Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4
Size

657KB
Sample

220904-ktflhsdbfn
MD5

1ab9115cce93709220c60217c4077c34
SHA1

4444d87625d9001bbbe99d975542b97884cb83a0
SHA256

5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4
SHA512

cd46ae14d3a2c81ea4bd791a51b867293c10ee3771697f6204e816f055d366b4f9a2f9faa5285cf4dd3c5f49066aa6b75805dc61da3a561810a6ef87ac5a12e1
SSDEEP

6144:dg5nk5lJmbKTk6b3HVaMjAsbNWTIRlRDBnN9PFja0HdjfCvA+YJJAUPvQ:dg5nkxmGT3Nx0MJN9PFrHdLCY+YJg

Score

10^/10

colibri build1 discovery loader miner persistence spyware stealer

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4
- Size
  
  657KB
- MD5
  
  1ab9115cce93709220c60217c4077c34
- SHA1
  
  4444d87625d9001bbbe99d975542b97884cb83a0
- SHA256
  
  5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4
- SHA512
  
  cd46ae14d3a2c81ea4bd791a51b867293c10ee3771697f6204e816f055d366b4f9a2f9faa5285cf4dd3c5f49066aa6b75805dc61da3a561810a6ef87ac5a12e1
- SSDEEP
  
  6144:dg5nk5lJmbKTk6b3HVaMjAsbNWTIRlRDBnN9PFja0HdjfCvA+YJJAUPvQ:dg5nkxmGT3Nx0MJN9PFrHdLCY+YJg
Score

10^/10

colibri build1 discovery loader miner persistence spyware stealer
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Detectes Phoenix Miner Payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Tasks

static1

behavioral1

colibribuild1discoveryloaderminerpersistencespywarestealer