colibri | 1c097578d9587bd8a233bd383ec71123b03c75b582dcc7e8f5c085e05d32cd3d

General

Target

0f825e504d181de431550ae732e1bc49.exe
Size

399KB
MD5

0f825e504d181de431550ae732e1bc49
SHA1

829eee9072fec9a8cd750add714b3fde39c4034b
SHA256

1c097578d9587bd8a233bd383ec71123b03c75b582dcc7e8f5c085e05d32cd3d
SHA512

f516b5a6987fcc36bdec18590a2cb8d563afe0bdf20ad641a72a98eb21051a7e62d698000606807dbcd335f1edf0843a0885444bb891068d360bc5ce44cd5ca3

Score

10^/10

colibri build1 discovery loader spyware stealer

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Executes dropped EXE 6 IoCs

Processes:

tmp75A2.tmp.exetmp75A2.tmp.exeGet-Variable.exeGet-Variable.exeGet-Variable.exeGet-Variable.exe

pid process

4912 tmp75A2.tmp.exe
5028 tmp75A2.tmp.exe
4864 Get-Variable.exe
1828 Get-Variable.exe
3000 Get-Variable.exe
4728 Get-Variable.exe

pid	process
4912	tmp75A2.tmp.exe
5028	tmp75A2.tmp.exe
4864	Get-Variable.exe
1828	Get-Variable.exe
3000	Get-Variable.exe
4728	Get-Variable.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0f825e504d181de431550ae732e1bc49.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	0f825e504d181de431550ae732e1bc49.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp75A2.tmp.exeGet-Variable.exeGet-Variable.exe

description	pid	process	target process
PID 4912 set thread context of 5028	4912	tmp75A2.tmp.exe	tmp75A2.tmp.exe
PID 4864 set thread context of 1828	4864	Get-Variable.exe	Get-Variable.exe
PID 3000 set thread context of 4728	3000	Get-Variable.exe	Get-Variable.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5012 schtasks.exe

pid	process
5012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0f825e504d181de431550ae732e1bc49.exe

pid	process
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe
3380	0f825e504d181de431550ae732e1bc49.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0f825e504d181de431550ae732e1bc49.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3380 0f825e504d181de431550ae732e1bc49.exe
Token: SeDebugPrivilege 4324 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3380	0f825e504d181de431550ae732e1bc49.exe
Token: SeDebugPrivilege	4324	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

0f825e504d181de431550ae732e1bc49.exetmp75A2.tmp.exetmp75A2.tmp.exeGet-Variable.exepowershell.exeGet-Variable.exe

description	pid	process	target process
PID 3380 wrote to memory of 4912	3380	0f825e504d181de431550ae732e1bc49.exe	tmp75A2.tmp.exe
PID 3380 wrote to memory of 4912	3380	0f825e504d181de431550ae732e1bc49.exe	tmp75A2.tmp.exe
PID 3380 wrote to memory of 4912	3380	0f825e504d181de431550ae732e1bc49.exe	tmp75A2.tmp.exe
PID 4912 wrote to memory of 5028	4912	tmp75A2.tmp.exe	tmp75A2.tmp.exe
PID 4912 wrote to memory of 5028	4912	tmp75A2.tmp.exe	tmp75A2.tmp.exe
PID 4912 wrote to memory of 5028	4912	tmp75A2.tmp.exe	tmp75A2.tmp.exe
PID 4912 wrote to memory of 5028	4912	tmp75A2.tmp.exe	tmp75A2.tmp.exe
PID 4912 wrote to memory of 5028	4912	tmp75A2.tmp.exe	tmp75A2.tmp.exe
PID 4912 wrote to memory of 5028	4912	tmp75A2.tmp.exe	tmp75A2.tmp.exe
PID 4912 wrote to memory of 5028	4912	tmp75A2.tmp.exe	tmp75A2.tmp.exe
PID 5028 wrote to memory of 5012	5028	tmp75A2.tmp.exe	schtasks.exe
PID 5028 wrote to memory of 5012	5028	tmp75A2.tmp.exe	schtasks.exe
PID 5028 wrote to memory of 5012	5028	tmp75A2.tmp.exe	schtasks.exe
PID 5028 wrote to memory of 4864	5028	tmp75A2.tmp.exe	Get-Variable.exe
PID 5028 wrote to memory of 4864	5028	tmp75A2.tmp.exe	Get-Variable.exe
PID 5028 wrote to memory of 4864	5028	tmp75A2.tmp.exe	Get-Variable.exe
PID 4864 wrote to memory of 1828	4864	Get-Variable.exe	Get-Variable.exe
PID 4864 wrote to memory of 1828	4864	Get-Variable.exe	Get-Variable.exe
PID 4864 wrote to memory of 1828	4864	Get-Variable.exe	Get-Variable.exe
PID 4864 wrote to memory of 1828	4864	Get-Variable.exe	Get-Variable.exe
PID 4864 wrote to memory of 1828	4864	Get-Variable.exe	Get-Variable.exe
PID 4864 wrote to memory of 1828	4864	Get-Variable.exe	Get-Variable.exe
PID 4864 wrote to memory of 1828	4864	Get-Variable.exe	Get-Variable.exe
PID 4324 wrote to memory of 3000	4324	powershell.exe	Get-Variable.exe
PID 4324 wrote to memory of 3000	4324	powershell.exe	Get-Variable.exe
PID 4324 wrote to memory of 3000	4324	powershell.exe	Get-Variable.exe
PID 3000 wrote to memory of 4728	3000	Get-Variable.exe	Get-Variable.exe
PID 3000 wrote to memory of 4728	3000	Get-Variable.exe	Get-Variable.exe
PID 3000 wrote to memory of 4728	3000	Get-Variable.exe	Get-Variable.exe
PID 3000 wrote to memory of 4728	3000	Get-Variable.exe	Get-Variable.exe
PID 3000 wrote to memory of 4728	3000	Get-Variable.exe	Get-Variable.exe
PID 3000 wrote to memory of 4728	3000	Get-Variable.exe	Get-Variable.exe
PID 3000 wrote to memory of 4728	3000	Get-Variable.exe	Get-Variable.exe

C:\Users\Admin\AppData\Local\Temp\0f825e504d181de431550ae732e1bc49.exe
"C:\Users\Admin\AppData\Local\Temp\0f825e504d181de431550ae732e1bc49.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380

C:\Users\Admin\AppData\Local\Temp\tmp75A2.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp75A2.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4912

C:\Users\Admin\AppData\Local\Temp\tmp75A2.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp75A2.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\schtasks.exe
/create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"
4⤵
- Creates scheduled task(s)
PID:5012

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
5⤵
- Executes dropped EXE
PID:1828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe" Name host ValueOnly True
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
3⤵
- Executes dropped EXE
PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp75A2.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp75A2.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp75A2.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
memory/1828-148-0x0000000000000000-mapping.dmp

Download
memory/3000-157-0x0000000000000000-mapping.dmp

Download
memory/3000-159-0x0000000000B23000-0x0000000000B29000-memory.dmp

Filesize
24KB

Download
memory/3380-139-0x000000001F2A0000-0x000000001F3AA000-memory.dmp

Filesize
1.0MB

Download
memory/3380-143-0x00007FFBB0810000-0x00007FFBB12D1000-memory.dmp

Filesize
10.8MB

Download
memory/3380-154-0x000000001F160000-0x000000001F1B0000-memory.dmp

Filesize
320KB

Download
memory/3380-141-0x000000001F220000-0x000000001F25C000-memory.dmp

Filesize
240KB

Download
memory/3380-130-0x0000000000EF0000-0x0000000000F56000-memory.dmp

Filesize
408KB

Download
memory/3380-140-0x000000001F1C0000-0x000000001F1D2000-memory.dmp

Filesize
72KB

Download
memory/3380-166-0x00007FFBB0810000-0x00007FFBB12D1000-memory.dmp

Filesize
10.8MB

Download
memory/3380-131-0x00007FFBB0810000-0x00007FFBB12D1000-memory.dmp

Filesize
10.8MB

Download
memory/3380-165-0x0000000020740000-0x0000000020C68000-memory.dmp

Filesize
5.2MB

Download
memory/3380-164-0x0000000020040000-0x0000000020202000-memory.dmp

Filesize
1.8MB

Download
memory/3380-152-0x000000001CC00000-0x000000001CC76000-memory.dmp

Filesize
472KB

Download
memory/3380-153-0x000000001CBA0000-0x000000001CBBE000-memory.dmp

Filesize
120KB

Download
memory/4324-155-0x000001A73F210000-0x000001A73F232000-memory.dmp

Filesize
136KB

Download
memory/4324-163-0x00007FFBB0810000-0x00007FFBB12D1000-memory.dmp

Filesize
10.8MB

Download
memory/4324-156-0x000001A7401B0000-0x000001A7401F4000-memory.dmp

Filesize
272KB

Download
memory/4324-167-0x00007FFBB0810000-0x00007FFBB12D1000-memory.dmp

Filesize
10.8MB

Download
memory/4728-160-0x0000000000000000-mapping.dmp

Download
memory/4864-145-0x0000000000000000-mapping.dmp

Download
memory/4912-132-0x0000000000000000-mapping.dmp

Download
memory/4912-135-0x00000000004C2000-0x00000000004C8000-memory.dmp

Filesize
24KB

Download
memory/5012-144-0x0000000000000000-mapping.dmp

Download
memory/5028-136-0x0000000000000000-mapping.dmp

Download
memory/5028-142-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5028-151-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5028-137-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads