colibri | 19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3 | Triage

Submit
Reports

Overview

overview

Static

static

$RDUQK6W.exe

windows7-x64

$RDUQK6W.exe

windows10-2004-x64

Resubmissions

15-10-2023 15:31

231015-sx9b1aaf63 10

03-06-2023 11:19

230603-ne62psge66 10

12-04-2023 12:00

230412-n6gk5aca73 10

05-09-2022 16:12

220905-tny1cabffk 10

Sharing

General

Target

$RDUQK6W.exe
Size

10.5MB
Sample

220905-tny1cabffk
MD5

4a5a3ad1c74f3f7d525e1c97995ca649
SHA1

cc0548dcbf4c0bc4489529e9148cf9f921485e84
SHA256

19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3
SHA512

fbb94f6b670fbd6e32ac71b97cfe00d3c67a9747e1e4192ad1889bd8cf121b1b3bfe6e9fa0d4ba8634b5a8431b84c4ba7b3800bb6e128ce9ad759f952ac875b3
SSDEEP

196608:OXBAqsvidH8HkLOogdmCvl6SsT2bygeHHNc8zKiSKu5GjY2+rZvPTetsi0ERHblh:vidcEiJtNUEMH6kXYj5etb0qHblVFV

Score

10^/10

colibri dcrat build1 evasion infostealer loader rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

$RDUQK6W.exe

Resource

win7-20220812-en

dcrat evasion infostealer rat trojan

windows7-x64

21 signatures

300 seconds

Behavioral task

behavioral2

Sample

$RDUQK6W.exe

Resource

win10v2004-20220812-en

colibri build1 evasion loader trojan

windows10-2004-x64

19 signatures

300 seconds

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  $RDUQK6W.exe
- Size
  
  10.5MB
- MD5
  
  4a5a3ad1c74f3f7d525e1c97995ca649
- SHA1
  
  cc0548dcbf4c0bc4489529e9148cf9f921485e84
- SHA256
  
  19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3
- SHA512
  
  fbb94f6b670fbd6e32ac71b97cfe00d3c67a9747e1e4192ad1889bd8cf121b1b3bfe6e9fa0d4ba8634b5a8431b84c4ba7b3800bb6e128ce9ad759f952ac875b3
- SSDEEP
  
  196608:OXBAqsvidH8HkLOogdmCvl6SsT2bygeHHNc8zKiSKu5GjY2+rZvPTetsi0ERHblh:vidcEiJtNUEMH6kXYj5etb0qHblVFV
Score

10^/10

dcrat evasion infostealer rat trojan colibri build1 loader
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  evasion trojan
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

dcratevasioninfostealerrattrojan

behavioral2

colibribuild1evasionloadertrojan

© 2018-2024

Terms | Privacy