colibri | 1b985ca2f29c8079d6fe60804a838989582e11724e7b1ab75f393f01b941806d

General

Target

d952bdc073ff3deb4bcc3cb96cbacd01.exe
Size

708KB
MD5

d952bdc073ff3deb4bcc3cb96cbacd01
SHA1

6d283b4acf37dcea8d9f62cf09ddf5deb5c6c5cd
SHA256

1b985ca2f29c8079d6fe60804a838989582e11724e7b1ab75f393f01b941806d
SHA512

19781a2787e53c89d7006aba1f68047fabaf74e18d13b081df18498a677d68518a62c8c41d21770999ef770a89ae88a7bdc0b8dcc197262b109b24160d974974

Score

10^/10

colibri build1 loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Executes dropped EXE 6 IoCs

Processes:

conhost.execonhost.exeGet-Variable.exeGet-Variable.exeGet-Variable.exeGet-Variable.exe

pid process

4672 conhost.exe
5024 conhost.exe
4152 Get-Variable.exe
864 Get-Variable.exe
2540 Get-Variable.exe
596 Get-Variable.exe

pid	process
4672	conhost.exe
5024	conhost.exe
4152	Get-Variable.exe
864	Get-Variable.exe
2540	Get-Variable.exe
596	Get-Variable.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

d952bdc073ff3deb4bcc3cb96cbacd01.execonhost.exeGet-Variable.exeGet-Variable.exe

description	pid	process	target process
PID 4804 set thread context of 4728	4804	d952bdc073ff3deb4bcc3cb96cbacd01.exe	d952bdc073ff3deb4bcc3cb96cbacd01.exe
PID 4672 set thread context of 5024	4672	conhost.exe	conhost.exe
PID 4152 set thread context of 864	4152	Get-Variable.exe	Get-Variable.exe
PID 2540 set thread context of 596	2540	Get-Variable.exe	Get-Variable.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2784 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4408 powershell.exe
4408 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4408 powershell.exe

pid	process
2784	schtasks.exe

pid	process
4408	powershell.exe
4408	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4408	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

d952bdc073ff3deb4bcc3cb96cbacd01.execonhost.execonhost.exeGet-Variable.exepowershell.exeGet-Variable.exe

description	pid	process	target process
PID 4804 wrote to memory of 4672	4804	d952bdc073ff3deb4bcc3cb96cbacd01.exe	conhost.exe
PID 4804 wrote to memory of 4672	4804	d952bdc073ff3deb4bcc3cb96cbacd01.exe	conhost.exe
PID 4804 wrote to memory of 4672	4804	d952bdc073ff3deb4bcc3cb96cbacd01.exe	conhost.exe
PID 4804 wrote to memory of 4728	4804	d952bdc073ff3deb4bcc3cb96cbacd01.exe	d952bdc073ff3deb4bcc3cb96cbacd01.exe
PID 4804 wrote to memory of 4728	4804	d952bdc073ff3deb4bcc3cb96cbacd01.exe	d952bdc073ff3deb4bcc3cb96cbacd01.exe
PID 4804 wrote to memory of 4728	4804	d952bdc073ff3deb4bcc3cb96cbacd01.exe	d952bdc073ff3deb4bcc3cb96cbacd01.exe
PID 4672 wrote to memory of 5024	4672	conhost.exe	conhost.exe
PID 4672 wrote to memory of 5024	4672	conhost.exe	conhost.exe
PID 4672 wrote to memory of 5024	4672	conhost.exe	conhost.exe
PID 4804 wrote to memory of 4728	4804	d952bdc073ff3deb4bcc3cb96cbacd01.exe	d952bdc073ff3deb4bcc3cb96cbacd01.exe
PID 4804 wrote to memory of 4728	4804	d952bdc073ff3deb4bcc3cb96cbacd01.exe	d952bdc073ff3deb4bcc3cb96cbacd01.exe
PID 4804 wrote to memory of 4728	4804	d952bdc073ff3deb4bcc3cb96cbacd01.exe	d952bdc073ff3deb4bcc3cb96cbacd01.exe
PID 4804 wrote to memory of 4728	4804	d952bdc073ff3deb4bcc3cb96cbacd01.exe	d952bdc073ff3deb4bcc3cb96cbacd01.exe
PID 4804 wrote to memory of 4728	4804	d952bdc073ff3deb4bcc3cb96cbacd01.exe	d952bdc073ff3deb4bcc3cb96cbacd01.exe
PID 4804 wrote to memory of 4728	4804	d952bdc073ff3deb4bcc3cb96cbacd01.exe	d952bdc073ff3deb4bcc3cb96cbacd01.exe
PID 4672 wrote to memory of 5024	4672	conhost.exe	conhost.exe
PID 4672 wrote to memory of 5024	4672	conhost.exe	conhost.exe
PID 4672 wrote to memory of 5024	4672	conhost.exe	conhost.exe
PID 4672 wrote to memory of 5024	4672	conhost.exe	conhost.exe
PID 5024 wrote to memory of 2784	5024	conhost.exe	schtasks.exe
PID 5024 wrote to memory of 2784	5024	conhost.exe	schtasks.exe
PID 5024 wrote to memory of 2784	5024	conhost.exe	schtasks.exe
PID 5024 wrote to memory of 4152	5024	conhost.exe	Get-Variable.exe
PID 5024 wrote to memory of 4152	5024	conhost.exe	Get-Variable.exe
PID 5024 wrote to memory of 4152	5024	conhost.exe	Get-Variable.exe
PID 4152 wrote to memory of 864	4152	Get-Variable.exe	Get-Variable.exe
PID 4152 wrote to memory of 864	4152	Get-Variable.exe	Get-Variable.exe
PID 4152 wrote to memory of 864	4152	Get-Variable.exe	Get-Variable.exe
PID 4152 wrote to memory of 864	4152	Get-Variable.exe	Get-Variable.exe
PID 4152 wrote to memory of 864	4152	Get-Variable.exe	Get-Variable.exe
PID 4152 wrote to memory of 864	4152	Get-Variable.exe	Get-Variable.exe
PID 4152 wrote to memory of 864	4152	Get-Variable.exe	Get-Variable.exe
PID 4408 wrote to memory of 2540	4408	powershell.exe	Get-Variable.exe
PID 4408 wrote to memory of 2540	4408	powershell.exe	Get-Variable.exe
PID 4408 wrote to memory of 2540	4408	powershell.exe	Get-Variable.exe
PID 2540 wrote to memory of 596	2540	Get-Variable.exe	Get-Variable.exe
PID 2540 wrote to memory of 596	2540	Get-Variable.exe	Get-Variable.exe
PID 2540 wrote to memory of 596	2540	Get-Variable.exe	Get-Variable.exe
PID 2540 wrote to memory of 596	2540	Get-Variable.exe	Get-Variable.exe
PID 2540 wrote to memory of 596	2540	Get-Variable.exe	Get-Variable.exe
PID 2540 wrote to memory of 596	2540	Get-Variable.exe	Get-Variable.exe
PID 2540 wrote to memory of 596	2540	Get-Variable.exe	Get-Variable.exe

C:\Users\Admin\AppData\Local\Temp\d952bdc073ff3deb4bcc3cb96cbacd01.exe
"C:\Users\Admin\AppData\Local\Temp\d952bdc073ff3deb4bcc3cb96cbacd01.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4804

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4672

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\schtasks.exe
/create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"
4⤵
- Creates scheduled task(s)
PID:2784

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
5⤵
- Executes dropped EXE
PID:864

C:\Users\Admin\AppData\Local\Temp\d952bdc073ff3deb4bcc3cb96cbacd01.exe
"C:\Users\Admin\AppData\Local\Temp\d952bdc073ff3deb4bcc3cb96cbacd01.exe"
2⤵
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4408

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe" Name host ValueOnly True
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
3⤵
- Executes dropped EXE
PID:596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\conhost.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\ProgramData\conhost.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\ProgramData\conhost.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
memory/596-159-0x0000000000000000-mapping.dmp

Download
memory/864-149-0x0000000000000000-mapping.dmp

Download
memory/2540-158-0x0000000000FC3000-0x0000000000FC9000-memory.dmp

Filesize
24KB

Download
memory/2540-156-0x0000000000000000-mapping.dmp

Download
memory/2784-144-0x0000000000000000-mapping.dmp

Download
memory/4152-145-0x0000000000000000-mapping.dmp

Download
memory/4408-152-0x000001C7727B0000-0x000001C7727D2000-memory.dmp

Filesize
136KB

Download
memory/4408-162-0x00007FF936EC0000-0x00007FF937981000-memory.dmp

Filesize
10.8MB

Download
memory/4408-155-0x000001C772DB0000-0x000001C772E26000-memory.dmp

Filesize
472KB

Download
memory/4408-154-0x000001C772CE0000-0x000001C772D24000-memory.dmp

Filesize
272KB

Download
memory/4408-153-0x00007FF936EC0000-0x00007FF937981000-memory.dmp

Filesize
10.8MB

Download
memory/4672-130-0x0000000000000000-mapping.dmp

Download
memory/4728-136-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4728-139-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4728-140-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4728-141-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4728-143-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4728-134-0x0000000000000000-mapping.dmp

Download
memory/4804-131-0x000000000091B000-0x0000000000929000-memory.dmp

Filesize
56KB

Download
memory/5024-148-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5024-135-0x0000000000000000-mapping.dmp

Download
memory/5024-137-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5024-142-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads