General

  • Target

    ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae.zip

  • Size

    63KB

  • Sample

    220706-w5rnpsfghm

  • MD5

    2390732a45bc08a270c55e6c53fc9fe9

  • SHA1

    2859b3bc82f925cb2a668e89a614c2131d597008

  • SHA256

    7513d19dab3fc25a8276ec33132b9114856e01c67c90dbd0318c7aa6dc2b3561

  • SHA512

    8fe0b188cb95819cfcc7905e93a75a66da87d289ab0a19e28e1d98092b07a1618b7858d907f20eac84c116cb47c1765e7e48baf57ab4d91fbe02e27cc33ed65b

Malware Config

Extracted

  • Family

    colibri

  • Version

    1.2.0

  • Botnet

    Build1

  • C2

    http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

    http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

    • Target

      ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae

    • Size

      124KB

    • MD5

      5a8bc676cf03b77f3d81a2907119d4d5

    • SHA1

      2114152d909c30d68af23c8526df2599c94d87cc

    • SHA256

      ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae

    • SHA512

      ee500b493c0062e69b2fa9d90ed0e5e64049aecddd37fdec19f36e6d5d8562dd6f5f2d5c32216061da640e09bf943a9f1c94777869dc7db260276becbed711db

    • Colibri Loader

      A loader sold as MaaS first seen in August 2021.

    • suricata: ET MALWARE Generic gate .php GET with minimal headers

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    • suricata: ET MALWARE Win32/Colibri Loader Activity

    • suricata: ET MALWARE Win32/Colibri Loader Activity M2

    • suricata: ET MALWARE Win32/Colibri Loader Activity M3

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic                 Technique                              Count  ID
    Execution              Scheduled Task                         1      T1053
    Persistence            Registry Run Keys / Startup Folder     1      T1060
    Persistence            Scheduled Task                         1      T1053
    Privilege Escalation   Scheduled Task                         1      T1053
    Defense Evasion        Modify Registry                        1      T1112
    Discovery              Query Registry                         1      T1012
    Discovery              System Information Discovery           2      T1082

Tasks