colibri | dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8

General

Target

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
Size

8.2MB
MD5

c50570558f1fa95225c72ac974eb631a
SHA1

caf2081be16dd9738ae06e85b8464bbeaac1fef0
SHA256

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8
SHA512

e159c2f1c99a87c3aa47152edcd19145fec8b6fd06b3f65410487d0d7ba0b00b8e0fc1f2d4fdb26c9d425e1c2a216f7eb206f2d2086d100aa635b6102b894545
SSDEEP

196608:MS1SCw5ygwmaNPYL0q9aIeJhYDD8QWKaQ/s6HVf32gGgvHT4xt40aOgv:11SCw5umaetaIwYDIXQzf32sHTqt4j

Score

10^/10

colibri bot loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

bot

C2

http://oraycdn.com/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Executes dropped EXE 1 IoCs

Processes:

DllHelper.exe

pid process

912 DllHelper.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1456 cmd.exe

pid	process
912	DllHelper.exe

pid	process
1456	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe

pid	process
1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exeDllHelper.exe

pid	process
1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
912	DllHelper.exe
912	DllHelper.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DllHelper.exe

description pid process target process

PID 912 set thread context of 1764 912 DllHelper.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1660 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

756 PING.EXE

description	pid	process	target process
PID 912 set thread context of 1764	912	DllHelper.exe	InstallUtil.exe

pid	process
1660	schtasks.exe

pid	process
756	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exeDllHelper.exe

pid	process
1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
912	DllHelper.exe
912	DllHelper.exe
912	DllHelper.exe
912	DllHelper.exe
912	DllHelper.exe
912	DllHelper.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.execmd.exeDllHelper.exe

description	pid	process	target process
PID 1916 wrote to memory of 1660	1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	schtasks.exe
PID 1916 wrote to memory of 1660	1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	schtasks.exe
PID 1916 wrote to memory of 1660	1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	schtasks.exe
PID 1916 wrote to memory of 1660	1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	schtasks.exe
PID 1916 wrote to memory of 912	1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	DllHelper.exe
PID 1916 wrote to memory of 912	1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	DllHelper.exe
PID 1916 wrote to memory of 912	1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	DllHelper.exe
PID 1916 wrote to memory of 912	1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	DllHelper.exe
PID 1916 wrote to memory of 1456	1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	cmd.exe
PID 1916 wrote to memory of 1456	1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	cmd.exe
PID 1916 wrote to memory of 1456	1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	cmd.exe
PID 1916 wrote to memory of 1456	1916	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	cmd.exe
PID 1456 wrote to memory of 868	1456	cmd.exe	chcp.com
PID 1456 wrote to memory of 868	1456	cmd.exe	chcp.com
PID 1456 wrote to memory of 868	1456	cmd.exe	chcp.com
PID 1456 wrote to memory of 868	1456	cmd.exe	chcp.com
PID 1456 wrote to memory of 756	1456	cmd.exe	PING.EXE
PID 1456 wrote to memory of 756	1456	cmd.exe	PING.EXE
PID 1456 wrote to memory of 756	1456	cmd.exe	PING.EXE
PID 1456 wrote to memory of 756	1456	cmd.exe	PING.EXE
PID 912 wrote to memory of 1348	912	DllHelper.exe	InstallUtil.exe
PID 912 wrote to memory of 1348	912	DllHelper.exe	InstallUtil.exe
PID 912 wrote to memory of 1348	912	DllHelper.exe	InstallUtil.exe
PID 912 wrote to memory of 1348	912	DllHelper.exe	InstallUtil.exe
PID 912 wrote to memory of 1348	912	DllHelper.exe	InstallUtil.exe
PID 912 wrote to memory of 1348	912	DllHelper.exe	InstallUtil.exe
PID 912 wrote to memory of 1348	912	DllHelper.exe	InstallUtil.exe
PID 912 wrote to memory of 1764	912	DllHelper.exe	InstallUtil.exe
PID 912 wrote to memory of 1764	912	DllHelper.exe	InstallUtil.exe
PID 912 wrote to memory of 1764	912	DllHelper.exe	InstallUtil.exe
PID 912 wrote to memory of 1764	912	DllHelper.exe	InstallUtil.exe
PID 912 wrote to memory of 1764	912	DllHelper.exe	InstallUtil.exe
PID 912 wrote to memory of 1764	912	DllHelper.exe	InstallUtil.exe
PID 912 wrote to memory of 1764	912	DllHelper.exe	InstallUtil.exe
PID 912 wrote to memory of 1764	912	DllHelper.exe	InstallUtil.exe
PID 912 wrote to memory of 1764	912	DllHelper.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
"C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"
2⤵
- Creates scheduled task(s)
PID:1660

C:\Users\Admin\AppVerif\DllHelper.exe
"C:\Users\Admin\AppVerif\DllHelper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:1348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:868

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppVerif\DllHelper.exe
Filesize
655.8MB

MD5
5b698b69fea76232344a0cb832d10b63

SHA1
79b039952f77a60987d187526bc193f4acc376c4

SHA256
15da1dd9f3b4ea2d6f1585333b46312dc8f4715979b872e4e35978cb49f749f6

SHA512
d00a6f52046459654276d9a6b7ebbecf4d28f16d3b5efdf357fc79fe77d08cb429542960e5b890c5b00153550e9f00a1d034976baa6877c164a726444f51e3d7

Download Submit
C:\Users\Admin\AppVerif\DllHelper.exe
Filesize
696.9MB

MD5
9df7fede81bf3cee80bd97cfd78224d9

SHA1
6c0bb6239b669b4e6c87c72efb87dfd60a3bc187

SHA256
13774bd5508616d29ecba9e9fb80c9dbdfcc42ff0607c82b4ad04ab1979ac881

SHA512
7066f5dedaad6eca3898d49be49afca3784ee36e29827867c28b797c19ac23c45d3a0d48efc17f3e9bdd5a48a364df81df450a16c6aaeafb92cb5e4577b91a6c

Download Submit
\Users\Admin\AppVerif\DllHelper.exe
Filesize
758.2MB

MD5
e1791f5c7a78373aa6ff352605f23870

SHA1
9eae43b9271f8bc33accaa19cc98c9e7683f3f4b

SHA256
faffc26326077981fd53d49368d648aff6489a972eaefa733013f06a971d0c33

SHA512
c2c94137eaf1497742103a8d8ea7e1798c9aa5ebfe346e4b5a8da8d4c94e71ce02df0c6bb7108a3d9e6bcf2edacd1edeca78644a660188001a27880e9950297e

Download Submit
\Users\Admin\AppVerif\DllHelper.exe
Filesize
744.6MB

MD5
2dd935a768fa0dab9d85305cfdf5826e

SHA1
9af0d3eee7cc75717a017b73c92893553778b690

SHA256
8a925f95d6777849a63881afb852f657fdf1ab8ddd4348b11b8fe8d410dd9440

SHA512
507863db1d512c7fc1408136b1755bcb81645c6b2c1f414ef4349c876d92b3974cf28f2b1de5acfd6aa5661750e0b2832dd58bd01a410c431f5df076b62b3aaa

Download Submit
memory/756-75-0x0000000000000000-mapping.dmp

Download
memory/868-73-0x0000000000000000-mapping.dmp

Download
memory/912-79-0x0000000002CB0000-0x0000000003249000-memory.dmp

Filesize
5.6MB

Download
memory/912-80-0x0000000002CB0000-0x0000000003249000-memory.dmp

Filesize
5.6MB

Download
memory/912-81-0x0000000003250000-0x00000000033B1000-memory.dmp

Filesize
1.4MB

Download
memory/912-78-0x0000000000AE0000-0x00000000018A1000-memory.dmp

Filesize
13.8MB

Download
memory/912-76-0x0000000000AE0000-0x00000000018A1000-memory.dmp

Filesize
13.8MB

Download
memory/912-82-0x0000000003250000-0x00000000033B1000-memory.dmp

Filesize
1.4MB

Download
memory/912-68-0x0000000000000000-mapping.dmp

Download
memory/912-84-0x0000000003110000-0x0000000003188000-memory.dmp

Filesize
480KB

Download
memory/912-85-0x0000000003110000-0x0000000003188000-memory.dmp

Filesize
480KB

Download
memory/912-90-0x0000000000AE0000-0x00000000018A1000-memory.dmp

Filesize
13.8MB

Download
memory/912-91-0x0000000003250000-0x00000000033B1000-memory.dmp

Filesize
1.4MB

Download
memory/1456-71-0x0000000000000000-mapping.dmp

Download
memory/1660-62-0x0000000000000000-mapping.dmp

Download
memory/1764-93-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1764-92-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1764-86-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1764-88-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1916-60-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1916-63-0x00000000013B0000-0x0000000002171000-memory.dmp

Filesize
13.8MB

Download
memory/1916-61-0x0000000000AF0000-0x0000000000C51000-memory.dmp

Filesize
1.4MB

Download
memory/1916-54-0x00000000013B0000-0x0000000002171000-memory.dmp

Filesize
13.8MB

Download
memory/1916-59-0x0000000000AF0000-0x0000000000C51000-memory.dmp

Filesize
1.4MB

Download
memory/1916-58-0x0000000000CE0000-0x0000000001279000-memory.dmp

Filesize
5.6MB

Download
memory/1916-64-0x0000000000CE0000-0x0000000001279000-memory.dmp

Filesize
5.6MB

Download
memory/1916-57-0x0000000000CE0000-0x0000000001279000-memory.dmp

Filesize
5.6MB

Download
memory/1916-56-0x00000000013B0000-0x0000000002171000-memory.dmp

Filesize
13.8MB

Download
memory/1916-65-0x0000000000AF0000-0x0000000000C51000-memory.dmp

Filesize
1.4MB

Download
memory/1916-72-0x00000000013B0000-0x0000000002171000-memory.dmp

Filesize
13.8MB

Download
memory/1916-74-0x0000000000AF0000-0x0000000000C51000-memory.dmp

Filesize
1.4MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads