MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d635449c54ead00d629bc05c87146b3942375cc67b4726c31ea6a3dfbe298fbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d635449c54ead00d629bc05c87146b3942375cc67b4726c31ea6a3dfbe298fbc
SHA3-384 hash: fa10e15f12418e6f624a189cbdb7fd0bfd19562d109930ab8b9003d173eb58edecba356d41db77216d2e4d779305be7b
SHA1 hash: 572d425610224a7f9e8874abd2b0b7d76cd22bf2
MD5 hash: f63c3b09477f0fd95a747f9491044923
humanhash: hamper-one-early-hydrogen
File name:Cohr.exe
Download: download sample
File size:1'973'248 bytes
First seen:2025-01-23 17:00:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash db509f0d296d268770c3b20bf5581bd7 (1 x DiskWriter)
ssdeep 24576:sHnaHPB9cf8XFqztAWByVFdk52o/pQ0WfMQ1jEqpFfrRV+:BH59cf8XFqztAWByVFdOF/Gn1YIdrRV+
Threatray 37 similar samples on MalwareBazaar
TLSH T17995B0E2BD429CA2E450A13689FD822402BBEEE4578E7B5709747D360E731D27DBD306
TrID 36.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.4% (.EXE) Win64 Executable (generic) (10522/11/4)
7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
File icon (PE):PE icon
dhash icon b6a28fb548b9312b
Reporter MrMalware
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
442
Origin country :
CL CL
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Tiggre-7061386-1
Create hunting rule

SecuriteInfo.com.Dropped.Trojan.Agent.EFKO.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Launching a process
Using the Windows Management Instrumentation requests
Low-level writing
Launching a tool to kill processes
Rewriting of the hard drive's master boot record
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug crypt packed packed packer_detected purebasic sality xpack
Link:
https://www.filescan.io/uploads/6792764d3d7544eea6b63b4a/reports/6da45261-4386-4798-940b-63c4383ddf51/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/d635449c54ead00d629bc05c87146b3942375cc67b4726c31ea6a3dfbe298fbc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CoViper
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d58cb3ab-5919-406f-858b-4f0e64c266b6
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1597825
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Infects the boot sector of the hard disk
Infects the VBR (Volume Boot Record) of the hard disk
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Writes directly to the primary disk partition (DR0)
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1597825 Sample: Cohr.exe Startdate: 23/01/2025 Architecture: WINDOWS Score: 100 32 Antivirus / Scanner detection for submitted sample 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Machine Learning detection for sample 2->36 38 5 other signatures 2->38 7 Cohr.exe 14 2->7         started        process3 file4 22 C:\Users\user\AppData\Local\...\noise.exe, PE32 7->22 dropped 24 C:\Users\user\AppData\Local\Temp\...\mbr.exe, PE32 7->24 dropped 26 C:\Users\user\AppData\...\ScreenShuffle.exe, PE32 7->26 dropped 28 5 other malicious files 7->28 dropped 10 cmd.exe 3 2 7->10         started        process5 process6 12 mbr.exe 10->12         started        16 noise.exe 10->16         started        18 PatBlt2.exe 10->18         started        20 13 other processes 10->20 file7 30 \Device\Harddisk0\DR0, DOS/MBR 12->30 dropped 40 Antivirus detection for dropped file 12->40 42 Multi AV Scanner detection for dropped file 12->42 44 Machine Learning detection for dropped file 12->44 46 3 other signatures 12->46 signatures8
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d635449c54ead00d629bc05c87146b3942375cc67b4726c31ea6a3dfbe298fbc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d635449c54ead00d629bc05c87146b3942375cc67b4726c31ea6a3dfbe298fbc/
Threat name:
Win32.Trojan.MintDreidel
Create hunting rule
Status:
Malicious
First seen:
2022-09-18 17:16:51 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2y2ujhcu5lia2yu3yboiofdlhfbdoxggpndsnqy6u2r57prjr66a._file
Verdict:
malicious
Label(s):
koadic
Create hunting rule
coviper
Create hunting rule
Similar samples:
2bfcc18ff3157d5b800d7d8f3d2ca77a131f228a7e37c64632977073efa9d279
4d5ee9d005508709e50b4a44656d0765c4c1e0e050bc8c20f10748d2a58cef45
8fc9d465bcff096b9b7b2a47e093d1e178a8b657749f763ab406b93b3c0c9359
9076b1f904d3f53fcad6a38b7852ed9cb08905f71560dde89db1026c839b77bd
d15393560f3366bf8e1cc8d9eca6e5bfb5a35e26d7217e4470fd121bb12d6ab7
d635449c54ead00d629bc05c87146b3942375cc67b4726c31ea6a3dfbe298fbc
ee7023733d42f6c5eb92a39f3746318100d74e93c01358b9d658eac84e9d87ab
error
fb6bf8580ff8831da630b82fab6bcdd0de64f28368e522a83366a2c078bd232e
+ 27 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
bootkit discovery persistence
Link:
https://tria.ge/reports/250123-vjh9rswnes/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Writes to the Master Boot Record (MBR)
Checks computer location settings
Executes dropped EXE
Verdict:
Malicious
Tags:
Win.Dropper.Tiggre-7061386-1
YARA:
n/a
Link:
https://app.threat.zone/submission/e349469b-253b-45ce-a83c-0693469b828b
Unpacked files
SH256 hash:
1b4dce776992e1d51df9de1bdbee53bd38691070885f016b728a65579fa8ccc8
MD5 hash:
76a1a0e8eeae163bec539c7263279ae4
SHA1 hash:
a8435417cecd901fe9c9b96c0e828449e1569306
Detections:
win_coviper_auto
Create hunting rule
Link:
https://www.unpac.me/results/d551bc9a-bb58-4504-a1af-fc7f3b34d682/
SH256 hash:
d635449c54ead00d629bc05c87146b3942375cc67b4726c31ea6a3dfbe298fbc
MD5 hash:
f63c3b09477f0fd95a747f9491044923
SHA1 hash:
572d425610224a7f9e8874abd2b0b7d76cd22bf2
Link:
https://www.unpac.me/results/d551bc9a-bb58-4504-a1af-fc7f3b34d682/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d635449c54ea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d635449c54ead00d629bc05c87146b3942375cc67b4726c31ea6a3dfbe298fbc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PureBasic4xNeilHodgson
Create hunting rule
Author:malware-lu
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaWINMM.DLL::timeBeginPeriod
SHELL_APIManipulates System ShellSHELL32.DLL::ShellExecuteExA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::RemoveDirectoryA
WIN_USER_APIPerforms GUI ActionsUSER32.DLL::PeekMessageA
USER32.DLL::CreateWindowExA

Comments