colibri | 0a46613d4ca1c621c5838c41e9cfe559b112b9e1d3b69e2051066e18ff24acb6 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

0a46613d4ca1c621c5838c41e9cfe559b112b9e1d3b69e2051066e18ff24acb6
Size

467KB
Sample

220903-qh9ywafdhq
MD5

3532766b7b1a52a96b77a00e94bb4c95
SHA1

e112face677144ebb230165303461e0367403096
SHA256

0a46613d4ca1c621c5838c41e9cfe559b112b9e1d3b69e2051066e18ff24acb6
SHA512

49a4067074693c90459547cc373aa0e8f74f7ae0f34200cb8f716ef6f4a1028eb3de8fe5f3e08020c1f75e927593009d193c35e31fd3cdb14b67699fdc28c714
SSDEEP

12288:bFnVk+436xowuTfLq4EI+gOBzh4JiM32SIMT:bFnVkZ/wKfOrki

Score

10^/10

colibri build1 discovery loader spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

0a46613d4ca1c621c5838c41e9cfe559b112b9e1d3b69e2051066e18ff24acb6.exe

Resource

win10v2004-20220812-en

colibri build1 discovery loader spyware stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  0a46613d4ca1c621c5838c41e9cfe559b112b9e1d3b69e2051066e18ff24acb6
- Size
  
  467KB
- MD5
  
  3532766b7b1a52a96b77a00e94bb4c95
- SHA1
  
  e112face677144ebb230165303461e0367403096
- SHA256
  
  0a46613d4ca1c621c5838c41e9cfe559b112b9e1d3b69e2051066e18ff24acb6
- SHA512
  
  49a4067074693c90459547cc373aa0e8f74f7ae0f34200cb8f716ef6f4a1028eb3de8fe5f3e08020c1f75e927593009d193c35e31fd3cdb14b67699fdc28c714
- SSDEEP
  
  12288:bFnVk+436xowuTfLq4EI+gOBzh4JiM32SIMT:bFnVkZ/wKfOrki
Score

10^/10

colibri build1 discovery loader spyware stealer
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

colibribuild1discoveryloaderspywarestealer

© 2018-2024

Terms | Privacy