Analysis
max time kernel: 12s
max time network: 15s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-08-2022 13:35
Static task: static1
Behavioral task: behavioral1
Sample: tmpCF8A.tmp.exe
Resource: win7-20220718-en (windows7-x64)
2 signatures, 150 seconds
General
Target: tmpCF8A.tmp.exe
Size: 52KB
MD5: d8e1495b46cded57eb1423b8bb789834
SHA1: db64bc20550e51c602dbb92d07c8f02842efebcc
SHA256: aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
SHA512: 8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
Malware Config
Extracted
Family: colibri
Version: 1.2.0
Botnet: Build1
C2:
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes: tmpCF8A.tmp.exe
description: PID 1216 set thread context of 2868; pid: 1216; process: tmpCF8A.tmp.exe; target process: tmpCF8A.tmp.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: tmpCF8A.tmp.exe
description: PID 1216 wrote to memory of 2868; pid: 1216; process: tmpCF8A.tmp.exe; target process: tmpCF8A.tmp.exe
description: PID 1216 wrote to memory of 2868; pid: 1216; process: tmpCF8A.tmp.exe; target process: tmpCF8A.tmp.exe
description: PID 1216 wrote to memory of 2868; pid: 1216; process: tmpCF8A.tmp.exe; target process: tmpCF8A.tmp.exe
description: PID 1216 wrote to memory of 2868; pid: 1216; process: tmpCF8A.tmp.exe; target process: tmpCF8A.tmp.exe
description: PID 1216 wrote to memory of 2868; pid: 1216; process: tmpCF8A.tmp.exe; target process: tmpCF8A.tmp.exe
description: PID 1216 wrote to memory of 2868; pid: 1216; process: tmpCF8A.tmp.exe; target process: tmpCF8A.tmp.exe
description: PID 1216 wrote to memory of 2868; pid: 1216; process: tmpCF8A.tmp.exe; target process: tmpCF8A.tmp.exe
Processes

Process tree (depth 1): C:\Users\Admin\AppData\Local\Temp\tmpCF8A.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpCF8A.tmp.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

    Child process (depth 2): C:\Users\Admin\AppData\Local\Temp\tmpCF8A.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpCF8A.tmp.exe"