colibri | 6c179c2b5cda41d940a552f19def20711f7389d3188d7646c45b7963f2049667 | Triage

Submit
Reports

Overview

overview

Static

static

file.exe

windows7-x64

3

file.exe

windows10-2004-x64

Sharing

General

Target

file.exe
Size

657KB
Sample

220904-m3dvdsefgl
MD5

408866829065c70ccb93d6af75b2f04b
SHA1

c2abb3f1434d1f1996dc6569f1d289eda41edcca
SHA256

6c179c2b5cda41d940a552f19def20711f7389d3188d7646c45b7963f2049667
SHA512

724ed56fc9409f77e8c804101f45de8ccf453642b59f124c647dc3ef5936ce2adbb74befdd5d1590cc3b9fe7ef1f9a864128b545ae5746cb822f22c19244af45
SSDEEP

6144:VoxIpwTnoNlR/DU7yhezwmQsrmMxzG8pCoHM3g:VoxIpwTnoDR/DUmhwxQspo8VsQ

Score

10^/10

colibri build1 discovery loader miner persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20220812-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20220901-en

colibri build1 discovery loader miner persistence spyware stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  file.exe
- Size
  
  657KB
- MD5
  
  408866829065c70ccb93d6af75b2f04b
- SHA1
  
  c2abb3f1434d1f1996dc6569f1d289eda41edcca
- SHA256
  
  6c179c2b5cda41d940a552f19def20711f7389d3188d7646c45b7963f2049667
- SHA512
  
  724ed56fc9409f77e8c804101f45de8ccf453642b59f124c647dc3ef5936ce2adbb74befdd5d1590cc3b9fe7ef1f9a864128b545ae5746cb822f22c19244af45
- SSDEEP
  
  6144:VoxIpwTnoNlR/DU7yhezwmQsrmMxzG8pCoHM3g:VoxIpwTnoDR/DUmhwxQspo8VsQ
Score

10^/10

colibri build1 discovery loader miner persistence spyware stealer
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Detectes Phoenix Miner Payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

colibribuild1discoveryloaderminerpersistencespywarestealer

© 2018-2024

Terms | Privacy