colibri | aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8 | Triage

Analysis

max time kernel
12s
max time network
15s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2022 13:35

Sharing

Report Analysis Logs

General

Target

tmpCF8A.tmp.exe
Size

52KB
MD5

d8e1495b46cded57eb1423b8bb789834
SHA1

db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256

aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA512

8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Score

10^/10

colibri build1 loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmpCF8A.tmp.exe

description pid process target process

PID 1216 set thread context of 2868 1216 tmpCF8A.tmp.exe tmpCF8A.tmp.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

tmpCF8A.tmp.exe

description	pid	process	target process
PID 1216 wrote to memory of 2868	1216	tmpCF8A.tmp.exe	tmpCF8A.tmp.exe
PID 1216 wrote to memory of 2868	1216	tmpCF8A.tmp.exe	tmpCF8A.tmp.exe
PID 1216 wrote to memory of 2868	1216	tmpCF8A.tmp.exe	tmpCF8A.tmp.exe
PID 1216 wrote to memory of 2868	1216	tmpCF8A.tmp.exe	tmpCF8A.tmp.exe
PID 1216 wrote to memory of 2868	1216	tmpCF8A.tmp.exe	tmpCF8A.tmp.exe
PID 1216 wrote to memory of 2868	1216	tmpCF8A.tmp.exe	tmpCF8A.tmp.exe
PID 1216 wrote to memory of 2868	1216	tmpCF8A.tmp.exe	tmpCF8A.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmpCF8A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCF8A.tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\tmpCF8A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCF8A.tmp.exe"
2⤵
PID:2868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2868-130-0x0000000000000000-mapping.dmp

Download
memory/2868-131-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2868-132-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download