colibri | 792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f

General

Target

792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe
Size

425KB
MD5

9e7322df010fcaf39555b79849014ff2
SHA1

aa5f2d73b5dd6c0e6207b5cbb1b5d8dadff31008
SHA256

792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f
SHA512

97455f588328c467523c676449716e480e8638015bab280d194104da44a563d528645f7175b0a3f81d9c4cb62d7560893b143a70361a5ef3418e9bcd2e17f9a5

Score

10^/10

colibri build1 loader suricata

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
suricata: ET MALWARE Win32/Colibri Loader Activity
suricata: ET MALWARE Win32/Colibri Loader Activity
suricata
suricata: ET MALWARE Win32/Colibri Loader Activity M2
suricata: ET MALWARE Win32/Colibri Loader Activity M2
suricata
suricata: ET MALWARE Win32/Colibri Loader Activity M3
suricata: ET MALWARE Win32/Colibri Loader Activity M3
suricata
Executes dropped EXE 2 IoCs

Processes:

tmp1DED.tmp.exedllhost.exe

pid process

1268 tmp1DED.tmp.exe
1612 dllhost.exe
Loads dropped DLL 1 IoCs

Processes:

tmp1DED.tmp.exe

pid process

1268 tmp1DED.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

988 schtasks.exe

pid	process
1268	tmp1DED.tmp.exe
1612	dllhost.exe

pid	process
1268	tmp1DED.tmp.exe

pid	process
988	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exetmp1DED.tmp.exe

description	pid	process	target process
PID 1836 wrote to memory of 1268	1836	792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe	tmp1DED.tmp.exe
PID 1836 wrote to memory of 1268	1836	792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe	tmp1DED.tmp.exe
PID 1836 wrote to memory of 1268	1836	792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe	tmp1DED.tmp.exe
PID 1836 wrote to memory of 1268	1836	792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe	tmp1DED.tmp.exe
PID 1268 wrote to memory of 988	1268	tmp1DED.tmp.exe	schtasks.exe
PID 1268 wrote to memory of 988	1268	tmp1DED.tmp.exe	schtasks.exe
PID 1268 wrote to memory of 988	1268	tmp1DED.tmp.exe	schtasks.exe
PID 1268 wrote to memory of 988	1268	tmp1DED.tmp.exe	schtasks.exe
PID 1268 wrote to memory of 1612	1268	tmp1DED.tmp.exe	dllhost.exe
PID 1268 wrote to memory of 1612	1268	tmp1DED.tmp.exe	dllhost.exe
PID 1268 wrote to memory of 1612	1268	tmp1DED.tmp.exe	dllhost.exe
PID 1268 wrote to memory of 1612	1268	tmp1DED.tmp.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe
"C:\Users\Admin\AppData\Local\Temp\792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\tmp1DED.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1DED.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\SysWOW64\schtasks.exe
    /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "C:\Users\Admin\Documents\WindowsPowerShell\dllhost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:988
- - C:\Users\Admin\Documents\WindowsPowerShell\dllhost.exe
    "C:\Users\Admin\Documents\WindowsPowerShell\dllhost.exe"
    3⤵
    - Executes dropped EXE
    PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1DED.tmp.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1DED.tmp.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\dllhost.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
\Users\Admin\Documents\WindowsPowerShell\dllhost.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
memory/988-60-0x0000000000000000-mapping.dmp

Download
memory/1268-58-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1268-56-0x0000000000000000-mapping.dmp

Download
memory/1268-63-0x0000000000860000-0x0000000000876000-memory.dmp

Filesize
88KB

Download
memory/1612-62-0x0000000000000000-mapping.dmp

Download
memory/1836-54-0x0000000000850000-0x00000000008BE000-memory.dmp

Filesize
440KB

Download
memory/1836-55-0x0000000000420000-0x000000000045E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads