colibri | c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74 | Triage

Sharing

General

Target

file.exe
Size

579KB
Sample

220829-2ssywshcd9
MD5

a1812daa569e712fc42759a6cf38b2f3
SHA1

b769a3eaafef5be2ba76aaf07d086a113456366a
SHA256

c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74
SHA512

adb06797bad3ea9fc34649e884b6d5477b31ef2026242019052b9924d86cf39320bb0471afc0f9ec9cfceeaf5bbc0febc28b11b4fa06f25e1d0e067105b5f5ee
SSDEEP

6144:32rLzbzbZct2dTJs4vhjhxr+SGc3Wd1dsuv:3inzVctadvhjhxaSHWdIuv

Score

10^/10

colibri build1 loader miner persistence

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  file.exe
- Size
  
  579KB
- MD5
  
  a1812daa569e712fc42759a6cf38b2f3
- SHA1
  
  b769a3eaafef5be2ba76aaf07d086a113456366a
- SHA256
  
  c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74
- SHA512
  
  adb06797bad3ea9fc34649e884b6d5477b31ef2026242019052b9924d86cf39320bb0471afc0f9ec9cfceeaf5bbc0febc28b11b4fa06f25e1d0e067105b5f5ee
- SSDEEP
  
  6144:32rLzbzbZct2dTJs4vhjhxr+SGc3Wd1dsuv:3inzVctadvhjhxaSHWdIuv
Score

10^/10

colibri build1 loader miner persistence
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Detectes Phoenix Miner Payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

colibribuild1loaderminerpersistence