win.coldseal

Cold$eal

aka: ColdSeal

Cold$eal is a packer for encrypting ("sealing") malware. It contains some AV-evasion techniques as well as some sandbox detection. It was developed by $@dok (aka Sadok aka Coldseal).
It was available as a cryptor service under the URL coldseal.us and was later sold as a toolkit consisting of the cryptor and a custom-made cryptostub, including a FUD (fully undetectable) guarantee backed by free updates to the cryptostub. The payload is encrypted using RC4 and added to the cryptostub as a resource; the encryption key itself is stored inside that same resource. On start-up the cryptostub extracts the key, decrypts the payload and performs a self-injection using the now-decrypted payload.
Note: The packed sample provided contains a harmless payload, while the unpacked sample is the bare cryptostub without a payload.
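The description above gives the unsealing logic (key and ciphertext in one resource, RC4, then self-injection) but not the byte layout of the resource. The following is an added example, not Cold$eal's own code or a tool from any of the referenced articles: it implements RC4, seals a constructed stand-in payload into a resource blob using an assumed layout (a one-byte key length, the key, then the ciphertext; that layout is a hypothesis for the demo, not a documented Cold$eal format), unseals it the way the stub would at start-up, and also recovers the key without knowing the layout by trying blob prefixes as candidate keys and accepting only plaintext that looks like a PE file. All function names and the sample payload are constructed for this example.

```python
"""Added example (not Cold$eal's own code): recover an RC4-'sealed' payload
from a resource blob in which the key is stored next to the ciphertext.

The page only states that the key lives in the same resource as the payload;
the exact layout is NOT documented there. Two strategies are shown:

1. unseal_resource(): parse an ASSUMED layout [key_len:1][key][rc4(payload)].
   This layout is a hypothesis for the demo, not a documented Cold$eal format.
2. recover_key_by_prefix(): layout-agnostic search that treats the first
   1..MAX_KEY_LEN bytes (at offset 0 or 1) as the candidate key, decrypts the
   remainder and accepts the result only if it looks like a PE image.
"""
import struct

MAX_KEY_LEN = 32  # assumption: real-world crypter keys are short


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so this both seals and unseals."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray(len(data))
    i = j = 0
    for n, c in enumerate(data):               # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = c ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Cheap plausibility check: DOS 'MZ' header and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def seal_resource(key: bytes, payload: bytes) -> bytes:
    """Build a resource blob in the ASSUMED layout: [key_len][key][rc4(payload)]."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, payload)


def unseal_resource(blob: bytes) -> bytes:
    """Inverse of seal_resource(); mirrors what the stub does at start-up."""
    key_len = blob[0]
    key, ciphertext = blob[1:1 + key_len], blob[1 + key_len:]
    return rc4(key, ciphertext)


def recover_key_by_prefix(blob: bytes, max_key_len: int = MAX_KEY_LEN):
    """Layout-agnostic recovery: try each prefix length as the key and keep the
    first decryption that yields a PE-looking image. Returns (key, plaintext)
    or None. Only assumes the key precedes the ciphertext (offset 0 or 1)."""
    for start in (0, 1):
        for klen in range(1, max_key_len + 1):
            key = blob[start:start + klen]
            if len(key) < klen:
                break
            plaintext = rc4(key, blob[start + klen:])
            if looks_like_pe(plaintext):
                return key, plaintext
    return None


def make_fake_pe(size: int = 0x200) -> bytes:
    """Constructed stand-in payload: minimal MZ header plus a PE signature."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    body = bytearray(size - len(hdr))
    body[e_lfanew - len(hdr):e_lfanew - len(hdr) + 4] = b"PE\0\0"
    return bytes(hdr + body)


if __name__ == "__main__":
    payload = make_fake_pe()                       # constructed sample input
    blob = seal_resource(b"c0ld$e4l-key", payload) # constructed sample key
    assert unseal_resource(blob) == payload
    key, recovered = recover_key_by_prefix(blob)
    print("recovered key:", key, "| PE plausible:", looks_like_pe(recovered))
```

In practice you would feed `recover_key_by_prefix()` the raw bytes of the suspicious resource extracted from the cryptostub (for example with a PE parser) and, if the assumed layout does not hold, widen the candidate offsets; the PE plausibility check is what keeps the brute force from accepting garbage.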

References
2019-03-13 | MyOnlineSecurity | MyOnlineSecurity
@online{myonlinesecurity:20190313:fake:b89ed04, author = {MyOnlineSecurity}, title = {{Fake CDC Flu Pandemic Warning delivers Gandcrab 5.2 ransomware}}, date = {2019-03-13}, organization = {MyOnlineSecurity}, url = {https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/}, language = {English}, urldate = {2020-11-26} }
Families: Cold$eal, Gandcrab
2018-03-04 | Youtube (OALabs) | Sergei Frankoff
@online{frankoff:20180304:unpacking:4d7dc7c, author = {Sergei Frankoff}, title = {{Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request}}, date = {2018-03-04}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=242Tn0IL2jE}, language = {English}, urldate = {2020-01-08} }
Families: Cold$eal, GootKit
2017-08-20 | MyOnlineSecurity | MyOnlineSecurity
@online{myonlinesecurity:20170820:return:cf54ed9, author = {MyOnlineSecurity}, title = {{return of fake UPS cannot deliver malspam with an updated nemucod ransomware and Kovter payload}}, date = {2017-08-20}, organization = {MyOnlineSecurity}, url = {http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/}, language = {English}, urldate = {2020-11-26} }
Families: Cold$eal, Locky
2012-01-08 | XyliBox | Xylitol
@online{xylitol:20120108:coldeal:2a4bafe, author = {Xylitol}, title = {{Cold$eal: 'Situation is under control'}}, date = {2012-01-08}, organization = {XyliBox}, url = {https://www.xylibox.com/2012/01/coldeal-situation-is-under-control.html}, language = {English}, urldate = {2020-11-26} }
Families: Cold$eal
2012-01-06 | XyliBox | Xylitol
@online{xylitol:20120106:cracking:8add3f8, author = {Xylitol}, title = {{Cracking Cold$eal 5.4.1 FWB++}}, date = {2012-01-06}, organization = {XyliBox}, url = {https://www.xylibox.com/2012/01/cracking-coldeal-541-fwb.html}, language = {English}, urldate = {2020-11-26} }
Families: Cold$eal
Yara Rules
[TLP:WHITE] win_coldseal_w0 (20201127 | A high number of delimiter strings shows that this file contains a payload encrypted using Cold$eal Project. This will hit on a lot of ransomware like Cerber, Locky, GandCrab.)
rule win_coldseal_w0 {
	meta:
		author = "mho <info@mha.bka.de>"
		description = "A high number of delimiter strings shows that this file contains a payload encrypted using Cold$eal Project. This will hit on a lot of ransomware like Cerber, Locky, GandCrab."
		note = "Usually the files are compressed with upx or pecompact when found in the wild. This rule will only work on decompressed samples or using virustotal.com retrohunt."
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.coldseal"
		malpedia_rule_date = "20201127"
		malpedia_hash = ""
		malpedia_version = "20201127"
		malpedia_license = "CC BY-SA 4.0"
		malpedia_sharing = "TLP:WHITE"

	strings:
		$delim01 = {23 23 24 2A 2D 2A 2E 3B 2E 3F}
		$delim02 = {16 89 AB A7 F2 C1 19 17 28 EC}
		$delim03 = {32 44 21 AF 7C 3F CA E5 21 69}
		$delim04 = "*)#/&*"
		$delim05 = "/)#**&"
		$delim06 = {F1 E9 AF 29 4B}
		$delim07 = {1C 56 7D 3C 64 1E 46 55 64}
		$delim08 = {A5 65 BC 92 2C}
		$delim09 = ")#&**/"
		$delim10 = "*#/*)&"
		$delim11 = {2C 59 22 CB 92 CB 92 92 2C BC A5 C6 BC A5 65 CA 56 52 A5 65}
		$delim12 = {2A 23 22 A2 A2 F2 FA 2D 62}
		$delim13 = {2A 59 22 CB 92 CB 92 92 2C BC A5 C6 BC A5 65 CA 56 52 A5 12}
		$delim14 = {13 59 22 CB 92 CB 92 92 2C BC A5 C6 BC A5 65 CA 56 52 A5 31}
		$delim15 = {46 59 22 CB 92 CB 92 92 2C BC A5 C6 BC A5 65 CA 56 52 A5 64}
		$delim16 = {85 59 22 CB 92 CB 92 92 2C BC A5 C6 BC A5 65 CA 56 52 A5 58}
		$delim17 = {77 59 22 CB 92 CB 92 92 2C BC A5 C6 BC A5 65 CA 56 52 A5 77}
		$delim18 = {12 56 9F E4 98 A8 98 65 AF C5}
		$delim19 = {4A 8E D7 1C D0 E0 D0 9D E7 FD}
		// $delim20 is byte-for-byte identical to $delim15; kept as published,
		// it does not change the rule's matching behaviour.
		$delim20 = {46 59 22 CB 92 CB 92 92 2C BC A5 C6 BC A5 65 CA 56 52 A5 64}
	condition:
		// fires when any single delimiter occurs more than 6 times in the file
		for any of ($delim*) : (# > 6)
}