colibri | 1c986afb6b41d43bbc3d526dad0629c3903aed6f88e0d4a86014748617dfab5a | Triage

Submit
Reports

Overview

overview

Static

static

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

General

Target

file.exe
Size

602KB
Sample

220902-g8wz9sbha9
MD5

6590c006da1047ab975529d3ed46619a
SHA1

397d8c152fbf0b746aeb7e69141c662297aa9379
SHA256

1c986afb6b41d43bbc3d526dad0629c3903aed6f88e0d4a86014748617dfab5a
SHA512

c9fee15fd842ca4614aea06c48ee51d143b9e4f187c16533762d4cd831910d38e163aaa0c639d72fbb4a3e57d81de31fb58db40c63546cf3a4d609d17bf8ca0f
SSDEEP

6144:KLuAvRbXvC79gVoA550CbeoLFroWiYfQ82bAGpMTO0I6:KLuAv9vo9gVoA57TLiEhGgO8

Score

10^/10

colibri build1 discovery loader miner persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20220901-en

windows7-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20220901-en

colibri build1 discovery loader miner persistence spyware stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  file.exe
- Size
  
  602KB
- MD5
  
  6590c006da1047ab975529d3ed46619a
- SHA1
  
  397d8c152fbf0b746aeb7e69141c662297aa9379
- SHA256
  
  1c986afb6b41d43bbc3d526dad0629c3903aed6f88e0d4a86014748617dfab5a
- SHA512
  
  c9fee15fd842ca4614aea06c48ee51d143b9e4f187c16533762d4cd831910d38e163aaa0c639d72fbb4a3e57d81de31fb58db40c63546cf3a4d609d17bf8ca0f
- SSDEEP
  
  6144:KLuAvRbXvC79gVoA550CbeoLFroWiYfQ82bAGpMTO0I6:KLuAv9vo9gVoA57TLiEhGgO8
Score

10^/10

colibri build1 discovery loader miner persistence spyware stealer
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Detectes Phoenix Miner Payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

colibribuild1discoveryloaderminerpersistencespywarestealer

© 2018-2024

Terms | Privacy