colibri | a5f5bbe8fe2353733e90cd91c04a5c3ac111881daa1f5a9372728821f320845c | Triage

Submit
Reports

Overview

overview

Static

static

8610040371...b7.exe

windows7-x64

8610040371...b7.exe

windows10-2004-x64

Sharing

General

Target

7746816161.zip
Size

714KB
Sample

220725-m779sshde8
MD5

54355987deaceb73bed99f1122fc582f
SHA1

a292b1323549a8a65ab0ee0cc71bf4db698828ad
SHA256

a5f5bbe8fe2353733e90cd91c04a5c3ac111881daa1f5a9372728821f320845c
SHA512

893f47d76b4c7db03c4d9bc7092ff50322376dfe9178567efe44115c68531c48af7db10528330a7a271167778a1021a82a641c9c98ac4bbd16bd2046ed76b846

Score

10^/10

colibri redline @ternetyfpl build1 infostealer loader spyware

Static task

static1

Behavioral task

behavioral1

Sample

86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe

Resource

win7-20220715-en

redline @ternetyfpl infostealer spyware

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe

Resource

win10v2004-20220721-en

colibri redline @ternetyfpl build1 infostealer loader spyware

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

@ternetyFPL

C2

62.204.41.144:14096

Attributes

auth_value
449f565b5fc3449e1b02eaa2fe5a56dd

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7
- Size
  
  2.5MB
- MD5
  
  d5646c90a8af09a6e669a8e471005bbd
- SHA1
  
  526b70c4b3762c8983e8bb19b57ada1f75c52b19
- SHA256
  
  86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7
- SHA512
  
  4d948f4923877f29fe64991c90ea3a6c08473bc61cb6573151039e12a52f7a70d4e721c3888985df6d90cdeeb093cc36074d68597448d00e37f9f011af07645e
Score

10^/10

redline @ternetyfpl infostealer spyware colibri build1 loader
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redline@ternetyfplinfostealerspyware

behavioral2

colibriredline@ternetyfplbuild1infostealerloaderspyware

© 2018-2024

Terms | Privacy