ColdRain[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

ColdRain.exe
Size

1.4MB
MD5

f89a1e79b22e38b99e272920b92ca8ae
SHA1

ff992cba0525b5899909c6dae564ebf9da0a1665
SHA256

362ad49e5ec7e73c16594b6326ce5b1753e2da1db01fd6c8195ef314c51b5671
SHA512

060953a35ea172f5151f78bb67682ceb4c439f7e835df0d3c0ba68341e19a2adc9a2b473f535d6fbe137d4f627cf4bcae7da0e5895a5b7d01aa594b50d8646c6
SSDEEP

24576:H9E6V0T5DNLvrHpbA+ePguiFMNhLAnuo60OegX7Aozptl7ByVi:Ht6T5txePbFhEnI0ErvzdBa

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ColdRain.exe

Files

ColdRain.exe
.exe windows:6 windows x64

2bf71ae9c610d600a4d26255b87cfc89

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GetFileSizeEx
CreateFileA
WaitForMultipleObjects
PeekNamedPipe
ReadFile
Sleep
GetStdHandle
GetEnvironmentVariableA
WaitForSingleObjectEx
MoveFileExA
GetTickCount
VerifyVersionInfoA
GetSystemDirectoryA
SleepEx
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
EnterCriticalSection
LocalFree
IsProcessorFeaturePresent
IsDebuggerPresent
RtlCaptureContext
CloseHandle
FormatMessageA
SetLastError
GetModuleFileNameA
CreateThread
DeleteCriticalSection
InitializeCriticalSectionEx
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
GetStartupInfoW
GetModuleHandleW
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
OutputDebugStringW
GetCurrentProcess
GlobalAlloc
LeaveCriticalSection
GetLastError
Beep
VerifyVersionInfoW
LoadLibraryA
GetProcAddress
GetModuleHandleA
FreeLibrary
QueryPerformanceFrequency
QueryPerformanceCounter
VerSetConditionMask
WideCharToMultiByte
MultiByteToWideChar
GlobalFree
GlobalLock
GlobalUnlock
GetFileType

user32

GetClientRect
AdjustWindowRectEx
SetCursorPos
ShowWindow
GetDesktopWindow
MessageBoxA
GetWindowRect
UpdateWindow
PostQuitMessage
SetCursor
DispatchMessageA
TranslateMessage
ScreenToClient
EnumDisplayMonitors
GetMonitorInfoA
SetWindowTextW
MonitorFromWindow
LoadCursorA
ReleaseDC
SetWindowLongW
SetWindowLongA
CloseClipboard
ClientToScreen
GetCursorPos
PeekMessageA
OpenClipboard
GetDC
SetForegroundWindow
GetWindowLongW
GetForegroundWindow
ReleaseCapture
SetCapture
GetCapture
GetKeyState
SetFocus
WindowFromPoint
DestroyWindow
IsChild
CreateWindowExA
RegisterClassExA
UnregisterClassA
DefWindowProcA
EmptyClipboard
GetClipboardData
SetClipboardData
SetWindowPos
IsIconic
BringWindowToTop
SetLayeredWindowAttributes

gdi32

GetDeviceCaps

shell32

ShellExecuteA

imm32

ImmSetCompositionWindow
ImmGetContext
ImmReleaseContext

msvcp140

?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xbad_function_call@std@@YAXXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
_Thrd_detach
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
_Query_perf_frequency
_Query_perf_counter
_Xtime_get_ticks
?uncaught_exception@std@@YA_NXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
_Cnd_do_broadcast_at_thread_exit
?_Throw_Cpp_error@std@@YAXH@Z
??Bid@locale@std@@QEAA_KXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?good@ios_base@std@@QEBA_NXZ
_Thrd_sleep
?flags@ios_base@std@@QEBAHXZ
?width@ios_base@std@@QEBA_JXZ
?width@ios_base@std@@QEAA_J_J@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ

d3d9

Direct3DCreate9

normaliz

IdnToAscii

wldap32

ord60
ord45
ord50
ord41
ord22
ord26
ord27
ord301
ord33
ord35
ord79
ord211
ord46
ord217
ord143
ord30
ord200
ord32

crypt32

CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore

ws2_32

sendto
ntohl
gethostname
recvfrom
freeaddrinfo
select
__WSAFDIsSet
ioctlsocket
listen
htonl
accept
WSACleanup
WSAStartup
WSAIoctl
WSASetLastError
socket
setsockopt
ntohs
htons
getsockopt
getsockname
getpeername
connect
bind
WSAGetLastError
send
recv
closesocket
getaddrinfo

rpcrt4

UuidCreate
RpcStringFreeA
UuidToStringA

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140

__std_exception_destroy
__std_exception_copy
memcmp
strchr
__current_exception
memmove
memcpy
memchr
strstr
__std_terminate
strrchr
__C_specific_handler
memset
_CxxThrowException
__current_exception_context

vcruntime140_1

__CxxFrameHandler4

api-ms-win-crt-string-l1-1-0

strncmp
strncpy
strpbrk
strcmp
tolower
strcspn
strspn
isupper
_strdup

api-ms-win-crt-runtime-l1-1-0

_register_thread_local_exe_atexit_callback
_configure_narrow_argv
_invalid_parameter_noinfo_noreturn
exit
_initialize_narrow_environment
_wassert
_initialize_onexit_table
terminate
_c_exit
_beginthreadex
_resetstkoflw
_errno
_exit
_initterm_e
_register_onexit_function
_initterm
_invalid_parameter_noinfo
_get_narrow_winmain_command_line
__sys_nerr
strerror
_set_app_type
_seh_filter_exe
abort
_crt_atexit
_cexit
_getpid

api-ms-win-crt-stdio-l1-1-0

fread
fflush
fgets
_pclose
_popen
fclose
_set_fmode
_wfopen
__acrt_iob_func
ftell
_open
ungetc
setvbuf
_fseeki64
fsetpos
fputc
fgetpos
fgetc
_get_stream_buffer_pointers
_close
_write
_read
__p__commode
fwrite
__stdio_common_vsprintf
__stdio_common_vsscanf
fseek
_lseeki64
fopen
fputs
feof

api-ms-win-crt-heap-l1-1-0

malloc
free
_callnewh
realloc
_set_new_mode
calloc

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-math-l1-1-0

sinf
_dclass
__setusermatherr
cosf
acosf
fmodf
ceilf
sqrtf

api-ms-win-crt-convert-l1-1-0

strtol
strtod
atoi
strtoull
strtoll
strtoul

api-ms-win-crt-filesystem-l1-1-0

_access
_unlock_file
_unlink
_fstat64
_lock_file
_stat64

api-ms-win-crt-locale-l1-1-0

localeconv
_configthreadlocale

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64

advapi32

GetLengthSid
GetTokenInformation
IsValidSid
ConvertSidToStringSidA
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptEncrypt
OpenProcessToken
CopySid

Sections

.text
Size: 753KB - Virtual size: 753KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 595KB - Virtual size: 594KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

2bf71ae9c610d600a4d26255b87cfc89

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

imm32

msvcp140

d3d9

normaliz

wldap32

crypt32

ws2_32

rpcrt4

psapi

userenv

vcruntime140

vcruntime140_1

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-time-l1-1-0

advapi32

Sections

.text Size: 753KB - Virtual size: 753KB

.rdata Size: 595KB - Virtual size: 594KB

.data Size: 3KB - Virtual size: 6KB

.pdata Size: 33KB - Virtual size: 33KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 753KB - Virtual size: 753KB

.rdata
Size: 595KB - Virtual size: 594KB

.data
Size: 3KB - Virtual size: 6KB

.pdata
Size: 33KB - Virtual size: 33KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 1KB - Virtual size: 1KB