General
-
Target
5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5
-
Size
602KB
-
Sample
220903-d8y8vabda4
-
MD5
9c512797b50b536a82baf18fc9fb3077
-
SHA1
bd9fc65cb2d62474e510c74e93e8475096661e8c
-
SHA256
5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5
-
SHA512
e20abf9a3a0e6d482cc68b8dd6ba809cb3f5dee3e5f326ff05e38fa565f51a8f65b4338bc84fecc871275a6538a401909cbc87fda5e0a852bb6cff06a356ee53
-
SSDEEP
6144:BBcIhrEveSkYMiYV3URBSDdZgBNAtFySYODL8QS:B/hroLMP3kEgBNAt2QL8QS
Static task
static1
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Targets
-
-
Target
5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5
-
Size
602KB
-
MD5
9c512797b50b536a82baf18fc9fb3077
-
SHA1
bd9fc65cb2d62474e510c74e93e8475096661e8c
-
SHA256
5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5
-
SHA512
e20abf9a3a0e6d482cc68b8dd6ba809cb3f5dee3e5f326ff05e38fa565f51a8f65b4338bc84fecc871275a6538a401909cbc87fda5e0a852bb6cff06a356ee53
-
SSDEEP
6144:BBcIhrEveSkYMiYV3URBSDdZgBNAtFySYODL8QS:B/hroLMP3kEgBNAt2QL8QS
-
Detectes Phoenix Miner Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-