Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c0547a90e3e92980063148483a4328fb4468772dceb991bb736f9415d700f444

  • Size

    403KB

  • Sample

    220704-kd8blaffgk

  • MD5

    b632a2ff24dcd66cc1afda79141ef2bd

  • SHA1

    aaa67ac3f1c079fc81c420cda317f5ceb341829e

  • SHA256

    c0547a90e3e92980063148483a4328fb4468772dceb991bb736f9415d700f444

  • SHA512

    c6033ae535289662313aa8067b7cdba7ac99ade925d8407b01e3c33ce6a4b0429af753b9c56405e5494f80cf85611c0f2319324a14a2d23508c92d846dea4933

Score
10/10
colibribuild1loaderpyinstallersuricataupx

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

    • Target

      c0547a90e3e92980063148483a4328fb4468772dceb991bb736f9415d700f444

    • Size

      403KB

    • MD5

      b632a2ff24dcd66cc1afda79141ef2bd

    • SHA1

      aaa67ac3f1c079fc81c420cda317f5ceb341829e

    • SHA256

      c0547a90e3e92980063148483a4328fb4468772dceb991bb736f9415d700f444

    • SHA512

      c6033ae535289662313aa8067b7cdba7ac99ade925d8407b01e3c33ce6a4b0429af753b9c56405e5494f80cf85611c0f2319324a14a2d23508c92d846dea4933

    Score
    10/10
    colibribuild1loaderpyinstallersuricataupx

    • Colibri Loader

      A loader sold as MaaS first seen in August 2021.

      loadercolibri

    • suricata: ET MALWARE Generic gate .php GET with minimal headers

      suricata: ET MALWARE Generic gate .php GET with minimal headers

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata

    • suricata: ET MALWARE Win32/Colibri Loader Activity

      suricata: ET MALWARE Win32/Colibri Loader Activity

      suricata

    • suricata: ET MALWARE Win32/Colibri Loader Activity M2

      suricata: ET MALWARE Win32/Colibri Loader Activity M2

      suricata

    • suricata: ET MALWARE Win32/Colibri Loader Activity M3

      suricata: ET MALWARE Win32/Colibri Loader Activity M3

      suricata

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks