colibri | 99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a | Triage

Sharing

General

Target

a5bbcfa88a2e99448d75af25c2aac091.exe
Size

602KB
Sample

220903-p8mqlahgg4
MD5

a5bbcfa88a2e99448d75af25c2aac091
SHA1

3f5a11daf693568bbff848cfc8ebf9be60cd3138
SHA256

99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a
SHA512

71e41b7b09a4b0d358fb4d94d0e0d99b0becaadbff70eba1d03e0ba9c4780616e755e8893a9bd90d519297d0443788cb52a3f5f2725a68e160e9b0dafbaed4df
SSDEEP

6144:ypMbah3V7h34ww3D5UIiJf0lo+u8rjXIn4XxTlIOQF:yrhEiIkBD8rTInuxTeOA

Score

10^/10

colibri build1 loader miner persistence

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  a5bbcfa88a2e99448d75af25c2aac091.exe
- Size
  
  602KB
- MD5
  
  a5bbcfa88a2e99448d75af25c2aac091
- SHA1
  
  3f5a11daf693568bbff848cfc8ebf9be60cd3138
- SHA256
  
  99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a
- SHA512
  
  71e41b7b09a4b0d358fb4d94d0e0d99b0becaadbff70eba1d03e0ba9c4780616e755e8893a9bd90d519297d0443788cb52a3f5f2725a68e160e9b0dafbaed4df
- SSDEEP
  
  6144:ypMbah3V7h34ww3D5UIiJf0lo+u8rjXIn4XxTlIOQF:yrhEiIkBD8rTInuxTeOA
Score

10^/10

colibri build1 loader miner persistence
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Detectes Phoenix Miner Payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

colibribuild1loaderminerpersistence