colibri | 99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a

General

Target

a5bbcfa88a2e99448d75af25c2aac091.exe
Size

602KB
MD5

a5bbcfa88a2e99448d75af25c2aac091
SHA1

3f5a11daf693568bbff848cfc8ebf9be60cd3138
SHA256

99f38cc25d3cbea909717f9412ecd960de03c382e205c687ff9b6d27a2938c7a
SHA512

71e41b7b09a4b0d358fb4d94d0e0d99b0becaadbff70eba1d03e0ba9c4780616e755e8893a9bd90d519297d0443788cb52a3f5f2725a68e160e9b0dafbaed4df
SSDEEP

6144:ypMbah3V7h34ww3D5UIiJf0lo+u8rjXIn4XxTlIOQF:yrhEiIkBD8rTInuxTeOA

Score

10^/10

colibri build1 loader miner persistence

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Detectes Phoenix Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe	miner_phoenix

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

conhost.execonhost.exemsedge.exesvchost.exe

pid process

4856 conhost.exe
4440 conhost.exe
1344 msedge.exe
3884 svchost.exe

pid	process
4856	conhost.exe
4440	conhost.exe
1344	msedge.exe
3884	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a5bbcfa88a2e99448d75af25c2aac091.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	a5bbcfa88a2e99448d75af25c2aac091.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSEdge = "C:\\Users\\Admin\\AppData\\Roaming\\MSEdge\\msedge.exe"	a5bbcfa88a2e99448d75af25c2aac091.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

svchost.exe

pid process

3884 svchost.exe
3884 svchost.exe

pid	process
3884	svchost.exe
3884	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

conhost.exea5bbcfa88a2e99448d75af25c2aac091.exea5bbcfa88a2e99448d75af25c2aac091.exe

description	pid	process	target process
PID 4856 set thread context of 4440	4856	conhost.exe	conhost.exe
PID 1540 set thread context of 1016	1540	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1016 set thread context of 4384	1016	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

a5bbcfa88a2e99448d75af25c2aac091.execonhost.exea5bbcfa88a2e99448d75af25c2aac091.exea5bbcfa88a2e99448d75af25c2aac091.execmd.exemsedge.exe

description	pid	process	target process
PID 1540 wrote to memory of 4856	1540	a5bbcfa88a2e99448d75af25c2aac091.exe	conhost.exe
PID 1540 wrote to memory of 4856	1540	a5bbcfa88a2e99448d75af25c2aac091.exe	conhost.exe
PID 1540 wrote to memory of 4856	1540	a5bbcfa88a2e99448d75af25c2aac091.exe	conhost.exe
PID 4856 wrote to memory of 4440	4856	conhost.exe	conhost.exe
PID 4856 wrote to memory of 4440	4856	conhost.exe	conhost.exe
PID 4856 wrote to memory of 4440	4856	conhost.exe	conhost.exe
PID 1540 wrote to memory of 1016	1540	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1540 wrote to memory of 1016	1540	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1540 wrote to memory of 1016	1540	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 4856 wrote to memory of 4440	4856	conhost.exe	conhost.exe
PID 4856 wrote to memory of 4440	4856	conhost.exe	conhost.exe
PID 4856 wrote to memory of 4440	4856	conhost.exe	conhost.exe
PID 4856 wrote to memory of 4440	4856	conhost.exe	conhost.exe
PID 1540 wrote to memory of 1016	1540	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1540 wrote to memory of 1016	1540	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1540 wrote to memory of 1016	1540	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1540 wrote to memory of 1016	1540	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1540 wrote to memory of 1016	1540	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1540 wrote to memory of 1016	1540	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1540 wrote to memory of 1016	1540	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1016 wrote to memory of 4384	1016	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1016 wrote to memory of 4384	1016	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1016 wrote to memory of 4384	1016	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1016 wrote to memory of 4384	1016	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1016 wrote to memory of 4384	1016	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1016 wrote to memory of 4384	1016	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1016 wrote to memory of 4384	1016	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1016 wrote to memory of 4384	1016	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 1016 wrote to memory of 4384	1016	a5bbcfa88a2e99448d75af25c2aac091.exe	a5bbcfa88a2e99448d75af25c2aac091.exe
PID 4384 wrote to memory of 1372	4384	a5bbcfa88a2e99448d75af25c2aac091.exe	cmd.exe
PID 4384 wrote to memory of 1372	4384	a5bbcfa88a2e99448d75af25c2aac091.exe	cmd.exe
PID 4384 wrote to memory of 1372	4384	a5bbcfa88a2e99448d75af25c2aac091.exe	cmd.exe
PID 1372 wrote to memory of 1344	1372	cmd.exe	msedge.exe
PID 1372 wrote to memory of 1344	1372	cmd.exe	msedge.exe
PID 1344 wrote to memory of 3884	1344	msedge.exe	svchost.exe
PID 1344 wrote to memory of 3884	1344	msedge.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\a5bbcfa88a2e99448d75af25c2aac091.exe
"C:\Users\Admin\AppData\Local\Temp\a5bbcfa88a2e99448d75af25c2aac091.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1540

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4856

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
3⤵
- Executes dropped EXE
PID:4440

C:\Users\Admin\AppData\Local\Temp\a5bbcfa88a2e99448d75af25c2aac091.exe
"C:\Users\Admin\AppData\Local\Temp\a5bbcfa88a2e99448d75af25c2aac091.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\a5bbcfa88a2e99448d75af25c2aac091.exe
"C:\Users\Admin\AppData\Local\Temp\a5bbcfa88a2e99448d75af25c2aac091.exe"
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
-pool us-eth.2miners.com:2020 -wal 0x298a98736156cdffdfaf4580afc4966904f1e12e -worker ferma -epsw x -mode 1 -log 0 -mport 0 -etha 0 -ftime 55 -retrydelay 1 -coin eth
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize
16KB

MD5
e8ac4929d4ef413e3c45abe2531cae95

SHA1
9ccd6320f053402699c802425e395010ef915740

SHA256
7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588

SHA512
be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize
8.1MB

MD5
51ff42d909a879d42eb5f0e643aab806

SHA1
affce62499d0f923f115228643a87ba5daece4e5

SHA256
c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3

SHA512
bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf

Download Submit
memory/1016-142-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1016-138-0x0000000000000000-mapping.dmp

Download
memory/1016-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1016-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1016-140-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1016-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1344-159-0x0000000000000000-mapping.dmp

Download
memory/1372-158-0x0000000000000000-mapping.dmp

Download
memory/1540-133-0x00000000010F5000-0x0000000001108000-memory.dmp

Filesize
76KB

Download
memory/1540-136-0x0000000001028000-0x000000000102A000-memory.dmp

Filesize
8KB

Download
memory/3884-162-0x0000000000000000-mapping.dmp

Download
memory/4384-148-0x00000000009B0000-0x00000000009E6000-memory.dmp

Filesize
216KB

Download
memory/4384-156-0x00000000009B0000-0x00000000009E6000-memory.dmp

Filesize
216KB

Download
memory/4384-153-0x00000000009B0000-0x00000000009E6000-memory.dmp

Filesize
216KB

Download
memory/4384-147-0x0000000000000000-mapping.dmp

Download
memory/4440-139-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4440-157-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4440-137-0x0000000000000000-mapping.dmp

Download
memory/4856-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads