colibri | 02de0efcbdd742b4f443114e6952226b2114f54e463c8aaa9b7e65459eefd739

General

Target

02de0efcbdd742b4f443114e6952226b2114f54e463c8aaa9b7e65459eefd739
Size

403KB
Sample

220704-spm4sscab2
MD5

3c282b21b232443eba0b465af7a8a304
SHA1

2b3012029a6fc35ece49ed198d50d29249dd24ad
SHA256

02de0efcbdd742b4f443114e6952226b2114f54e463c8aaa9b7e65459eefd739
SHA512

9484c17fe7c16346e6abdb685681d954ad50a8400925498aa3e3b4f17d36a9417ed6af9fdab79a047af5a9f606e6cc291513fb925fcc10a2b5e816caa63540d3

Score

10^/10

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Extracted

Family

raccoon

Botnet

4bdabb0995ee4b48db30078de2c5c206

C2

http://45.159.251.144/

rc4.plain

Extracted

Family

redline

C2

193.233.193.49:11906

Attributes

auth_value
ad5cd49e075db8527ecb265d0bf18710

Targets

- Target
  
  02de0efcbdd742b4f443114e6952226b2114f54e463c8aaa9b7e65459eefd739
- Size
  
  403KB
- MD5
  
  3c282b21b232443eba0b465af7a8a304
- SHA1
  
  2b3012029a6fc35ece49ed198d50d29249dd24ad
- SHA256
  
  02de0efcbdd742b4f443114e6952226b2114f54e463c8aaa9b7e65459eefd739
- SHA512
  
  9484c17fe7c16346e6abdb685681d954ad50a8400925498aa3e3b4f17d36a9417ed6af9fdab79a047af5a9f606e6cc291513fb925fcc10a2b5e816caa63540d3
Score

10^/10

colibri raccoon redline 4bdabb0995ee4b48db30078de2c5c206 build1 infostealer loader pyinstaller spyware stealer suricata upx
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- suricata: ET MALWARE Generic gate .php GET with minimal headers
  suricata: ET MALWARE Generic gate .php GET with minimal headers
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata
- suricata: ET MALWARE Win32/Colibri Loader Activity
  suricata: ET MALWARE Win32/Colibri Loader Activity
  suricata
- suricata: ET MALWARE Win32/Colibri Loader Activity M2
  suricata: ET MALWARE Win32/Colibri Loader Activity M2
  suricata
- suricata: ET MALWARE Win32/Colibri Loader Activity M3
  suricata: ET MALWARE Win32/Colibri Loader Activity M3
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1