colibri | 34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1

General

Target

34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe
Size

487KB
MD5

8dff0d3f99d12d37b665c9d8a8316a19
SHA1

f0bdaf7f749656907bb0861c715c1a818d78fd41
SHA256

34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1
SHA512

6ce36c92b7d6d52dd77383a9847f1bbf17af11a8a92da90efc8b6f6c1ab2b0985eea5983a553556d5a63e4b86d9b2711b870729557782bd0456e6fe10eb16464
SSDEEP

12288:nl2OK20PQTcTMa08IndWaWU/6aoZvf3hSFmu4zApqDB:lI2ouWf8dJx1oOFmpAgDB

Score

10^/10

colibri build1 discovery loader spyware stealer

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Executes dropped EXE 2 IoCs

Processes:

tmp9455.tmp.exetmp9455.tmp.exe

pid process

4728 tmp9455.tmp.exe
4488 tmp9455.tmp.exe

pid	process
4728	tmp9455.tmp.exe
4488	tmp9455.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp9455.tmp.exe

description pid process target process

PID 4728 set thread context of 4488 4728 tmp9455.tmp.exe tmp9455.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4728 set thread context of 4488	4728	tmp9455.tmp.exe	tmp9455.tmp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe

pid	process
1656	34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe
1656	34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe

description pid process

Token: SeDebugPrivilege 1656 34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe

description	pid	process
Token: SeDebugPrivilege	1656	34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exetmp9455.tmp.exe

description	pid	process	target process
PID 1656 wrote to memory of 4728	1656	34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe	tmp9455.tmp.exe
PID 1656 wrote to memory of 4728	1656	34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe	tmp9455.tmp.exe
PID 1656 wrote to memory of 4728	1656	34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe	tmp9455.tmp.exe
PID 4728 wrote to memory of 4488	4728	tmp9455.tmp.exe	tmp9455.tmp.exe
PID 4728 wrote to memory of 4488	4728	tmp9455.tmp.exe	tmp9455.tmp.exe
PID 4728 wrote to memory of 4488	4728	tmp9455.tmp.exe	tmp9455.tmp.exe
PID 4728 wrote to memory of 4488	4728	tmp9455.tmp.exe	tmp9455.tmp.exe
PID 4728 wrote to memory of 4488	4728	tmp9455.tmp.exe	tmp9455.tmp.exe
PID 4728 wrote to memory of 4488	4728	tmp9455.tmp.exe	tmp9455.tmp.exe
PID 4728 wrote to memory of 4488	4728	tmp9455.tmp.exe	tmp9455.tmp.exe

C:\Users\Admin\AppData\Local\Temp\34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe
"C:\Users\Admin\AppData\Local\Temp\34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\tmp9455.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9455.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4728

C:\Users\Admin\AppData\Local\Temp\tmp9455.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9455.tmp.exe"
3⤵
- Executes dropped EXE
PID:4488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9455.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9455.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9455.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/1656-135-0x000000001AC40000-0x000000001AC7C000-memory.dmp

Filesize
240KB

Download
memory/1656-136-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/1656-149-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

Filesize
10.8MB

Download
memory/1656-145-0x000000001E640000-0x000000001E802000-memory.dmp

Filesize
1.8MB

Download
memory/1656-134-0x00000000021E0000-0x00000000021F2000-memory.dmp

Filesize
72KB

Download
memory/1656-148-0x000000001E5F0000-0x000000001E60E000-memory.dmp

Filesize
120KB

Download
memory/1656-147-0x000000001E890000-0x000000001E906000-memory.dmp

Filesize
472KB

Download
memory/1656-146-0x000000001ED40000-0x000000001F268000-memory.dmp

Filesize
5.2MB

Download
memory/1656-133-0x000000001D460000-0x000000001D56A000-memory.dmp

Filesize
1.0MB

Download
memory/1656-132-0x0000000000100000-0x000000000017E000-memory.dmp

Filesize
504KB

Download
memory/4488-144-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4488-142-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4488-141-0x0000000000000000-mapping.dmp

Download
memory/4728-140-0x000000000163B000-0x0000000001641000-memory.dmp

Filesize
24KB

Download
memory/4728-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads