Overview

overview

10

Static

static

792536cb7e...2f.exe

windows7_x64

10

792536cb7e...2f.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.bin

  • Size

    425KB

  • Sample

    220524-ph5hqaabc2

  • MD5

    9e7322df010fcaf39555b79849014ff2

  • SHA1

    aa5f2d73b5dd6c0e6207b5cbb1b5d8dadff31008

  • SHA256

    792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f

  • SHA512

    97455f588328c467523c676449716e480e8638015bab280d194104da44a563d528645f7175b0a3f81d9c4cb62d7560893b143a70361a5ef3418e9bcd2e17f9a5

Score
10/10
colibribuild1loadersuricata

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

    • Target

      792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.bin

    • Size

      425KB

    • MD5

      9e7322df010fcaf39555b79849014ff2

    • SHA1

      aa5f2d73b5dd6c0e6207b5cbb1b5d8dadff31008

    • SHA256

      792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f

    • SHA512

      97455f588328c467523c676449716e480e8638015bab280d194104da44a563d528645f7175b0a3f81d9c4cb62d7560893b143a70361a5ef3418e9bcd2e17f9a5

    Score
    10/10
    colibribuild1loadersuricata

    • Colibri Loader

      A loader sold as MaaS first seen in August 2021.

      loadercolibri

    • suricata: ET MALWARE Generic gate .php GET with minimal headers

      suricata: ET MALWARE Generic gate .php GET with minimal headers

      suricata

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata

    • suricata: ET MALWARE Win32/Colibri Loader Activity

      suricata: ET MALWARE Win32/Colibri Loader Activity

      suricata

    • suricata: ET MALWARE Win32/Colibri Loader Activity M2

      suricata: ET MALWARE Win32/Colibri Loader Activity M2

      suricata

    • suricata: ET MALWARE Win32/Colibri Loader Activity M3

      suricata: ET MALWARE Win32/Colibri Loader Activity M3

      suricata

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks