colibri | 35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211

General

Target

35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe
Size

447KB
MD5

e85af8c3447525f61e1f6c04e6bef2b4
SHA1

18c53278eeff39b7cb8b491a9f83c8805d06f78e
SHA256

35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211
SHA512

7c380b2b49ff1d132976cb17fcfb45c21cef1c2bbc004d996e0bbd08316230e898e3112895a7c96d4a212a832dcd288cf1d54c120c8e7c6bacaff2872d3efdec

Score

10^/10

colibri build1 loader suricata

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
suricata: ET MALWARE Win32/Colibri Loader Activity
suricata: ET MALWARE Win32/Colibri Loader Activity
suricata
suricata: ET MALWARE Win32/Colibri Loader Activity M2
suricata: ET MALWARE Win32/Colibri Loader Activity M2
suricata
suricata: ET MALWARE Win32/Colibri Loader Activity M3
suricata: ET MALWARE Win32/Colibri Loader Activity M3
suricata
Executes dropped EXE 4 IoCs

Processes:

tmp94A2.tmp.exedllhost.exedllhost.exedllhost.exe

pid process

1984 tmp94A2.tmp.exe
620 dllhost.exe
2012 dllhost.exe
1592 dllhost.exe
Loads dropped DLL 1 IoCs

Processes:

tmp94A2.tmp.exe

pid process

1984 tmp94A2.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

364 schtasks.exe

pid	process
1984	tmp94A2.tmp.exe
620	dllhost.exe
2012	dllhost.exe
1592	dllhost.exe

pid	process
1984	tmp94A2.tmp.exe

pid	process
364	schtasks.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exetmp94A2.tmp.exetaskeng.exe

description	pid	process	target process
PID 1944 wrote to memory of 1984	1944	35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe	tmp94A2.tmp.exe
PID 1944 wrote to memory of 1984	1944	35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe	tmp94A2.tmp.exe
PID 1944 wrote to memory of 1984	1944	35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe	tmp94A2.tmp.exe
PID 1944 wrote to memory of 1984	1944	35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe	tmp94A2.tmp.exe
PID 1984 wrote to memory of 364	1984	tmp94A2.tmp.exe	schtasks.exe
PID 1984 wrote to memory of 364	1984	tmp94A2.tmp.exe	schtasks.exe
PID 1984 wrote to memory of 364	1984	tmp94A2.tmp.exe	schtasks.exe
PID 1984 wrote to memory of 364	1984	tmp94A2.tmp.exe	schtasks.exe
PID 1984 wrote to memory of 620	1984	tmp94A2.tmp.exe	dllhost.exe
PID 1984 wrote to memory of 620	1984	tmp94A2.tmp.exe	dllhost.exe
PID 1984 wrote to memory of 620	1984	tmp94A2.tmp.exe	dllhost.exe
PID 1984 wrote to memory of 620	1984	tmp94A2.tmp.exe	dllhost.exe
PID 1732 wrote to memory of 2012	1732	taskeng.exe	dllhost.exe
PID 1732 wrote to memory of 2012	1732	taskeng.exe	dllhost.exe
PID 1732 wrote to memory of 2012	1732	taskeng.exe	dllhost.exe
PID 1732 wrote to memory of 2012	1732	taskeng.exe	dllhost.exe
PID 1732 wrote to memory of 1592	1732	taskeng.exe	dllhost.exe
PID 1732 wrote to memory of 1592	1732	taskeng.exe	dllhost.exe
PID 1732 wrote to memory of 1592	1732	taskeng.exe	dllhost.exe
PID 1732 wrote to memory of 1592	1732	taskeng.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe
"C:\Users\Admin\AppData\Local\Temp\35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\tmp94A2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp94A2.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\schtasks.exe
    /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "C:\Users\Admin\Documents\WindowsPowerShell\dllhost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:364
- - C:\Users\Admin\Documents\WindowsPowerShell\dllhost.exe
    "C:\Users\Admin\Documents\WindowsPowerShell\dllhost.exe"
    3⤵
    - Executes dropped EXE
    PID:620

C:\Windows\system32\taskeng.exe
taskeng.exe {2E4AACF8-B3CD-4B50-B405-ACAC3DA9D60A} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\Documents\WindowsPowerShell\dllhost.exe
  C:\Users\Admin\Documents\WindowsPowerShell\dllhost.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Users\Admin\Documents\WindowsPowerShell\dllhost.exe
  C:\Users\Admin\Documents\WindowsPowerShell\dllhost.exe
  2⤵
  - Executes dropped EXE
  PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp94A2.tmp.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp94A2.tmp.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\dllhost.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\dllhost.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\dllhost.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
\Users\Admin\Documents\WindowsPowerShell\dllhost.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
memory/364-60-0x0000000000000000-mapping.dmp

Download
memory/620-62-0x0000000000000000-mapping.dmp

Download
memory/1592-70-0x0000000000000000-mapping.dmp

Download
memory/1944-54-0x0000000000A50000-0x0000000000AC2000-memory.dmp

Filesize
456KB

Download
memory/1944-55-0x0000000000420000-0x0000000000458000-memory.dmp

Filesize
224KB

Download
memory/1984-64-0x0000000000110000-0x0000000000126000-memory.dmp

Filesize
88KB

Download
memory/1984-58-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download
memory/1984-56-0x0000000000000000-mapping.dmp

Download
memory/2012-66-0x0000000000000000-mapping.dmp

Download
memory/2012-69-0x0000000000EC0000-0x0000000000ED6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads