General
Target: c0547a90e3e92980063148483a4328fb4468772dceb991bb736f9415d700f444
Size: 403KB
Sample: 220704-kd8blaffgk
MD5: b632a2ff24dcd66cc1afda79141ef2bd
SHA1: aaa67ac3f1c079fc81c420cda317f5ceb341829e
SHA256: c0547a90e3e92980063148483a4328fb4468772dceb991bb736f9415d700f444
SHA512: c6033ae535289662313aa8067b7cdba7ac99ade925d8407b01e3c33ce6a4b0429af753b9c56405e5494f80cf85611c0f2319324a14a2d23508c92d846dea4933
Static task: static1
Malware Config
Extracted: colibri 1.2.0 Build1
C2 URLs:
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Targets
Target: c0547a90e3e92980063148483a4328fb4468772dceb991bb736f9415d700f444
Size: 403KB
MD5: b632a2ff24dcd66cc1afda79141ef2bd
SHA1: aaa67ac3f1c079fc81c420cda317f5ceb341829e
SHA256: c0547a90e3e92980063148483a4328fb4468772dceb991bb736f9415d700f444
SHA512: c6033ae535289662313aa8067b7cdba7ac99ade925d8407b01e3c33ce6a4b0429af753b9c56405e5494f80cf85611c0f2319324a14a2d23508c92d846dea4933
Suricata signatures
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Win32/Colibri Loader Activity
suricata: ET MALWARE Win32/Colibri Loader Activity M2
suricata: ET MALWARE Win32/Colibri Loader Activity M3
Behavioral signatures
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.