Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

9c512797b50b536a82baf18fc9fb3077.exe
Size

602KB
Sample

220903-nbzhfseaam
MD5

9c512797b50b536a82baf18fc9fb3077
SHA1

bd9fc65cb2d62474e510c74e93e8475096661e8c
SHA256

5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5
SHA512

e20abf9a3a0e6d482cc68b8dd6ba809cb3f5dee3e5f326ff05e38fa565f51a8f65b4338bc84fecc871275a6538a401909cbc87fda5e0a852bb6cff06a356ee53
SSDEEP

6144:BBcIhrEveSkYMiYV3URBSDdZgBNAtFySYODL8QS:B/hroLMP3kEgBNAt2QL8QS

Score

10^/10

colibri build1 loader persistence

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  9c512797b50b536a82baf18fc9fb3077.exe
- Size
  
  602KB
- MD5
  
  9c512797b50b536a82baf18fc9fb3077
- SHA1
  
  bd9fc65cb2d62474e510c74e93e8475096661e8c
- SHA256
  
  5ba33d60c4483c65ed0515ab6068a7bd3d429dd80392aa4864070a08c42223c5
- SHA512
  
  e20abf9a3a0e6d482cc68b8dd6ba809cb3f5dee3e5f326ff05e38fa565f51a8f65b4338bc84fecc871275a6538a401909cbc87fda5e0a852bb6cff06a356ee53
- SSDEEP
  
  6144:BBcIhrEveSkYMiYV3URBSDdZgBNAtFySYODL8QS:B/hroLMP3kEgBNAt2QL8QS
Score

10^/10

colibri build1 loader persistence
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Tasks

static1

behavioral1

behavioral2

colibribuild1loaderpersistence