Malware sandboxing report by Hatching Triage

General

Target

913240d24664aeeee23dcf389d6f2ce9.exe
Size

602KB
Sample

220903-p8mqlafccn
MD5

913240d24664aeeee23dcf389d6f2ce9
SHA1

730b13fb29347ee478d79195e49977de41ed740f
SHA256

9e5ee80ee0e72b51abc4491e80fb8cf07a9d9c22b083d08f1db24ffae89517dc
SHA512

8a7e73fc3214dccdbea8a5f6a70b40f233719b2a7ce8bd205d3be2f01c93412d788fea071020dbbd76d79c43352fb71f60dab0e8eec18b159d5d0f970ad7bde7
SSDEEP

6144:up/J6DzcxdUf4/p6gj59aG5Ye5fYNYPk30QRyzpGa+IZ:up/J6DzudUw/t9Ge5fYlEQRyzwrG

Score

10^/10

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  913240d24664aeeee23dcf389d6f2ce9.exe
- Size
  
  602KB
- MD5
  
  913240d24664aeeee23dcf389d6f2ce9
- SHA1
  
  730b13fb29347ee478d79195e49977de41ed740f
- SHA256
  
  9e5ee80ee0e72b51abc4491e80fb8cf07a9d9c22b083d08f1db24ffae89517dc
- SHA512
  
  8a7e73fc3214dccdbea8a5f6a70b40f233719b2a7ce8bd205d3be2f01c93412d788fea071020dbbd76d79c43352fb71f60dab0e8eec18b159d5d0f970ad7bde7
- SSDEEP
  
  6144:up/J6DzcxdUf4/p6gj59aG5Ye5fYNYPk30QRyzpGa+IZ:up/J6DzudUw/t9Ge5fYlEQRyzwrG
Score

10^/10

colibri build1 discovery loader miner persistence spyware stealer
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Detectes Phoenix Miner Payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Targets

Colibri Loader

Detectes Phoenix Miner Payload

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2