colibri | 25af995a82a695829d5e73eb82d0ab9ccccae43fafd076b45625ab81d3c3bc82 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

25af995a82a695829d5e73eb82d0ab9ccccae43fafd076b45625ab81d3c3bc82
Size

718KB
Sample

220819-tsxm3sffek
MD5

247455c8833c8a11511b4437ba149778
SHA1

6831589bc510408b5d80a775f55fe1c9463f9e8e
SHA256

25af995a82a695829d5e73eb82d0ab9ccccae43fafd076b45625ab81d3c3bc82
SHA512

30e65f8b67a07f1dcc43bee23d8c54bcaccf2398f09949c0f4e97e67028cbacabb77fe6c18bac4ade7f4e61b09ab484bd654cf7dfdfbf3aedc8723fb236ee814
SSDEEP

6144:aT919/uixhUYgbHxex1nZ+yDzfsZg+7qBkOAKarUbpwJmLbOyqA4N:aT75tUN7CnZJDzfsZd7qBkOAKqUlBMpN

Score

10^/10

colibri build1 discovery loader spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

25af995a82a695829d5e73eb82d0ab9ccccae43fafd076b45625ab81d3c3bc82.exe

Resource

win10v2004-20220812-en

colibri build1 discovery loader spyware stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  25af995a82a695829d5e73eb82d0ab9ccccae43fafd076b45625ab81d3c3bc82
- Size
  
  718KB
- MD5
  
  247455c8833c8a11511b4437ba149778
- SHA1
  
  6831589bc510408b5d80a775f55fe1c9463f9e8e
- SHA256
  
  25af995a82a695829d5e73eb82d0ab9ccccae43fafd076b45625ab81d3c3bc82
- SHA512
  
  30e65f8b67a07f1dcc43bee23d8c54bcaccf2398f09949c0f4e97e67028cbacabb77fe6c18bac4ade7f4e61b09ab484bd654cf7dfdfbf3aedc8723fb236ee814
- SSDEEP
  
  6144:aT919/uixhUYgbHxex1nZ+yDzfsZg+7qBkOAKarUbpwJmLbOyqA4N:aT75tUN7CnZJDzfsZd7qBkOAKqUlBMpN
Score

10^/10

colibri build1 discovery loader spyware stealer
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

colibribuild1discoveryloaderspywarestealer

© 2018-2024

Terms | Privacy