colibri | d307eed36bcbe673fd89f96be8739c1613efe7520ac870dbe15e6d35e67d3b58 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

d307eed36bcbe673fd89f96be8739c1613efe7520ac870dbe15e6d35e67d3b58
Size

460KB
Sample

220903-p6ks8ahgd9
MD5

4867fd230f1c7258178d3d8dd7eabb2a
SHA1

b0f8925bdd1e60a719cfed16fc2b749efbdc8202
SHA256

d307eed36bcbe673fd89f96be8739c1613efe7520ac870dbe15e6d35e67d3b58
SHA512

b7f36ffa61e8b550f41369f3c2dbbe6af4da360fac15c2e3fcc9c50ea80619852fe6afce16d857f77af25b21bf64a835264ca6411ad7e6a06599eda90fd539b7
SSDEEP

12288:4Hw0k6MeZrhliNvNv3l0sYUdVIPtbt7+4jJ5eXdhsjeWhN7E6:4Hw0kErhliHWsMPth+EJGdh2eGN7E6

Score

10^/10

colibri build1 discovery loader spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

d307eed36bcbe673fd89f96be8739c1613efe7520ac870dbe15e6d35e67d3b58.exe

Resource

win10v2004-20220812-en

colibri build1 discovery loader spyware stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  d307eed36bcbe673fd89f96be8739c1613efe7520ac870dbe15e6d35e67d3b58
- Size
  
  460KB
- MD5
  
  4867fd230f1c7258178d3d8dd7eabb2a
- SHA1
  
  b0f8925bdd1e60a719cfed16fc2b749efbdc8202
- SHA256
  
  d307eed36bcbe673fd89f96be8739c1613efe7520ac870dbe15e6d35e67d3b58
- SHA512
  
  b7f36ffa61e8b550f41369f3c2dbbe6af4da360fac15c2e3fcc9c50ea80619852fe6afce16d857f77af25b21bf64a835264ca6411ad7e6a06599eda90fd539b7
- SSDEEP
  
  12288:4Hw0k6MeZrhliNvNv3l0sYUdVIPtbt7+4jJ5eXdhsjeWhN7E6:4Hw0kErhliHWsMPth+EJGdh2eGN7E6
Score

10^/10

colibri build1 discovery loader spyware stealer
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

colibribuild1discoveryloaderspywarestealer

© 2018-2024

Terms | Privacy