MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 555d0020f21f464dbf6e2a43ed8c0cfc024a189953d19e712a65d61dc224dab5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 555d0020f21f464dbf6e2a43ed8c0cfc024a189953d19e712a65d61dc224dab5
SHA3-384 hash: 543a041c6a0fe3ae79ad89c98aaddd659be1f15271136a7b1c4ca66d83d995c0e3f4e283b7fc8573b8ed0160f988d1ac
SHA1 hash: b1859ca3736cc8db365f81b17245d747fb6f4f29
MD5 hash: 84657efa0b64174db53c6f690ee1130e
humanhash: solar-cold-one-august
File name:CyberFortress.exe
Download: download sample
File size:74'630'730 bytes
First seen:2023-12-07 19:01:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:oHpHvAnclquhQdOza6wD/iamMXsTw6KI7PbVpOgqm64YBY99v/I:oVGcoLdOzalDaamksTw6fDVpOgxKY9Jg
TLSH T1A5F7330C4BB48F27CD40643C1CB29AAE56AFAD79020F9B33755C39B5DA77B8399412C9
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon ccb2b970f8f9f0e4
Reporter Xev
Tags:BbyStealer exe


Avatar
NIXLovesCooper
Distributed via: https://vpncyberfortress.com/
https://cdn.discordapp.com/attachments/1178066284966056009/1182121604843569222/CyberFortressVPN.zip?ex=65838b89&is=65711689&hm=568c88b52d96226a7f42744aceb5bf3a68112021c5c51bafedd1cad369721b20&

Intelligence

File Origin
# of uploads :
1
# of downloads :
350
Origin country :
GR GR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Searching for the window
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Changing a file
DNS request
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6572167b3636548f37411b18/reports/bf76b824-f283-4942-a0c5-b71ea5543a92/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/555d0020f21f464dbf6e2a43ed8c0cfc024a189953d19e712a65d61dc224dab5
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
adwa.spyw
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1355742
Signature
Drops large PE files
Drops PE files to the startup folder
Multi AV Scanner detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1355742 Sample: CyberFortress.exe Startdate: 07/12/2023 Architecture: WINDOWS Score: 60 52 rufflesrefined.com 2->52 56 Multi AV Scanner detection for dropped file 2->56 8 CyberFortress.exe 11 2->8         started        13 CyberFortress.exe 11 192 2->13         started        15 Updater.exe 2->15         started        signatures3 process4 dnsIp5 54 rufflesrefined.com 172.67.218.203, 443, 49736, 49737 CLOUDFLARENETUS United States 8->54 34 C:\Users\user\AppData\Roaming\...\Updater.exe, PE32+ 8->34 dropped 36 f151bc01-6b49-448b...9b1fe8bb2d.tmp.node, PE32+ 8->36 dropped 38 b0d810f2-61e3-454b...35ce4589e7.tmp.node, PE32+ 8->38 dropped 46 3 other malicious files 8->46 dropped 58 Drops PE files to the startup folder 8->58 60 Tries to harvest and steal browser information (history, passwords, etc) 8->60 62 Drops large PE files 8->62 17 CyberFortress.exe 1 8->17         started        20 cmd.exe 1 8->20         started        22 cmd.exe 8->22         started        24 CyberFortress.exe 1 8->24         started        40 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 13->40 dropped 42 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 13->42 dropped 44 C:\Users\user\AppData\Local\...\libGLESv2.dll, PE32+ 13->44 dropped 48 14 other files (5 malicious) 13->48 dropped file6 signatures7 process8 dnsIp9 50 chrome.cloudflare-dns.com 162.159.61.3, 443, 49851 CLOUDFLARENETUS United States 17->50 26 tasklist.exe 1 20->26         started        28 conhost.exe 20->28         started        30 tasklist.exe 1 22->30         started        32 conhost.exe 22->32         started        process10
Score:
15%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/555d0020f21f464dbf6e2a43ed8c0cfc024a189953d19e712a65d61dc224dab5
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kvoqaihsd5de3p3ofjb63dam7qbeugezkpiz44jkmxlb3qre3k2q._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/231207-xpbg8aee73/
Behaviour
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zip 53ee6332f7d557bbc438fbce2d121700ec1fdd229016a98b4e1138059b0f9035

Executable exe 555d0020f21f464dbf6e2a43ed8c0cfc024a189953d19e712a65d61dc224dab5

(this sample)

  
Delivery method
Distributed via web download
  
Dropped by
SHA256 53ee6332f7d557bbc438fbce2d121700ec1fdd229016a98b4e1138059b0f9035
  
Dropped by
MD5 a565115b915c19305138045c3e5bad75

Comments