colibri | 0497063674da72a2e9db4eb046e5336b620fea9e5a595a6ed6f3e4d99270fb0d

General

Target

0497063674da72a2e9db4eb046e5336b620fea9e5a595a6ed6f3e4d99270fb0d
Size

403KB
Sample

220704-x63b9schc6
MD5

fc0c618ddea6e0917fb59f06a9c51446
SHA1

cee03e6f2ff15110fafda6a7ddf614347dae5d9f
SHA256

0497063674da72a2e9db4eb046e5336b620fea9e5a595a6ed6f3e4d99270fb0d
SHA512

35d6ff2f4e80150fc9becc2f81121d31875f9c663aeaa6784801c8b7ee185e755689ddcde27784d97a9507ce66b44908244c3b0f563b546088e3dc555bf5e338

Score

10^/10

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Extracted

Family

raccoon

Botnet

4bdabb0995ee4b48db30078de2c5c206

C2

http://45.159.251.144/

rc4.plain

Extracted

Family

redline

C2

193.233.193.49:11906

Attributes

auth_value
ad5cd49e075db8527ecb265d0bf18710

Targets

- Target
  
  0497063674da72a2e9db4eb046e5336b620fea9e5a595a6ed6f3e4d99270fb0d
- Size
  
  403KB
- MD5
  
  fc0c618ddea6e0917fb59f06a9c51446
- SHA1
  
  cee03e6f2ff15110fafda6a7ddf614347dae5d9f
- SHA256
  
  0497063674da72a2e9db4eb046e5336b620fea9e5a595a6ed6f3e4d99270fb0d
- SHA512
  
  35d6ff2f4e80150fc9becc2f81121d31875f9c663aeaa6784801c8b7ee185e755689ddcde27784d97a9507ce66b44908244c3b0f563b546088e3dc555bf5e338
Score

10^/10

colibri raccoon redline 4bdabb0995ee4b48db30078de2c5c206 build1 infostealer loader persistence pyinstaller spyware stealer suricata upx
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- suricata: ET MALWARE Generic gate .php GET with minimal headers
  suricata: ET MALWARE Generic gate .php GET with minimal headers
  suricata
- suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata
- suricata: ET MALWARE Win32/Colibri Loader Activity
  suricata: ET MALWARE Win32/Colibri Loader Activity
  suricata
- suricata: ET MALWARE Win32/Colibri Loader Activity M2
  suricata: ET MALWARE Win32/Colibri Loader Activity M2
  suricata
- suricata: ET MALWARE Win32/Colibri Loader Activity M3
  suricata: ET MALWARE Win32/Colibri Loader Activity M3
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1