colibri | 64745f1d874d9a0e32a936ac3fbe80a988442d3fbf400946f18c4f4880b3f591 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

64745f1d874d9a0e32a936ac3fbe80a988442d3fbf400946f18c4f4880b3f591
Size

488KB
Sample

220902-jzbzvaafdk
MD5

244e61ee14cec7a93b0fd8725262006a
SHA1

9a06bece5a282a4fa811d16cd72e52bd7e5c2668
SHA256

64745f1d874d9a0e32a936ac3fbe80a988442d3fbf400946f18c4f4880b3f591
SHA512

228b8b069eb3c5beb65f8dcff1d991775be40d35eacaf9c2806ef99838e62885281a50d1d2c655ab6f817480815b0047f0947f55f63451f424ab07ff3056a656
SSDEEP

6144:qPCP7NBVlFsy++2AR754hZMOuMrfNMfX8kAMrUt2ar2YMNTaOpMREYkFLgk0/mqY:ZPpBg+irhNMfYiUmYMVaRqglY

Score

10^/10

colibri build1 discovery loader spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

64745f1d874d9a0e32a936ac3fbe80a988442d3fbf400946f18c4f4880b3f591.exe

Resource

win10v2004-20220812-en

colibri build1 discovery loader spyware stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  64745f1d874d9a0e32a936ac3fbe80a988442d3fbf400946f18c4f4880b3f591
- Size
  
  488KB
- MD5
  
  244e61ee14cec7a93b0fd8725262006a
- SHA1
  
  9a06bece5a282a4fa811d16cd72e52bd7e5c2668
- SHA256
  
  64745f1d874d9a0e32a936ac3fbe80a988442d3fbf400946f18c4f4880b3f591
- SHA512
  
  228b8b069eb3c5beb65f8dcff1d991775be40d35eacaf9c2806ef99838e62885281a50d1d2c655ab6f817480815b0047f0947f55f63451f424ab07ff3056a656
- SSDEEP
  
  6144:qPCP7NBVlFsy++2AR754hZMOuMrfNMfX8kAMrUt2ar2YMNTaOpMREYkFLgk0/mqY:ZPpBg+irhNMfYiUmYMVaRqglY
Score

10^/10

colibri build1 discovery loader spyware stealer
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

colibribuild1discoveryloaderspywarestealer

© 2018-2024

Terms | Privacy