Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

cb940cf74606d64260e36e8ef1e4f585.exe
Size

602KB
Sample

220903-m59d3sdhan
MD5

cb940cf74606d64260e36e8ef1e4f585
SHA1

0c77a9b9c592ee4d9e2757e5774d6621a77b0c0d
SHA256

adbee90a8f97d2afdc7829c01bc78af630b7f567270bcc5a5ff56e0469033b9f
SHA512

7701f4295101d197dc7b6529d0d772596a93ee2a1d4e063bc3793856114e13cf0ea30c8527739e88e6b4de2f4891b7e2a4f4e3ee8cec5003290100abac33cfbf
SSDEEP

12288:FThQ8oNPBa/AqpCeBXTy1t2r4BRnExdaqA:I8oNQXpCCB

Score

10^/10

colibri build1 loader miner persistence

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  cb940cf74606d64260e36e8ef1e4f585.exe
- Size
  
  602KB
- MD5
  
  cb940cf74606d64260e36e8ef1e4f585
- SHA1
  
  0c77a9b9c592ee4d9e2757e5774d6621a77b0c0d
- SHA256
  
  adbee90a8f97d2afdc7829c01bc78af630b7f567270bcc5a5ff56e0469033b9f
- SHA512
  
  7701f4295101d197dc7b6529d0d772596a93ee2a1d4e063bc3793856114e13cf0ea30c8527739e88e6b4de2f4891b7e2a4f4e3ee8cec5003290100abac33cfbf
- SSDEEP
  
  12288:FThQ8oNPBa/AqpCeBXTy1t2r4BRnExdaqA:I8oNQXpCCB
Score

10^/10

colibri build1 loader miner persistence
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Detectes Phoenix Miner Payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Tasks

static1

behavioral1

behavioral2

colibribuild1loaderminerpersistence