colibri | 9e5ee80ee0e72b51abc4491e80fb8cf07a9d9c22b083d08f1db24ffae89517dc | Triage

Submit
Reports

Overview

overview

Static

static

913240d246...e9.exe

windows7-x64

913240d246...e9.exe

windows10-2004-x64

Sharing

General

Target

913240d24664aeeee23dcf389d6f2ce9.exe
Size

602KB
Sample

220903-p8mqlafccn
MD5

913240d24664aeeee23dcf389d6f2ce9
SHA1

730b13fb29347ee478d79195e49977de41ed740f
SHA256

9e5ee80ee0e72b51abc4491e80fb8cf07a9d9c22b083d08f1db24ffae89517dc
SHA512

8a7e73fc3214dccdbea8a5f6a70b40f233719b2a7ce8bd205d3be2f01c93412d788fea071020dbbd76d79c43352fb71f60dab0e8eec18b159d5d0f970ad7bde7
SSDEEP

6144:up/J6DzcxdUf4/p6gj59aG5Ye5fYNYPk30QRyzpGa+IZ:up/J6DzudUw/t9Ge5fYlEQRyzwrG

Score

10^/10

colibri build1 discovery loader miner persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

913240d24664aeeee23dcf389d6f2ce9.exe

Resource

win7-20220812-en

windows7-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

913240d24664aeeee23dcf389d6f2ce9.exe

Resource

win10v2004-20220812-en

colibri build1 discovery loader miner persistence spyware stealer

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  913240d24664aeeee23dcf389d6f2ce9.exe
- Size
  
  602KB
- MD5
  
  913240d24664aeeee23dcf389d6f2ce9
- SHA1
  
  730b13fb29347ee478d79195e49977de41ed740f
- SHA256
  
  9e5ee80ee0e72b51abc4491e80fb8cf07a9d9c22b083d08f1db24ffae89517dc
- SHA512
  
  8a7e73fc3214dccdbea8a5f6a70b40f233719b2a7ce8bd205d3be2f01c93412d788fea071020dbbd76d79c43352fb71f60dab0e8eec18b159d5d0f970ad7bde7
- SSDEEP
  
  6144:up/J6DzcxdUf4/p6gj59aG5Ye5fYNYPk30QRyzpGa+IZ:up/J6DzudUw/t9Ge5fYlEQRyzwrG
Score

10^/10

colibri build1 discovery loader miner persistence spyware stealer
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Detectes Phoenix Miner Payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

colibribuild1discoveryloaderminerpersistencespywarestealer

© 2018-2024

Terms | Privacy