General

  • Target

    35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.bin

  • Size

    447KB

  • Sample

    220524-ph3n5aabb6

  • MD5

    e85af8c3447525f61e1f6c04e6bef2b4

  • SHA1

    18c53278eeff39b7cb8b491a9f83c8805d06f78e

  • SHA256

    35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211

  • SHA512

    7c380b2b49ff1d132976cb17fcfb45c21cef1c2bbc004d996e0bbd08316230e898e3112895a7c96d4a212a832dcd288cf1d54c120c8e7c6bacaff2872d3efdec

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

    • Target

      35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.bin

    • Size

      447KB

    • MD5

      e85af8c3447525f61e1f6c04e6bef2b4

    • SHA1

      18c53278eeff39b7cb8b491a9f83c8805d06f78e

    • SHA256

      35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211

    • SHA512

      7c380b2b49ff1d132976cb17fcfb45c21cef1c2bbc004d996e0bbd08316230e898e3112895a7c96d4a212a832dcd288cf1d54c120c8e7c6bacaff2872d3efdec

    • Colibri Loader

      A loader sold as MaaS first seen in August 2021.

    • suricata: ET MALWARE Generic gate .php GET with minimal headers

      suricata: ET MALWARE Generic gate .php GET with minimal headers

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    • suricata: ET MALWARE Win32/Colibri Loader Activity

      suricata: ET MALWARE Win32/Colibri Loader Activity

    • suricata: ET MALWARE Win32/Colibri Loader Activity M2

      suricata: ET MALWARE Win32/Colibri Loader Activity M2

    • suricata: ET MALWARE Win32/Colibri Loader Activity M3

      suricata: ET MALWARE Win32/Colibri Loader Activity M3

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks