General

  • Target

    ExpressVPN_setup.exe

  • Size

    2.3MB

  • Sample

    220819-yef6dshfgm

  • MD5

    b8a48ef181d65145334e2ff0e0d3fbf6

  • SHA1

    53263570e35e8d528c4f56073dc2ba6e9a97819c

  • SHA256

    9cb9bb13a44968f6b919829342f692d27d45b66cc1e0108a072d7ba3d940fe1a

  • SHA512

    fc5a22ba1cc008132ef3ecd16119896477057a174b002da01fa28b246396fb2b372d1cf768fee6a8c799413762d476d01139f340a2b3e8336364d758cf482b19

  • SSDEEP

    49152:SkkzqgxeGbknWS8+VIBixnz2fZUH+sfFxbQ9oOnfzerEm4WM/o:SkklMWS8+VWIzQZ8+sfDYtfzeT4WMA

Malware Config

Extracted

  • Family

    colibri

  • Version

    1.2.0

  • Botnet

    Build1

  • C2

    http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

    http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

    • Target

      ExpressVPN_setup.exe

    • Size

      2.3MB

    • MD5

      b8a48ef181d65145334e2ff0e0d3fbf6

    • SHA1

      53263570e35e8d528c4f56073dc2ba6e9a97819c

    • SHA256

      9cb9bb13a44968f6b919829342f692d27d45b66cc1e0108a072d7ba3d940fe1a

    • SHA512

      fc5a22ba1cc008132ef3ecd16119896477057a174b002da01fa28b246396fb2b372d1cf768fee6a8c799413762d476d01139f340a2b3e8336364d758cf482b19

    • SSDEEP

      49152:SkkzqgxeGbknWS8+VIBixnz2fZUH+sfFxbQ9oOnfzerEm4WM/o:SkklMWS8+VWIzQZ8+sfDYtfzeT4WMA

    • Colibri Loader

      A loader sold as MaaS first seen in August 2021.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scripting (1) T1064

    Scheduled Task (1) T1053

  • Persistence

    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Defense Evasion

    Scripting (1) T1064

  • Discovery

    Query Registry (1) T1012

    System Information Discovery (2) T1082

Tasks