Overview

overview

10

Static

static

cunp.exe

windows7_x64

10

cunp.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cunp.exe

  • Size

    24KB

  • Sample

    220203-rvqansade6

  • MD5

    acaf8014dacc2e49d5180b1574dba7af

  • SHA1

    be6ca826d012944c664918e8981c063f5a1c968a

  • SHA256

    1b2eaff481b083525a42635e86bbeb6ca0e7c1c9c3d880ba29754b9a2277b962

  • SHA512

    bd090fda0733743ad8c28cd8ee13b33cf69723ad5fa1e08c89636a6733afdabcb732fdf784bdcca5f15485293beb654b34a91beff54d7047befbcca25f0036f2

Score
10/10
colibritraffic_docloaderpersistencesuricata

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

traffic_doc

C2

http://188.130.139.47/gate.php

Targets

    • Target

      cunp.exe

    • Size

      24KB

    • MD5

      acaf8014dacc2e49d5180b1574dba7af

    • SHA1

      be6ca826d012944c664918e8981c063f5a1c968a

    • SHA256

      1b2eaff481b083525a42635e86bbeb6ca0e7c1c9c3d880ba29754b9a2277b962

    • SHA512

      bd090fda0733743ad8c28cd8ee13b33cf69723ad5fa1e08c89636a6733afdabcb732fdf784bdcca5f15485293beb654b34a91beff54d7047befbcca25f0036f2

    Score
    10/10
    colibritraffic_docloadersuricatapersistence

    • Colibri Loader

      A loader sold as MaaS first seen in August 2021.

      loadercolibri

    • suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

      suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

      suricata

    • suricata: ET MALWARE Generic gate .php GET with minimal headers

      suricata: ET MALWARE Generic gate .php GET with minimal headers

      suricata

    • suricata: ET MALWARE Win32/Colibri Loader Activity

      suricata: ET MALWARE Win32/Colibri Loader Activity

      suricata

    • Sets service image path in registry

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks