General

Target: d307eed36bcbe673fd89f96be8739c1613efe7520ac870dbe15e6d35e67d3b58
Size: 460KB
Sample: 220903-p6ks8ahgd9
MD5: 4867fd230f1c7258178d3d8dd7eabb2a
SHA1: b0f8925bdd1e60a719cfed16fc2b749efbdc8202
SHA256: d307eed36bcbe673fd89f96be8739c1613efe7520ac870dbe15e6d35e67d3b58
SHA512: b7f36ffa61e8b550f41369f3c2dbbe6af4da360fac15c2e3fcc9c50ea80619852fe6afce16d857f77af25b21bf64a835264ca6411ad7e6a06599eda90fd539b7
SSDEEP: 12288:4Hw0k6MeZrhliNvNv3l0sYUdVIPtbt7+4jJ5eXdhsjeWhN7E6:4Hw0kErhliHWsMPth+EJGdh2eGN7E6
Static task: static1

Malware Config (extracted)
Family: colibri
Version: 1.2.0
Build: Build1
C2 gates:
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
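As an added example (not part of the Triage report and not Colibri's own code), the indicators above turned into two offline checks in Python: exact comparison of a file's digests against the four hashes the report lists, and a scan of proxy log lines for the two extracted C2 gate hostnames, with a weaker heuristic flag for POSTs to /gate.php on any other host. The IOC values are copied from the report; the log line format, the sample log lines and every function name are assumptions made for this example.

```python
"""Added example (not part of the Triage report): turn this report's indicators
into checks that run offline against a file and against proxy log lines.

Everything in IOC_* is copied from the report. The log format, the sample log
lines and the field names are constructed for the example (assumptions)."""
import hashlib
import re
from urllib.parse import urlparse

# C2 gate URLs exactly as listed under "Malware Config" (colibri 1.2.0 Build1).
IOC_C2_URLS = (
    "http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php",
    "http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php",
)
# File hashes of the 460KB sample, as listed in the report.
IOC_HASHES = {
    "md5": "4867fd230f1c7258178d3d8dd7eabb2a",
    "sha1": "b0f8925bdd1e60a719cfed16fc2b749efbdc8202",
    "sha256": "d307eed36bcbe673fd89f96be8739c1613efe7520ac870dbe15e6d35e67d3b58",
    "sha512": "b7f36ffa61e8b550f41369f3c2dbbe6af4da360fac15c2e3fcc9c50ea80619852fe6afce16d857f77af25b21bf64a835264ca6411ad7e6a06599eda90fd539b7",
}


def c2_hosts(urls=IOC_C2_URLS):
    """Hostnames of the C2 gates, lower-cased, for exact matching against log fields."""
    return {urlparse(u).hostname.lower() for u in urls}


C2_HOSTS = c2_hosts()
C2_PATH = "/gate.php"


def digests_of(data: bytes) -> dict:
    """Compute the four digests the report lists so any one can be compared."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def matching_algorithms(digests: dict) -> set:
    """Algorithms whose digest equals the report's value (case-insensitive).
    Empty set: not this exact file. A repacked build will differ in every
    exact hash; only the report's SSDEEP value would catch near-duplicates,
    and that needs the ssdeep library, so it is not attempted here."""
    return {alg for alg, value in digests.items()
            if IOC_HASHES.get(alg) == value.lower()}


# Constructed proxy log format (assumption): "<ts> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(lines):
    """Return (severity, client_ip, url) tuples for requests to C2 infrastructure.
    'c2_host'  : hostname is one of the extracted gates (high confidence).
    'gate_path': POST to /gate.php on some other host (heuristic only; many
                 unrelated panels use that filename, so treat it as a lead)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        parsed = urlparse(m["url"])
        host = (parsed.hostname or "").lower()
        if host in C2_HOSTS:
            hits.append(("c2_host", m["client"], m["url"]))
        elif parsed.path == C2_PATH and m["method"] == "POST":
            hits.append(("gate_path", m["client"], m["url"]))
    return hits


# Constructed sample log lines (not from the report): two C2 contacts (one with a
# mixed-case hostname), one benign request, one heuristic lead on another host.
SAMPLE_LOG = [
    "2024-01-01T12:00:01Z 10.0.0.21 POST http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php 200",
    "2024-01-01T12:00:02Z 10.0.0.21 GET http://www.example.com/index.html 200",
    "2024-01-01T12:00:03Z 10.0.0.33 POST http://YUGYUVYUGGUITGYUIGTFYUTDTOGHGHBBGYV.cx/gate.php 200",
    "2024-01-01T12:00:04Z 10.0.0.40 POST http://other.example.net/gate.php 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    # Bytes that are not the sample match on no algorithm.
    print(matching_algorithms(digests_of(b"constructed placeholder bytes")))
```

Running the block prints the two high-confidence hits and the one heuristic lead from the constructed log; for a real file, pass its bytes to digests_of and check matching_algorithms. Exact hashes identify only this exact build, which is why the SSDEEP value in the report exists; fuzzy matching against it needs the ssdeep library and is left out here.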
Targets

Target: d307eed36bcbe673fd89f96be8739c1613efe7520ac870dbe15e6d35e67d3b58 (460KB; the same file as in General above, with identical hashes)
Signatures:
Executes dropped EXE
Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
Accesses cryptocurrency files/wallets: possible credential harvesting.
Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
Suspicious use of SetThreadContext: overwriting another thread's register context is how process hollowing and related injection techniques redirect a suspended thread into injected code, hence the flag.
MITRE ATT&CK Matrix: the report renders the tactic columns (Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation), but no technique entries survive on this page.