colibri | c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74

General

Target

c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe
Size

579KB
MD5

a1812daa569e712fc42759a6cf38b2f3
SHA1

b769a3eaafef5be2ba76aaf07d086a113456366a
SHA256

c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74
SHA512

adb06797bad3ea9fc34649e884b6d5477b31ef2026242019052b9924d86cf39320bb0471afc0f9ec9cfceeaf5bbc0febc28b11b4fa06f25e1d0e067105b5f5ee
SSDEEP

6144:32rLzbzbZct2dTJs4vhjhxr+SGc3Wd1dsuv:3inzVctadvhjhxaSHWdIuv

Score

10^/10

colibri build1 loader miner persistence

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Detectes Phoenix Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

conhost.execonhost.exemsedge.exesvchost.exe

pid process

2400 conhost.exe
2332 conhost.exe
4896 msedge.exe
1952 svchost.exe

pid	process
2400	conhost.exe
2332	conhost.exe
4896	msedge.exe
1952	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSEdge = "C:\\Users\\Admin\\AppData\\Roaming\\MSEdge\\msedge.exe"	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

svchost.exe

pid process

1952 svchost.exe
1952 svchost.exe

pid	process
1952	svchost.exe
1952	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.execonhost.exe

description	pid	process	target process
PID 1268 set thread context of 1328	1268	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe
PID 2400 set thread context of 2332	2400	conhost.exe	conhost.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.execonhost.exec3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.execmd.exemsedge.exe

description	pid	process	target process
PID 1268 wrote to memory of 2400	1268	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	conhost.exe
PID 1268 wrote to memory of 2400	1268	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	conhost.exe
PID 1268 wrote to memory of 2400	1268	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	conhost.exe
PID 1268 wrote to memory of 1328	1268	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe
PID 1268 wrote to memory of 1328	1268	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe
PID 1268 wrote to memory of 1328	1268	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe
PID 1268 wrote to memory of 1328	1268	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe
PID 1268 wrote to memory of 1328	1268	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe
PID 1268 wrote to memory of 1328	1268	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe
PID 1268 wrote to memory of 1328	1268	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe
PID 1268 wrote to memory of 1328	1268	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe
PID 1268 wrote to memory of 1328	1268	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe
PID 2400 wrote to memory of 2332	2400	conhost.exe	conhost.exe
PID 2400 wrote to memory of 2332	2400	conhost.exe	conhost.exe
PID 2400 wrote to memory of 2332	2400	conhost.exe	conhost.exe
PID 2400 wrote to memory of 2332	2400	conhost.exe	conhost.exe
PID 2400 wrote to memory of 2332	2400	conhost.exe	conhost.exe
PID 2400 wrote to memory of 2332	2400	conhost.exe	conhost.exe
PID 2400 wrote to memory of 2332	2400	conhost.exe	conhost.exe
PID 1328 wrote to memory of 4884	1328	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	cmd.exe
PID 1328 wrote to memory of 4884	1328	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	cmd.exe
PID 1328 wrote to memory of 4884	1328	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe	cmd.exe
PID 4884 wrote to memory of 4896	4884	cmd.exe	msedge.exe
PID 4884 wrote to memory of 4896	4884	cmd.exe	msedge.exe
PID 4896 wrote to memory of 1952	4896	msedge.exe	svchost.exe
PID 4896 wrote to memory of 1952	4896	msedge.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe
"C:\Users\Admin\AppData\Local\Temp\c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1268

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2400

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
3⤵
- Executes dropped EXE
PID:2332

C:\Users\Admin\AppData\Local\Temp\c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe
"C:\Users\Admin\AppData\Local\Temp\c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
-pool us-eth.2miners.com:2020 -wal 0x298a98736156cdffdfaf4580afc4966904f1e12e -worker ferma -epsw x -mode 1 -log 0 -mport 0 -etha 0 -ftime 55 -retrydelay 1 -coin eth
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\conhost.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\ProgramData\conhost.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\ProgramData\conhost.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
memory/1268-133-0x000000000135B000-0x000000000136E000-memory.dmp

Filesize
76KB

Download
memory/1328-155-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1328-154-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1328-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1328-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1328-138-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1328-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1328-137-0x0000000000000000-mapping.dmp

Download
memory/1952-150-0x0000000000000000-mapping.dmp

Download
memory/2332-144-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2332-141-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2332-153-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2332-139-0x0000000000000000-mapping.dmp

Download
memory/2400-132-0x0000000000000000-mapping.dmp

Download
memory/2400-136-0x0000000000FE0000-0x0000000000FE3000-memory.dmp

Filesize
12KB

Download
memory/4884-146-0x0000000000000000-mapping.dmp

Download
memory/4896-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads