General

  • Target

    b2e3670b7a2ab39f8e1041e16f9625577eaca98c78885475e7980bf035b493de

  • Size

    142KB

  • Sample

    220711-lne88sfhgr

  • MD5

    3e85958b31c8c7169b58b39287a79e1e

  • SHA1

    e9d5d1b642177ef5029b30d01b613f622c45024f

  • SHA256

    1ce3f07ac872167d42f329d624182d395020bec54a3d81306f6865d5d35d2729

  • SHA512

    93c3d9a8a2da1c3ac402022a748913f395f4d27d2c008402a6f3f64a314d3b704356c4d478a8523e0c753b002935ae92e969a81f4d29e4f16f915f4611e05bb0

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Extracted

Family

redline

Botnet

@mahouny23

C2

194.36.177.26:16686

Attributes
  • auth_value

    1e6a07738976b205f98e69f03924461d

Targets

    • Target

      b2e3670b7a2ab39f8e1041e16f9625577eaca98c78885475e7980bf035b493de

    • Size

      213KB

    • MD5

      3299d71662eeafeb7edd52684d2cd389

    • SHA1

      2087919eb78e7523f6aacbed32dd3a3b2bd72e73

    • SHA256

      b2e3670b7a2ab39f8e1041e16f9625577eaca98c78885475e7980bf035b493de

    • SHA512

      3e527ce723d8e1248d835a3eb88d6c6bf2c887cb54eac2de9a0536450b289e3d405b05330854f7207f7eeb345a09d5cebda972ff2538ed5e7dcc5e2f5b81a8f6

    • Colibri Loader

      A loader sold as malware-as-a-service (MaaS), first seen in August 2021.

    • RedLine

      RedLine Stealer is an information stealer written in C#, first seen in early 2020.

    • RedLine payload

    • suricata: ET MALWARE Generic gate .php GET with minimal headers

    • suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)

    • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    • suricata: ET MALWARE Win32/Colibri Loader Activity

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
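The indicators above (two Colibri gate.php URLs and the RedLine IP:port) and the "Generic gate .php GET with minimal headers" signature name are the useful pivots for a network hunt. The script below is an added example, not part of the sandbox report or the ET ruleset: it parses raw HTTP requests, flags the extracted C2 hosts, and applies a minimal-headers heuristic for gate.php GETs (the heuristic and its header list are an assumption, not the actual ET rule body). The sample requests are constructed for illustration.

```python
"""Hunt for the C2 indicators extracted in the report above.

Added example, not code from the sandbox report. The 'minimal headers'
heuristic, EXPECTED_HEADERS and the sample requests are constructed/assumed.
"""
from urllib.parse import urlparse

# Indicators copied verbatim from the extracted configs in the report.
COLIBRI_C2 = [
    "http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php",
    "http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php",
]
REDLINE_C2 = "194.36.177.26:16686"

# Headers a normal browser sends on every GET. A gate.php beacon that omits
# most of them is what the 'minimal headers' signature name refers to.
# (Assumed heuristic; the real ET rule content is not reproduced here.)
EXPECTED_HEADERS = {"user-agent", "accept", "accept-language",
                    "accept-encoding", "connection"}
MIN_MISSING = 3  # assumed threshold for "minimal headers"


def c2_hosts():
    """Hostnames from the Colibri C2 URLs, for Host-header matching."""
    return {urlparse(u).hostname.lower() for u in COLIBRI_C2}


def parse_request(raw):
    """Split a raw HTTP/1.x request (headers only) into method, path, headers."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, path, headers


def classify(raw):
    """Return a list of reasons the request looks like loader C2 traffic."""
    method, path, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    reasons = []
    if host in c2_hosts():
        reasons.append("Host matches extracted Colibri C2")
    if method == "GET" and path.lower().endswith("/gate.php"):
        missing = EXPECTED_HEADERS - set(headers)
        if len(missing) >= MIN_MISSING:
            reasons.append(
                "gate.php GET with minimal headers (missing %s)" % sorted(missing))
    return reasons


def is_redline_c2(dst_ip, dst_port):
    """Match a flow's destination against the extracted RedLine C2 endpoint."""
    ip, port = REDLINE_C2.split(":")
    return dst_ip == ip and int(dst_port) == int(port)


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    # Looks like the loader beacon: C2 host, gate.php, almost no headers.
    "GET /gate.php HTTP/1.1\r\n"
    "Host: zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
    # Ordinary browser request to an unrelated site: should not fire.
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en-US\r\n"
    "Accept-Encoding: gzip\r\n"
    "Connection: keep-alive\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.splitlines()[0], "->", classify(req) or "clean")
    print("194.36.177.26:16686 is RedLine C2:", is_redline_c2("194.36.177.26", 16686))
```

Matching on the Host header rather than the full URL keeps the check useful after the operators rotate the path; the header heuristic is deliberately loose (three or more missing headers), so tune the threshold against your own baseline before deploying it as a rule.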

MITRE ATT&CK Matrix (ATT&CK v6)

Counts in parentheses are the number of report signatures mapped to each technique. Technique IDs follow ATT&CK v6; in later versions T1060 was replaced by T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).

  • Execution

      T1053 Scheduled Task (1)

  • Persistence

      T1060 Registry Run Keys / Startup Folder (1)
      T1053 Scheduled Task (1)

  • Privilege Escalation

      T1053 Scheduled Task (1)

  • Defense Evasion

      T1112 Modify Registry (1)

  • Discovery

      T1012 Query Registry (2)
      T1082 System Information Discovery (3)
      T1120 Peripheral Device Discovery (1)

  • Command and Control

      T1102 Web Service (1)

Tasks