colibri | 35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211

General

Target

35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe
Size

447KB
MD5

e85af8c3447525f61e1f6c04e6bef2b4
SHA1

18c53278eeff39b7cb8b491a9f83c8805d06f78e
SHA256

35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211
SHA512

7c380b2b49ff1d132976cb17fcfb45c21cef1c2bbc004d996e0bbd08316230e898e3112895a7c96d4a212a832dcd288cf1d54c120c8e7c6bacaff2872d3efdec

Score

10^/10

colibri build1 loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Executes dropped EXE 1 IoCs

Processes:

tmp8300.tmp.exe

pid process

3604 tmp8300.tmp.exe

pid	process
3604	tmp8300.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe

description	pid	process	target process
PID 1964 wrote to memory of 3604	1964	35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe	tmp8300.tmp.exe
PID 1964 wrote to memory of 3604	1964	35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe	tmp8300.tmp.exe
PID 1964 wrote to memory of 3604	1964	35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe	tmp8300.tmp.exe

C:\Users\Admin\AppData\Local\Temp\35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe
"C:\Users\Admin\AppData\Local\Temp\35cc13b7eb863c2affc3a0f4ace204049f587291607ee56eea46d306eebc6211.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\tmp8300.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8300.tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:3604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8300.tmp.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8300.tmp.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
memory/1964-130-0x0000000000560000-0x00000000005D2000-memory.dmp

Filesize
456KB

Download
memory/1964-131-0x00007FFCB0BC0000-0x00007FFCB1681000-memory.dmp

Filesize
10.8MB

Download
memory/1964-135-0x000000001DE20000-0x000000001DF2A000-memory.dmp

Filesize
1.0MB

Download
memory/1964-136-0x000000001BC90000-0x000000001BCA2000-memory.dmp

Filesize
72KB

Download
memory/1964-137-0x000000001DD10000-0x000000001DD4C000-memory.dmp

Filesize
240KB

Download
memory/3604-132-0x0000000000000000-mapping.dmp

Download
memory/3604-138-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing