MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5defb651584e12beeeec5442aca649e832e229f7db1ebc67b26f18e08950d117. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 8 File information Comments

SHA256 hash:	5defb651584e12beeeec5442aca649e832e229f7db1ebc67b26f18e08950d117
SHA3-384 hash:	5087efe987325707fb31e1c8c84ea1df442db9ce8585b0255e4840461d3d89eabba3ebb8a4784e191cac9439545ecdd0
SHA1 hash:	47ee8a14a178df4c304f03f5dc46623af6c65c83
MD5 hash:	fb2282398b87a96d584f5731ad8d6aed
humanhash:	violet-salami-bacon-edward
File name:	Coolex.dll
Download:	download sample
File size:	1'499'136 bytes
First seen:	2025-02-14 07:07:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:G6OmqcT7TsTEgc5+uaruzqKuAUlJj/+wIJU5W+D0mM3xL:G6Om1T7TsTEgcx9qKqJj/pJ9uBL
TLSH	T1F965A3933B058D82D63613F9D192C2785363AECA2232D30B29F5FEA7BDB23931D45546
TrID	56.5% (.EXE) Win64 Executable (generic) (10522/11/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
File icon (PE):
dhash icon	8460f97878f16008
Reporter	dsadsasd
Tags:	exe stealer loader

dsadsasd

The website coolexcall.pro presented itself as a platform for job seekers, enticing potential candidates with appealing offers for employment. Here’s a detailed breakdown of the incident:

Misleading Job Offers:
The site advertised employment opportunities to attract users. The service appeared legitimate at first glance, promising to connect job seekers with employers.

Initiating Contact via App Calls:
Once a user registered or expressed interest in a job, the platform arranged a call through its dedicated application. This call was positioned as a step in the job interview or onboarding process.

Exploitation Through Invite Code:
During the call, users received an invite code that triggered the automatic download of a malicious software known as a malware stealer. This code exploited vulnerabilities in the application, bypassing standard security measures.

Malware Stealer Operation:
The malware was designed to covertly harvest sensitive information from the user’s device. This includes login credentials, financial data, and other personal details, which could later be used for unauthorized financial transactions or identity theft.

Additional Company and Service Details:

The Company: The entity behind coolexcall.pro operated under the guise of a recruitment service. However, evidence suggests that the company’s primary intent was to propagate malware rather than facilitate genuine job placements.
The Product/Service Offered: On the surface, the service was marketed as a platform that connects job seekers with potential employers. In reality, it used this façade to build trust and lure users into a cyber trap. The product’s underlying mechanism, involving the invite code during app calls, was exploited to deploy malicious software on unsuspecting users’ devices.
Conclusion:
What happened was a calculated cyber-attack where a fake job recruitment service was used as a cover to distribute harmful malware. The deceptive strategy relied on social engineering to lower the victim's guard, making the malware download appear as a routine part of the job application process. This breach not only endangered personal and financial information but also raised serious concerns about the security protocols in place on similar platforms.

Intelligence

File Origin

# of uploads :

# of downloads :

509

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Coolex.dll

Verdict:

No threats detected

Analysis date:

2025-02-14 07:36:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b3084f3f-9c17-4f57-aadb-19b0b4d4f19f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Malware.30425.UnRegNetReactor.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67aeebdda0fd713c335acab6

Tags:

n/a

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cryptor_detected masquerade net_reactor obfuscated obfuscated obfuscated packed

Link:

https://www.filescan.io/uploads/67aeebdbfc59120fe522ad2d/reports/d3dfb5d8-3269-482b-a764-39b037c5798e/overview

Verdict:

Malicious

Labled as:

Tedy.Generic

Link:

https://www.hybrid-analysis.com/sample/5defb651584e12beeeec5442aca649e832e229f7db1ebc67b26f18e08950d117

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/6037459c-7ff4-4ccd-9c2a-21ae899f7865

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1614882

Signature

.NET source code contains potential unpacker

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

72%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5defb651584e12beeeec5442aca649e832e229f7db1ebc67b26f18e08950d117

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5defb651584e12beeeec5442aca649e832e229f7db1ebc67b26f18e08950d117/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lxx3mukyjyjl53xmkrbkzjsj5azoekpx3mplyz5sn4mobckq2elq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery

Link:

https://tria.ge/reports/250214-hx9yesxkcz/

Behaviour

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

.NET Reactor proctector

Downloads MZ/PE file

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/07883429-c50f-473a-ae6d-96bac134c447

Unpacked files

SH256 hash:

5defb651584e12beeeec5442aca649e832e229f7db1ebc67b26f18e08950d117

MD5 hash:

fb2282398b87a96d584f5731ad8d6aed

SHA1 hash:

47ee8a14a178df4c304f03f5dc46623af6c65c83

Link:

https://www.unpac.me/results/e1188e22-a67b-496d-87ab-9d0dfbcedb61/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5defb651584e12beeeec5442aca649e832e229f7db1ebc67b26f18e08950d117

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DotNet_Reactor Create hunting rule
Author:	@bartblaze
Description:	Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.

Rule name:	INDICATOR_EXE_Packed_DotNetReactor Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with unregistered version of .NET Reactor

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	PureCrypter Create hunting rule
Author:	@bartblaze
Description:	Identifies PureCrypter, .NET loader and obfuscator.
Reference:	https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 5defb651584e12beeeec5442aca649e832e229f7db1ebc67b26f18e08950d117

(this sample)

Link

https://www.dropbox.com/scl/fi/2pxd5yypp23kxhcq0ug3n/Coolex-Setup.exe?rlkey=gzx7ofk1mzg07544macdlt038&st=x81nhex9&dl=1

Link

https://www.dropbox.com/scl/fi/k0n37pkqi8ci4io5s87so/Coolex.dmg?rlkey=xy6cmwnwhd3r9f28xshfp6x47&st=m2ceeivb&dl=1

Dropping

stealers

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample