General

  • Target

    9c512797b50b536a82baf18fc9fb3077.exe

  • Size

    602KB

  • Sample

    220903-nbzhfseaam

  • MD5

    9c512797b50b536a82baf18fc9fb3077

  • SHA1

    bd9fc65cb2d62474e510c74e93e8475096661e8c

  • SHA256

    5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5

  • SHA512

    e20abf9a3a0e6d482cc68b8dd6ba809cb3f5dee3e5f326ff05e38fa565f51a8f65b4338bc84fecc871275a6538a401909cbc87fda5e0a852bb6cff06a356ee53

  • SSDEEP

    6144:BBcIhrEveSkYMiYV3URBSDdZgBNAtFySYODL8QS:B/hroLMP3kEgBNAt2QL8QS

Malware Config

  • Extracted

  • Family

    colibri

  • Version

    1.2.0

  • Botnet

    Build1

  • C2

    http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

    http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

    • Target

      9c512797b50b536a82baf18fc9fb3077.exe

    • Size

      602KB

    • MD5

      9c512797b50b536a82baf18fc9fb3077

    • SHA1

      bd9fc65cb2d62474e510c74e93e8475096661e8c

    • SHA256

      5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5

    • SHA512

      e20abf9a3a0e6d482cc68b8dd6ba809cb3f5dee3e5f326ff05e38fa565f51a8f65b4338bc84fecc871275a6538a401909cbc87fda5e0a852bb6cff06a356ee53

    • SSDEEP

      6144:BBcIhrEveSkYMiYV3URBSDdZgBNAtFySYODL8QS:B/hroLMP3kEgBNAt2QL8QS

    • Colibri Loader

      A loader sold as MaaS first seen in August 2021.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (1 signature): T1060

  • Defense Evasion

    Modify Registry (1 signature): T1112

  • Discovery

    Query Registry (1 signature): T1012

    System Information Discovery (2 signatures): T1082

Tasks