General
- Target: file.exe
- Size: 602KB
- Sample: 220901-3cjkyscfgr
- MD5: 1db9ce2cf416557e3c4815b62e43b31d
- SHA1: 2afc08f044a15a8812e8181cbe37cf9a39cc8243
- SHA256: 0f3b262010f9d12dd37b18903be4c3a5de0f20b2e4841efde7d2250bdf660bc5
- SHA512: d1ec32569fa80081872960f55d8a029a31bb0eca8fbadc39a5fcfe0f8eb0f296ab52111f024dae29c18b83ab6d4015da864d1944e4d9fdf633d1a0de0c12ae7d
- SSDEEP: 6144:vY+BkUWnbcgwe8O8FeCxJedUBe1kTEd9:vDkLnbc3e8O2Bxkkwd9
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220901-en
Malware Config
Extracted
- colibri 1.2.0 Build1
- http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
- http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Targets
- Target: file.exe
- Detects Phoenix Miner Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext