colibri | adbee90a8f97d2afdc7829c01bc78af630b7f567270bcc5a5ff56e0469033b9f

General

Target

cb940cf74606d64260e36e8ef1e4f585.exe
Size

602KB
MD5

cb940cf74606d64260e36e8ef1e4f585
SHA1

0c77a9b9c592ee4d9e2757e5774d6621a77b0c0d
SHA256

adbee90a8f97d2afdc7829c01bc78af630b7f567270bcc5a5ff56e0469033b9f
SHA512

7701f4295101d197dc7b6529d0d772596a93ee2a1d4e063bc3793856114e13cf0ea30c8527739e88e6b4de2f4891b7e2a4f4e3ee8cec5003290100abac33cfbf
SSDEEP

12288:FThQ8oNPBa/AqpCeBXTy1t2r4BRnExdaqA:I8oNQXpCCB

Score

10^/10

colibri build1 loader miner persistence

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Detectes Phoenix Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

conhost.execonhost.exemsedge.exesvchost.exe

pid process

4848 conhost.exe
4748 conhost.exe
4328 msedge.exe
3976 svchost.exe

pid	process
4848	conhost.exe
4748	conhost.exe
4328	msedge.exe
3976	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cb940cf74606d64260e36e8ef1e4f585.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	cb940cf74606d64260e36e8ef1e4f585.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSEdge = "C:\\Users\\Admin\\AppData\\Roaming\\MSEdge\\msedge.exe"	cb940cf74606d64260e36e8ef1e4f585.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

svchost.exe

pid process

3976 svchost.exe
3976 svchost.exe

pid	process
3976	svchost.exe
3976	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

conhost.execb940cf74606d64260e36e8ef1e4f585.execb940cf74606d64260e36e8ef1e4f585.exe

description	pid	process	target process
PID 4848 set thread context of 4748	4848	conhost.exe	conhost.exe
PID 4832 set thread context of 1800	4832	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 1800 set thread context of 1432	1800	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

cb940cf74606d64260e36e8ef1e4f585.execonhost.execb940cf74606d64260e36e8ef1e4f585.execb940cf74606d64260e36e8ef1e4f585.execb940cf74606d64260e36e8ef1e4f585.execmd.exemsedge.exe

description	pid	process	target process
PID 2764 wrote to memory of 4848	2764	cb940cf74606d64260e36e8ef1e4f585.exe	conhost.exe
PID 2764 wrote to memory of 4848	2764	cb940cf74606d64260e36e8ef1e4f585.exe	conhost.exe
PID 2764 wrote to memory of 4848	2764	cb940cf74606d64260e36e8ef1e4f585.exe	conhost.exe
PID 4848 wrote to memory of 4748	4848	conhost.exe	conhost.exe
PID 4848 wrote to memory of 4748	4848	conhost.exe	conhost.exe
PID 4848 wrote to memory of 4748	4848	conhost.exe	conhost.exe
PID 2764 wrote to memory of 4832	2764	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 2764 wrote to memory of 4832	2764	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 2764 wrote to memory of 4832	2764	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 4848 wrote to memory of 4748	4848	conhost.exe	conhost.exe
PID 4848 wrote to memory of 4748	4848	conhost.exe	conhost.exe
PID 4848 wrote to memory of 4748	4848	conhost.exe	conhost.exe
PID 4848 wrote to memory of 4748	4848	conhost.exe	conhost.exe
PID 4832 wrote to memory of 1800	4832	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 4832 wrote to memory of 1800	4832	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 4832 wrote to memory of 1800	4832	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 4832 wrote to memory of 1800	4832	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 4832 wrote to memory of 1800	4832	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 4832 wrote to memory of 1800	4832	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 4832 wrote to memory of 1800	4832	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 4832 wrote to memory of 1800	4832	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 4832 wrote to memory of 1800	4832	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 4832 wrote to memory of 1800	4832	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 1800 wrote to memory of 1432	1800	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 1800 wrote to memory of 1432	1800	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 1800 wrote to memory of 1432	1800	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 1800 wrote to memory of 1432	1800	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 1800 wrote to memory of 1432	1800	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 1800 wrote to memory of 1432	1800	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 1800 wrote to memory of 1432	1800	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 1800 wrote to memory of 1432	1800	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 1800 wrote to memory of 1432	1800	cb940cf74606d64260e36e8ef1e4f585.exe	cb940cf74606d64260e36e8ef1e4f585.exe
PID 1432 wrote to memory of 1976	1432	cb940cf74606d64260e36e8ef1e4f585.exe	cmd.exe
PID 1432 wrote to memory of 1976	1432	cb940cf74606d64260e36e8ef1e4f585.exe	cmd.exe
PID 1432 wrote to memory of 1976	1432	cb940cf74606d64260e36e8ef1e4f585.exe	cmd.exe
PID 1976 wrote to memory of 4328	1976	cmd.exe	msedge.exe
PID 1976 wrote to memory of 4328	1976	cmd.exe	msedge.exe
PID 4328 wrote to memory of 3976	4328	msedge.exe	svchost.exe
PID 4328 wrote to memory of 3976	4328	msedge.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe
"C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4848

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
3⤵
- Executes dropped EXE
PID:4748

C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe
"C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4832

C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe
"C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe
"C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe"
4⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
-pool us-eth.2miners.com:2020 -wal 0x298a98736156cdffdfaf4580afc4966904f1e12e -worker ferma -epsw x -mode 1 -log 0 -mport 0 -etha 0 -ftime 55 -retrydelay 1 -coin eth
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
memory/1432-148-0x0000000000000000-mapping.dmp

Download
memory/1432-157-0x0000000001020000-0x0000000001056000-memory.dmp

Filesize
216KB

Download
memory/1432-154-0x0000000001020000-0x0000000001056000-memory.dmp

Filesize
216KB

Download
memory/1432-149-0x0000000001020000-0x0000000001056000-memory.dmp

Filesize
216KB

Download
memory/1800-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1800-145-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1800-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1800-142-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1800-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1800-141-0x0000000000000000-mapping.dmp

Download
memory/1976-159-0x0000000000000000-mapping.dmp

Download
memory/2764-133-0x00000000013F5000-0x0000000001408000-memory.dmp

Filesize
76KB

Download
memory/3976-163-0x0000000000000000-mapping.dmp

Download
memory/4328-160-0x0000000000000000-mapping.dmp

Download
memory/4748-158-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4748-138-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4748-136-0x0000000000000000-mapping.dmp

Download
memory/4832-140-0x0000000000AB8000-0x0000000000ACB000-memory.dmp

Filesize
76KB

Download
memory/4832-137-0x0000000000000000-mapping.dmp

Download
memory/4848-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads