colibri | dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8

General

Target

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
Size

8.2MB
MD5

c50570558f1fa95225c72ac974eb631a
SHA1

caf2081be16dd9738ae06e85b8464bbeaac1fef0
SHA256

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8
SHA512

e159c2f1c99a87c3aa47152edcd19145fec8b6fd06b3f65410487d0d7ba0b00b8e0fc1f2d4fdb26c9d425e1c2a216f7eb206f2d2086d100aa635b6102b894545
SSDEEP

196608:MS1SCw5ygwmaNPYL0q9aIeJhYDD8QWKaQ/s6HVf32gGgvHT4xt40aOgv:11SCw5umaetaIwYDIXQzf32sHTqt4j

Score

10^/10

colibri bot loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

bot

C2

http://oraycdn.com/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Executes dropped EXE 1 IoCs

Processes:

DllHelper.exe

pid process

1744 DllHelper.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1992 cmd.exe

pid	process
1744	DllHelper.exe

pid	process
1992	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe

pid	process
1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exeDllHelper.exe

pid	process
1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1744	DllHelper.exe
1744	DllHelper.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DllHelper.exe

description pid process target process

PID 1744 set thread context of 324 1744 DllHelper.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

820 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

972 PING.EXE

description	pid	process	target process
PID 1744 set thread context of 324	1744	DllHelper.exe	InstallUtil.exe

pid	process
820	schtasks.exe

pid	process
972	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exeDllHelper.exe

pid	process
1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1744	DllHelper.exe
1744	DllHelper.exe
1744	DllHelper.exe
1744	DllHelper.exe
1744	DllHelper.exe
1744	DllHelper.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.execmd.exeDllHelper.exe

description	pid	process	target process
PID 1196 wrote to memory of 820	1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	schtasks.exe
PID 1196 wrote to memory of 820	1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	schtasks.exe
PID 1196 wrote to memory of 820	1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	schtasks.exe
PID 1196 wrote to memory of 820	1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	schtasks.exe
PID 1196 wrote to memory of 1744	1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	DllHelper.exe
PID 1196 wrote to memory of 1744	1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	DllHelper.exe
PID 1196 wrote to memory of 1744	1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	DllHelper.exe
PID 1196 wrote to memory of 1744	1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	DllHelper.exe
PID 1196 wrote to memory of 1992	1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	cmd.exe
PID 1196 wrote to memory of 1992	1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	cmd.exe
PID 1196 wrote to memory of 1992	1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	cmd.exe
PID 1196 wrote to memory of 1992	1196	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	cmd.exe
PID 1992 wrote to memory of 1296	1992	cmd.exe	chcp.com
PID 1992 wrote to memory of 1296	1992	cmd.exe	chcp.com
PID 1992 wrote to memory of 1296	1992	cmd.exe	chcp.com
PID 1992 wrote to memory of 1296	1992	cmd.exe	chcp.com
PID 1992 wrote to memory of 972	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 972	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 972	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 972	1992	cmd.exe	PING.EXE
PID 1744 wrote to memory of 1560	1744	DllHelper.exe	InstallUtil.exe
PID 1744 wrote to memory of 1560	1744	DllHelper.exe	InstallUtil.exe
PID 1744 wrote to memory of 1560	1744	DllHelper.exe	InstallUtil.exe
PID 1744 wrote to memory of 1560	1744	DllHelper.exe	InstallUtil.exe
PID 1744 wrote to memory of 1560	1744	DllHelper.exe	InstallUtil.exe
PID 1744 wrote to memory of 1560	1744	DllHelper.exe	InstallUtil.exe
PID 1744 wrote to memory of 1560	1744	DllHelper.exe	InstallUtil.exe
PID 1744 wrote to memory of 324	1744	DllHelper.exe	InstallUtil.exe
PID 1744 wrote to memory of 324	1744	DllHelper.exe	InstallUtil.exe
PID 1744 wrote to memory of 324	1744	DllHelper.exe	InstallUtil.exe
PID 1744 wrote to memory of 324	1744	DllHelper.exe	InstallUtil.exe
PID 1744 wrote to memory of 324	1744	DllHelper.exe	InstallUtil.exe
PID 1744 wrote to memory of 324	1744	DllHelper.exe	InstallUtil.exe
PID 1744 wrote to memory of 324	1744	DllHelper.exe	InstallUtil.exe
PID 1744 wrote to memory of 324	1744	DllHelper.exe	InstallUtil.exe
PID 1744 wrote to memory of 324	1744	DllHelper.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
"C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"
2⤵
- Creates scheduled task(s)
PID:820

C:\Users\Admin\AppVerif\DllHelper.exe
"C:\Users\Admin\AppVerif\DllHelper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1296

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppVerif\DllHelper.exe
Filesize
771.2MB

MD5
2a559a3f28256daee0f80c869ab3ac54

SHA1
0d25d2ffd5e15159ae3a8eb217b444e5e1fcbf8f

SHA256
346aa441ccdae27bf7d95d41429f744b47f291b6151de1ed2f15d6e851efbff5

SHA512
8dad88006ca5ba8cb6855ed251c23d7add20a8314a98b0c01b7515f756e1a8c4e105ee06ed34379a1e292f04941cf4011eb0c404343dce3f37a91b8885bad14b

Download Submit
C:\Users\Admin\AppVerif\DllHelper.exe
Filesize
771.2MB

MD5
2a559a3f28256daee0f80c869ab3ac54

SHA1
0d25d2ffd5e15159ae3a8eb217b444e5e1fcbf8f

SHA256
346aa441ccdae27bf7d95d41429f744b47f291b6151de1ed2f15d6e851efbff5

SHA512
8dad88006ca5ba8cb6855ed251c23d7add20a8314a98b0c01b7515f756e1a8c4e105ee06ed34379a1e292f04941cf4011eb0c404343dce3f37a91b8885bad14b

Download Submit
\Users\Admin\AppVerif\DllHelper.exe
Filesize
771.2MB

MD5
2a559a3f28256daee0f80c869ab3ac54

SHA1
0d25d2ffd5e15159ae3a8eb217b444e5e1fcbf8f

SHA256
346aa441ccdae27bf7d95d41429f744b47f291b6151de1ed2f15d6e851efbff5

SHA512
8dad88006ca5ba8cb6855ed251c23d7add20a8314a98b0c01b7515f756e1a8c4e105ee06ed34379a1e292f04941cf4011eb0c404343dce3f37a91b8885bad14b

Download Submit
\Users\Admin\AppVerif\DllHelper.exe
Filesize
771.2MB

MD5
2a559a3f28256daee0f80c869ab3ac54

SHA1
0d25d2ffd5e15159ae3a8eb217b444e5e1fcbf8f

SHA256
346aa441ccdae27bf7d95d41429f744b47f291b6151de1ed2f15d6e851efbff5

SHA512
8dad88006ca5ba8cb6855ed251c23d7add20a8314a98b0c01b7515f756e1a8c4e105ee06ed34379a1e292f04941cf4011eb0c404343dce3f37a91b8885bad14b

Download Submit
memory/324-92-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/324-91-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/324-87-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/324-85-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/820-64-0x0000000000000000-mapping.dmp

Download
memory/972-73-0x0000000000000000-mapping.dmp

Download
memory/1196-71-0x0000000000FC0000-0x0000000001D81000-memory.dmp

Filesize
13.8MB

Download
memory/1196-59-0x0000000000C70000-0x0000000000DD1000-memory.dmp

Filesize
1.4MB

Download
memory/1196-63-0x0000000003190000-0x0000000003729000-memory.dmp

Filesize
5.6MB

Download
memory/1196-62-0x0000000000FC0000-0x0000000001D81000-memory.dmp

Filesize
13.8MB

Download
memory/1196-61-0x0000000000C70000-0x0000000000DD1000-memory.dmp

Filesize
1.4MB

Download
memory/1196-56-0x0000000000FC0000-0x0000000001D81000-memory.dmp

Filesize
13.8MB

Download
memory/1196-54-0x0000000000FC0000-0x0000000001D81000-memory.dmp

Filesize
13.8MB

Download
memory/1196-60-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1196-74-0x0000000000C70000-0x0000000000DD1000-memory.dmp

Filesize
1.4MB

Download
memory/1196-57-0x0000000003190000-0x0000000003729000-memory.dmp

Filesize
5.6MB

Download
memory/1196-58-0x0000000003190000-0x0000000003729000-memory.dmp

Filesize
5.6MB

Download
memory/1296-72-0x0000000000000000-mapping.dmp

Download
memory/1744-77-0x0000000000820000-0x00000000015E1000-memory.dmp

Filesize
13.8MB

Download
memory/1744-79-0x0000000002D60000-0x00000000032F9000-memory.dmp

Filesize
5.6MB

Download
memory/1744-80-0x0000000002B80000-0x0000000002CE1000-memory.dmp

Filesize
1.4MB

Download
memory/1744-81-0x0000000002B80000-0x0000000002CE1000-memory.dmp

Filesize
1.4MB

Download
memory/1744-83-0x000000000BCF0000-0x000000000BD68000-memory.dmp

Filesize
480KB

Download
memory/1744-84-0x000000000BCF0000-0x000000000BD68000-memory.dmp

Filesize
480KB

Download
memory/1744-78-0x0000000002D60000-0x00000000032F9000-memory.dmp

Filesize
5.6MB

Download
memory/1744-67-0x0000000000000000-mapping.dmp

Download
memory/1744-89-0x0000000000820000-0x00000000015E1000-memory.dmp

Filesize
13.8MB

Download
memory/1744-90-0x0000000002B80000-0x0000000002CE1000-memory.dmp

Filesize
1.4MB

Download
memory/1744-75-0x0000000000820000-0x00000000015E1000-memory.dmp

Filesize
13.8MB

Download
memory/1992-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads