ColdWare[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

ColdWare.exe
Size

3.5MB
MD5

0d5bc02b62f457cf716c0c4d0d1b43a5
SHA1

f36b24a1c7c96c4c14f9d6da16378bb6db977279
SHA256

706f76424b90046bb7663e376d95c06a5fa5cd4c3471054ca1367bbc7d59f7aa
SHA512

3983d0350f7e8f75f556193e2f899c10115baf581c709b9e1d09d5e0943a29be13e729fb7bdb1b28de15ab8ecfeb21fe8ad74113d8c3f741767d51ccbc5b4b47
SSDEEP

49152:OiZJMKqHPYlJPk3zhlkcUIPlVmnugqCAKrqUhGoEIFU79WkuXDVPOn:RTmYbPacuOFBtU5WLXxP

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ColdWare.exe

Files

ColdWare.exe
.exe windows:6 windows x64 arch:x64

9de95942b708326cba328a88751502e5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Serfux\Downloads\ColdWare Perm (PLS I NEED UEFI) (1)\ColdWare Perm (PLS I NEED UEFI)\examples\example_win32_directx9\ignore\ColdWare Perm.pdb

Imports

d3d9

Direct3DCreate9

kernel32

RtlLookupFunctionEntry
RtlVirtualUnwind
AreFileApisANSI
UnhandledExceptionFilter
IsProcessorFeaturePresent
GetStartupInfoW
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
GetFileInformationByHandleEx
SetFileInformationByHandle
ReleaseSRWLockExclusive
SleepConditionVariableSRW
WakeAllConditionVariable
HeapDestroy
LocalFree
SetFileAttributesW
GetConsoleWindow
GetLastError
GetFileAttributesW
CreateDirectoryW
GetTickCount64
CreateFileW
FindClose
GetTempPathW
SetFilePointer
WriteFile
FindNextFileW
FindFirstFileW
GetLogicalDrives
ReadFile
SetUnhandledExceptionFilter
GetModuleHandleW
GetSystemInfo
CreateFileA
Sleep
OpenProcess
TerminateProcess
VirtualAlloc
VirtualFree
VirtualProtect
CheckRemoteDebuggerPresent
IsDebuggerPresent
GetTickCount
GetThreadContext
LoadLibraryW
GetFileAttributesExW
FindFirstFileExW
HeapAlloc
HeapReAlloc
HeapFree
GetProcessHeap
MapViewOfFile
GetCurrentDirectoryW
GetLocaleInfoEx
WaitForMultipleObjects
CloseHandle
Process32FirstW
GetCurrentThread
OutputDebugStringW
Process32NextW
CreateToolhelp32Snapshot
GetCurrentProcess
QueryPerformanceCounter
FreeLibrary
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GetLocaleInfoA
GetModuleHandleA
GlobalUnlock
WideCharToMultiByte
HeapSize
InitializeCriticalSectionEx
DeleteCriticalSection
CreateThread
CreateFileMappingW
GetModuleFileNameA
GetModuleFileNameW
GlobalLock
GlobalFree
QueryFullProcessImageNameW
SetLastError
FormatMessageA
EnterCriticalSection
LeaveCriticalSection
SleepEx
GetSystemDirectoryA
VerifyVersionInfoA
MoveFileExA
WaitForSingleObjectEx
GetEnvironmentVariableA
GetStdHandle
CreateFileMappingA
UnmapViewOfFile
RtlCaptureContext
GlobalAlloc
MultiByteToWideChar
GetFileSizeEx
AcquireSRWLockExclusive
GetFileType
PeekNamedPipe

user32

GetClientRect
ReleaseCapture
SetCursorPos
GetCursorPos
GetMessageExtraInfo
OpenClipboard
CloseClipboard
EmptyClipboard
GetClipboardData
ScreenToClient
GetCapture
ClientToScreen
TrackMouseEvent
GetKeyboardLayout
SetCursor
SetCapture
LoadCursorW
IsWindowUnicode
GetWindowLongW
DefWindowProcW
GetWindowRect
DestroyWindow
CreateWindowExW
SetClipboardData
GetForegroundWindow
GetKeyState
wsprintfW
UpdateWindow
PostQuitMessage
LoadIconW
TranslateMessage
SetLayeredWindowAttributes
MoveWindow
PeekMessageW
SetWindowLongA
DispatchMessageW
ShowWindow
RegisterClassExW
UnregisterClassW
GetSystemMetrics
MessageBoxA

advapi32

CryptAcquireContextA
GetLengthSid
GetTokenInformation
InitializeAcl
CryptEncrypt
CryptImportKey
IsValidSid
SetSecurityInfo
CopySid
ConvertSidToStringSidA
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegOpenKeyExW
RegEnumKeyExW
RegQueryValueExW
RegCreateKeyW
LookupPrivilegeValueW
AdjustTokenPrivileges
AllocateAndInitializeSid
SetEntriesInAclW
RegCreateKeyExW
SetNamedSecurityInfoW
RegSetValueExW
OpenProcessToken
FreeSid
AddAccessAllowedAce

shell32

SHGetFolderPathW
SHGetMalloc
ShellExecuteW
SHBrowseForFolderW
SHGetPathFromIDListW
ShellExecuteA

ole32

CoCreateInstance
CoUninitialize
CoInitializeEx
CoSetProxyBlanket

oleaut32

SysFreeString
SysAllocString
VariantClear

msvcp140

?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??7ios_base@std@@QEBA_NXZ
??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ
??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z
?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ
??Bid@locale@std@@QEAA_KXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
_Thrd_join
_Query_perf_counter
_Thrd_id
?_Syserror_map@std@@YAPEBDH@Z
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
?_Random_device@std@@YAIXZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Xbad_function_call@std@@YAXXZ
?_Winerror_map@std@@YAHH@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
_Query_perf_frequency
_Thrd_detach
_Cnd_do_broadcast_at_thread_exit
?_Throw_Cpp_error@std@@YAXH@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z

imm32

ImmReleaseContext
ImmSetCompositionWindow
ImmGetContext
ImmSetCandidateWindow

dwmapi

DwmExtendFrameIntoClientArea

obsidium64

ord23

shlwapi

StrStrW
PathFindFileNameW
SHDeleteValueW
SHDeleteKeyW
PathFileExistsW

d3dx9_43

D3DXCreateTextureFromFileInMemoryEx

normaliz

IdnToAscii

wldap32

ord30
ord143
ord217
ord46
ord211
ord60
ord45
ord50
ord41
ord22
ord26
ord27
ord32
ord33
ord35
ord79
ord301
ord200

crypt32

CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA

ws2_32

WSACleanup
closesocket
recv
send
WSAStartup
accept
htonl
WSASetLastError
socket
WSAGetLastError
listen
bind
connect
ioctlsocket
getpeername
getsockname
getsockopt
htons
WSAIoctl
ntohl
gethostname
ntohs
sendto
recvfrom
freeaddrinfo
getaddrinfo
setsockopt
select
__WSAFDIsSet

rpcrt4

UuidCreate
UuidToStringA
RpcStringFreeA

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__current_exception
strchr
_CxxThrowException
memcmp
memchr
memset
memmove
memcpy
__intrinsic_setjmp
strrchr
wcsstr
__C_specific_handler
strstr
__std_terminate
__std_exception_copy
__std_exception_destroy
__current_exception_context
longjmp

api-ms-win-crt-stdio-l1-1-0

fread
_set_fmode
_lseeki64
__stdio_common_vsscanf
__p__commode
fwrite
feof
fputs
_read
_write
fsetpos
_close
_open
fclose
_popen
_pclose
fgets
ftell
__stdio_common_vfprintf
_get_stream_buffer_pointers
_fseeki64
fflush
ungetc
__acrt_iob_func
setvbuf
fgetpos
_wfopen
__stdio_common_vswprintf
fgetc
__stdio_common_vsprintf
fopen
fputc
fseek

api-ms-win-crt-utility-l1-1-0

srand
rand
qsort

api-ms-win-crt-string-l1-1-0

strncpy
iswctype
strcmp
_strdup
isupper
_wcsicmp
strncmp
tolower
strpbrk
strspn
strcspn

api-ms-win-crt-heap-l1-1-0

malloc
realloc
calloc
free
_set_new_mode
_callnewh

api-ms-win-crt-runtime-l1-1-0

_invalid_parameter_noinfo
_errno
terminate
_beginthreadex
abort
strerror
__sys_nerr
_resetstkoflw
exit
_invalid_parameter_noinfo_noreturn
_wassert
_register_thread_local_exe_atexit_callback
_c_exit
_getpid
_exit
_initterm_e
_initterm
_get_narrow_winmain_command_line
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
system

api-ms-win-crt-convert-l1-1-0

strtod
strtoul
atoi
strtoll
strtoull
strtol

api-ms-win-crt-math-l1-1-0

ceilf
cosf
fmodf
pow
powf
sqrtf
sinf
sqrt
_dclass
__setusermatherr
acosf

api-ms-win-crt-time-l1-1-0

_localtime64
strftime
_time64
_gmtime64

api-ms-win-crt-filesystem-l1-1-0

_stat64
_lock_file
_unlock_file
_fstat64
_access
_unlink

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
localeconv
_configthreadlocale

api-ms-win-crt-environment-l1-1-0

getenv

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 364KB - Virtual size: 363KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 55KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9de95942b708326cba328a88751502e5

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

d3d9

kernel32

user32

advapi32

shell32

ole32

oleaut32

msvcp140

imm32

dwmapi

obsidium64

shlwapi

d3dx9_43

normaliz

wldap32

crypt32

ws2_32

rpcrt4

psapi

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-environment-l1-1-0

Sections

.text Size: 1.2MB - Virtual size: 1.2MB

.rdata Size: 364KB - Virtual size: 363KB

.data Size: 1.9MB - Virtual size: 1.9MB

.pdata Size: 55KB - Virtual size: 55KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 5KB - Virtual size: 4KB

.text
Size: 1.2MB - Virtual size: 1.2MB

.rdata
Size: 364KB - Virtual size: 363KB

.data
Size: 1.9MB - Virtual size: 1.9MB

.pdata
Size: 55KB - Virtual size: 55KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 5KB - Virtual size: 4KB