colibri | 0c30a372c59133044f5e0c6c7a4779515f64b2a3f03c0ee66549c3216873a1dd | Triage

Submit
Reports

Overview

overview

Static

static

GrandTheft...at.exe

windows7-x64

GrandTheft...at.exe

windows10-2004-x64

Sharing

General

Target

GrandTheftAutoVcheat.exe
Size

421KB
Sample

220811-thcj6ahchm
MD5

58fc3bb157e30334818c6f8a184ed14a
SHA1

e89d26ebdd8585840094db45d60968455bcfd822
SHA256

0c30a372c59133044f5e0c6c7a4779515f64b2a3f03c0ee66549c3216873a1dd
SHA512

91a4cfe6cbab2db859eec1c0e24da16c77d88d17d9355ada82ab4728cd7b522387c864a6c379313f75f1334d4e78322cc7808d25703f3c72bcc74e56438ad895

Score

10^/10

colibri redline @foruman build1 discovery infostealer loader spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

GrandTheftAutoVcheat.exe

Resource

win7-20220718-en

redline @foruman discovery infostealer spyware stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

GrandTheftAutoVcheat.exe

Resource

win10v2004-20220722-en

colibri build1 discovery loader spyware stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

@foruman

C2

185.106.92.226:40788

Attributes

auth_value
bd15c39173a26033961a0c806b2b4684

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  GrandTheftAutoVcheat.exe
- Size
  
  421KB
- MD5
  
  58fc3bb157e30334818c6f8a184ed14a
- SHA1
  
  e89d26ebdd8585840094db45d60968455bcfd822
- SHA256
  
  0c30a372c59133044f5e0c6c7a4779515f64b2a3f03c0ee66549c3216873a1dd
- SHA512
  
  91a4cfe6cbab2db859eec1c0e24da16c77d88d17d9355ada82ab4728cd7b522387c864a6c379313f75f1334d4e78322cc7808d25703f3c72bcc74e56438ad895
Score

10^/10

redline @foruman discovery infostealer spyware stealer colibri build1 loader
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redline@forumandiscoveryinfostealerspywarestealer

behavioral2

colibribuild1discoveryloaderspywarestealer

© 2018-2024

Terms | Privacy