteamUser
SteamInternal_ContextInit

dbghelp

MiniDumpWriteDump

shlwapi

PathIsDirectoryA
PathIsDirectoryW

ws2_32

recvfrom
listen
accept
freeaddrinfo
WSAIoctl
setsockopt
ntohs
htons
getsockopt
getsockname
getpeername
connect
closesocket
bind
socket
htonl
ntohl
sendto
WSACleanup
send
WSAStartup
gethostname
gethostbyname
inet_ntoa
WSAGetLastError
getaddrinfo
ioctlsocket
recv
WSASetLastError
select
__WSAFDIsSet
inet_addr

fmod

?getChannelsPlaying@System@FMOD@@QEAA?AW4FMOD_RESULT@@PEAH0@Z
?setOutput@System@FMOD@@QEAA?AW4FMOD_RESULT@@W4FMOD_OUTPUTTYPE@@@Z
?getNumDrivers@System@FMOD@@QEAA?AW4FMOD_RESULT@@PEAH@Z
?getDriverInfo@System@FMOD@@QEAA?AW4FMOD_RESULT@@HPEADHPEAUFMOD_GUID@@PEAHPEAW4FMOD_SPEAKERMODE@@2@Z
?setDriver@System@FMOD@@QEAA?AW4FMOD_RESULT@@H@Z
?getDriver@System@FMOD@@QEAA?AW4FMOD_RESULT@@PEAH@Z
?setSoftwareChannels@System@FMOD@@QEAA?AW4FMOD_RESULT@@H@Z
?setAdvancedSettings@System@FMOD@@QEAA?AW4FMOD_RESULT@@PEAUFMOD_ADVANCEDSETTINGS@@@Z
?getAdvancedSettings@System@FMOD@@QEAA?AW4FMOD_RESULT@@PEAUFMOD_ADVANCEDSETTINGS@@@Z
?set3DSettings@System@FMOD@@QEAA?AW4FMOD_RESULT@@MMM@Z
?createStream@System@FMOD@@QEAA?AW4FMOD_RESULT@@PEBDIPEAUFMOD_CREATESOUNDEXINFO@@PEAPEAVSound@2@@Z
?getMasterChannelGroup@System@FMOD@@QEAA?AW4FMOD_RESULT@@PEAPEAVChannelGroup@2@@Z
?getUserData@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@PEAPEAX@Z
?setCallback@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@P6A?AW43@PEAUFMOD_CHANNELCONTROL@@W4FMOD_CHANNELCONTROL_TYPE@@W4FMOD_CHANNELCONTROL_CALLBACK_TYPE@@PEAX3@Z@Z
?setUserData@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@PEAX@Z
?getSoftwareFormat@System@FMOD@@QEAA?AW4FMOD_RESULT@@PEAHPEAW4FMOD_SPEAKERMODE@@0@Z
?createDSP@System@FMOD@@QEAA?AW4FMOD_RESULT@@PEBUFMOD_DSP_DESCRIPTION@@PEAPEAVDSP@2@@Z
?getRecordPosition@System@FMOD@@QEAA?AW4FMOD_RESULT@@HPEAI@Z
?isRecording@System@FMOD@@QEAA?AW4FMOD_RESULT@@HPEA_N@Z
?lock@Sound@FMOD@@QEAA?AW4FMOD_RESULT@@IIPEAPEAX0PEAI1@Z
?unlock@Sound@FMOD@@QEAA?AW4FMOD_RESULT@@PEAX0II@Z
?addDSP@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@HPEAVDSP@2@@Z
?removeDSP@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@PEAVDSP@2@@Z
?getPosition@Channel@FMOD@@QEAA?AW4FMOD_RESULT@@PEAII@Z
?getCurrentSound@Channel@FMOD@@QEAA?AW4FMOD_RESULT@@PEAPEAVSound@2@@Z
?getLength@Sound@FMOD@@QEAA?AW4FMOD_RESULT@@PEAII@Z
?set3DListenerAttributes@System@FMOD@@QEAA?AW4FMOD_RESULT@@HPEBUFMOD_VECTOR@@000@Z
?setMode@Sound@FMOD@@QEAA?AW4FMOD_RESULT@@I@Z
?createSound@System@FMOD@@QEAA?AW4FMOD_RESULT@@PEBDIPEAUFMOD_CREATESOUNDEXINFO@@PEAPEAVSound@2@@Z
?set3DMinMaxDistance@Sound@FMOD@@QEAA?AW4FMOD_RESULT@@MM@Z
?release@Sound@FMOD@@QEAA?AW4FMOD_RESULT@@XZ
?playSound@System@FMOD@@QEAA?AW4FMOD_RESULT@@PEAVSound@2@PEAVChannelGroup@2@_NPEAPEAVChannel@2@@Z
?setVolume@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@M@Z
?setPriority@Channel@FMOD@@QEAA?AW4FMOD_RESULT@@H@Z
?set3DAttributes@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@PEBUFMOD_VECTOR@@0@Z
?setPaused@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@_N@Z
?setVolumeRamp@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@_N@Z
?getIndex@Channel@FMOD@@QEAA?AW4FMOD_RESULT@@PEAH@Z
?getChannel@System@FMOD@@QEAA?AW4FMOD_RESULT@@HPEAPEAVChannel@2@@Z
?isPlaying@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@PEA_N@Z
?stop@ChannelControl@FMOD@@QEAA?AW4FMOD_RESULT@@XZ
?set3DCustomRolloff@Sound@FMOD@@QEAA?AW4FMOD_RESULT@@PEAUFMOD_VECTOR@@H@Z
?setPosition@Channel@FMOD@@QEAA?AW4FMOD_RESULT@@II@Z

fmodstudio

?unload@Bank@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@XZ
?getChannelGroup@Bus@Studio@FMOD@@QEBA?AW4FMOD_RESULT@@PEAPEAVChannelGroup@3@@Z
?unlockChannelGroup@Bus@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@XZ
?lockChannelGroup@Bus@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@XZ
?setVolume@Bus@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@M@Z
?getPlaybackState@EventInstance@Studio@FMOD@@QEBA?AW4FMOD_RESULT@@PEAW4FMOD_STUDIO_PLAYBACK_STATE@@@Z
?loadBankMemory@System@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@PEBDHW4FMOD_STUDIO_LOAD_MEMORY_MODE@@IPEAPEAVBank@23@@Z
?loadBankFile@System@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@PEBDIPEAPEAVBank@23@@Z
?getParameterByName@System@Studio@FMOD@@QEBA?AW4FMOD_RESULT@@PEBDPEAM1@Z
?getBus@System@Studio@FMOD@@QEBA?AW4FMOD_RESULT@@PEBDPEAPEAVBus@23@@Z
?getCoreSystem@System@Studio@FMOD@@QEBA?AW4FMOD_RESULT@@PEAPEAV13@@Z
?flushCommands@System@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@XZ
?release@System@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@XZ
?initialize@System@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@HIIPEAX@Z
?getAdvancedSettings@System@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@PEAUFMOD_STUDIO_ADVANCEDSETTINGS@@@Z
?setAdvancedSettings@System@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@PEAUFMOD_STUDIO_ADVANCEDSETTINGS@@@Z
?create@System@Studio@FMOD@@SA?AW4FMOD_RESULT@@PEAPEAV123@I@Z
?isOneshot@EventDescription@Studio@FMOD@@QEBA?AW4FMOD_RESULT@@PEA_N@Z
?getEvent@System@Studio@FMOD@@QEBA?AW4FMOD_RESULT@@PEBDPEAPEAVEventDescription@23@@Z
?setListenerAttributes@System@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@HPEBUFMOD_3D_ATTRIBUTES@@PEBUFMOD_VECTOR@@@Z
?loadSampleData@EventDescription@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@XZ
?createInstance@EventDescription@Studio@FMOD@@QEBA?AW4FMOD_RESULT@@PEAPEAVEventInstance@23@@Z
?set3DAttributes@EventInstance@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@PEBUFMOD_3D_ATTRIBUTES@@@Z
?start@EventInstance@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@XZ
?release@EventInstance@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@XZ
?setParameterByName@EventInstance@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@PEBDM_N@Z
?getLength@EventDescription@Studio@FMOD@@QEBA?AW4FMOD_RESULT@@PEAH@Z
?getID@EventDescription@Studio@FMOD@@QEBA?AW4FMOD_RESULT@@PEAUFMOD_GUID@@@Z
?setParameterByName@System@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@PEBDM_N@Z
?update@System@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@XZ
?setVolume@EventInstance@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@M@Z
?stop@EventInstance@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@W4FMOD_STUDIO_STOP_MODE@@@Z
?setPaused@EventInstance@Studio@FMOD@@QEAA?AW4FMOD_RESULT@@_N@Z

devil

ilOriginFunc
ilSetInteger
ilGetInteger
ilSave
ilLoadL
ilGetError
ilBindImage
ilEnable
ilDeleteImage
ilGenImage
ilInit

ilu

iluErrorString
iluInit
iluScale
iluFlipImage
iluGetInteger

ilut

ilutInit
ilutEnable
ilutGLBindTexImage
ilutGLTexImage
ilutGLScreen
ilutGetInteger
ilutGLBindMipmaps
ilutGLBuildMipmaps
ilutDisable
ilutRenderer

advapi32

GetUserNameA
CryptGenRandom
CryptGetHashParam
CryptAcquireContextA
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptReleaseContext

crypt32

CertFreeCertificateContext

wldap32

ord301
ord200
ord30
ord79
ord35
ord33
ord32
ord27
ord26
ord22
ord41
ord50
ord60
ord211
ord46
ord143

normaliz

IdnToAscii

kernel32

GetEnvironmentVariableA
VerSetConditionMask
SleepEx
WriteConsoleW
HeapSize
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
lstrcmpA
GetOEMCP
GetACP
LoadLibraryA
VerifyVersionInfoA
FindFirstFileExW
OutputDebugStringW
FlushFileBuffers
SetStdHandle
GetTimeZoneInformation
MoveFileExW
HeapReAlloc
CreateDirectoryW
EnumSystemLocalesW
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
IsValidCodePage
ExpandEnvironmentStringsA
SetHandleInformation
CreatePipe
CreateProcessW
LoadLibraryW
RtlUnwind
ReadConsoleW
GetConsoleMode
GetConsoleOutputCP
SetFilePointerEx
ReadFile
HeapAlloc
HeapFree
GetModuleFileNameW
WriteFile
GetStdHandle
SetEndOfFile
PeekNamedPipe
GetFileType
GetFileInformationByHandle
CreateFileW
ExitProcess
GetModuleHandleExW
FreeLibraryAndExitThread
ExitThread
CreateThread
RemoveDirectoryW
DeleteFileW
DuplicateHandle
GetTempPathW
GetFileAttributesExW
GetSystemDirectoryA
GetCurrentDirectoryW
SetCurrentDirectoryW
SetEnvironmentVariableW
GetFullPathNameW
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
GetLocalTime
CreateFileA
DeleteFileA
GetFileSizeEx
CloseHandle
CreateDirectoryA
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
GetFileAttributesA
GetFileAttributesW
GetFileTime
GetLastError
GlobalUnlock
GlobalLock
lstrlenW
MoveFileA
FileTimeToSystemTime
MultiByteToWideChar
WideCharToMultiByte
CreateToolhelp32Snapshot
SetEvent
ResetEvent
ReleaseSemaphore
WaitForSingleObject
CreateEventA
CreateSemaphoreA
GetModuleFileNameA
CopyFileA
CreateMutexA
ReleaseMutex
GetCurrentProcess
GetProcessId
GetCurrentThreadId
GetProcessHeap
HeapSetInformation
SetThreadAffinityMask
GetCurrentThread
Module32First
Module32Next
RemoveDirectoryA
GetModuleHandleA
Sleep
GlobalMemoryStatusEx
GetModuleHandleW
GetProcAddress
OutputDebugStringA
SetThreadPriority
GetDateFormatA
GetTimeFormatA
CompareFileTime
GetShortPathNameW
TerminateThread
GetSystemInfo
WaitForMultipleObjects
GetExitCodeProcess
SystemTimeToTzSpecificLocalTime
GetUserDefaultLCID
GetLocaleInfoA
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
InitializeCriticalSectionEx
TryEnterCriticalSection
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableCS
SleepConditionVariableSRW
WaitForSingleObjectEx
SwitchToThread
GetExitCodeThread
FormatMessageA
GetStringTypeW
QueryPerformanceCounter
QueryPerformanceFrequency
GetSystemTimeAsFileTime
GetTickCount64
EncodePointer
DecodePointer
CompareStringEx
GetCPInfo
LCMapStringEx
GetLocaleInfoEx
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
InitializeCriticalSectionAndSpinCount
CreateEventW
GetCurrentProcessId
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
RtlUnwindEx
RtlPcToFileHeader
RaiseException
SetLastError
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
GetDriveTypeW

user32

MessageBoxW
SetProcessDPIAware
LoadIconA
LoadCursorA
RegisterClassExW
AdjustWindowRectEx
CreateWindowExW
SetWindowPos
SetWindowTextA
SendMessageA
PeekMessageW
GetMessageW
TranslateMessage
DispatchMessageW
CallNextHookEx
SetWindowsHookExA
UnhookWindowsHookEx
DefWindowProcA
PeekMessageA
GetMessageA
DispatchMessageA
RegisterClassA
CreateWindowExA
GetWindowLongPtrA
SystemParametersInfoA
ShowWindow
PostQuitMessage
GetClientRect
DefWindowProcW
SetFocus
FlashWindowEx
GetClipboardData
ReleaseDC
ChangeDisplaySettingsExA
SetForegroundWindow
FindWindowW
MessageBoxA
DestroyWindow
EnumDisplayMonitors
GetDC
EnumDisplaySettingsA
CloseClipboard
OpenClipboard
EnumDisplaySettingsExA
GetWindowRect
GetWindowThreadProcessId
EnumWindows
BringWindowToTop
PtInRect
WindowFromPoint
ScreenToClient
ClientToScreen
GetCursorPos
SetCursorPos
GetActiveWindow
ShowCursor
GetKeyState
ClipCursor
GetSystemMetrics
GetMonitorInfoA

gdi32

SetPixelFormat
DescribePixelFormat
ChoosePixelFormat
SwapBuffers
GetDeviceCaps

shell32

ShellExecuteA
ShellExecuteExA
ShellExecuteW
SHFileOperationW

opengl32

glPopAttrib
glPushAttrib
glGenTextures
glPushClientAttrib
glPopClientAttrib
glViewport
glVertex3fv
glVertex3f
glVertex2fv
glVertex2f
glTranslatef
glTexSubImage2D
glTexParameteri
glTexParameterf
glTexImage2D
glTexEnvf
glTexCoord2fv
glTexCoord2f
glShadeModel
glScissor
glScalef
glRotatef
glReadPixels
glReadBuffer
glPushMatrix
glPopMatrix
wglGetCurrentDC
glPixelStorei
glOrtho
glNewList
glMultMatrixf
glMatrixMode
glLoadMatrixf
glLoadIdentity
glLineWidth
glHint
glGetString
glGetIntegerv
glGetFloatv
glGenLists
glFlush
glEndList
glEnd
glEnable
glDisable
glDepthFunc
glDeleteTextures
glDeleteLists
glColorMask
glColor4fv
glColor4f
glClearColor
glClear
glCallList
glBlendFunc
glBindTexture
glPolygonMode
glBegin
glAlphaFunc
wglMakeCurrent
wglGetProcAddress
wglGetCurrentContext
wglCreateContext

dinput8

DirectInput8Create

winmm

waveInStop
waveInClose

imm32

ImmGetContext
ImmAssociateContext

Sections

.text
Size: 5.3MB - Virtual size: 5.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 90KB - Virtual size: 161KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 193KB - Virtual size: 193KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 130KB - Virtual size: 130KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.bind
Size: 201KB - Virtual size: 201KB

IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

bfa8f67622640ecc4b1b749e452063a2

Headers

DLL Characteristics

File Characteristics

Imports

steam_api64

dbghelp

shlwapi

ws2_32

fmod

fmodstudio

devil

ilu

ilut

advapi32

crypt32

wldap32

normaliz

kernel32

user32

gdi32

shell32

opengl32

dinput8

winmm

imm32

Sections

.text Size: 5.3MB - Virtual size: 5.3MB

.rdata Size: 1.0MB - Virtual size: 1.0MB

.data Size: 90KB - Virtual size: 161KB

.pdata Size: 193KB - Virtual size: 193KB

_RDATA Size: 9KB - Virtual size: 8KB

.rsrc Size: 130KB - Virtual size: 130KB

.reloc Size: 21KB - Virtual size: 20KB

.bind Size: 201KB - Virtual size: 201KB

.text
Size: 5.3MB - Virtual size: 5.3MB

.rdata
Size: 1.0MB - Virtual size: 1.0MB

.data
Size: 90KB - Virtual size: 161KB

.pdata
Size: 193KB - Virtual size: 193KB

_RDATA
Size: 9KB - Virtual size: 8KB

.rsrc
Size: 130KB - Virtual size: 130KB

.reloc
Size: 21KB - Virtual size: 20KB

.bind
Size: 201KB - Virtual size: 201KB