colibri | dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8

Resubmissions

29-11-2022 17:41

221129-v9vqgsbb47 10

08-09-2022 23:04

220908-22fpxsdbdn 10

Analysis

max time kernel
293s
max time network
296s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
08-09-2022 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
Size

8.2MB
MD5

c50570558f1fa95225c72ac974eb631a
SHA1

caf2081be16dd9738ae06e85b8464bbeaac1fef0
SHA256

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8
SHA512

e159c2f1c99a87c3aa47152edcd19145fec8b6fd06b3f65410487d0d7ba0b00b8e0fc1f2d4fdb26c9d425e1c2a216f7eb206f2d2086d100aa635b6102b894545
SSDEEP

196608:MS1SCw5ygwmaNPYL0q9aIeJhYDD8QWKaQ/s6HVf32gGgvHT4xt40aOgv:11SCw5umaetaIwYDIXQzf32sHTqt4j

Score

10^/10

colibri bot loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

bot

http://oraycdn.com/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Executes dropped EXE 1 IoCs

Processes:

DllHelper.exe

pid process

3432 DllHelper.exe

pid	process
3432	DllHelper.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exeDllHelper.exe

pid	process
4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
3432	DllHelper.exe
3432	DllHelper.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DllHelper.exe

description pid process target process

PID 3432 set thread context of 3652 3432 DllHelper.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3988 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4252 PING.EXE

description	pid	process	target process
PID 3432 set thread context of 3652	3432	DllHelper.exe	InstallUtil.exe

pid	process
3988	schtasks.exe

pid	process
4252	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exeDllHelper.exe

pid	process
4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
3432	DllHelper.exe
3432	DllHelper.exe
3432	DllHelper.exe
3432	DllHelper.exe
3432	DllHelper.exe
3432	DllHelper.exe
3432	DllHelper.exe
3432	DllHelper.exe
3432	DllHelper.exe
3432	DllHelper.exe
3432	DllHelper.exe
3432	DllHelper.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.execmd.exeDllHelper.exe

description	pid	process	target process
PID 4696 wrote to memory of 3988	4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	schtasks.exe
PID 4696 wrote to memory of 3988	4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	schtasks.exe
PID 4696 wrote to memory of 3988	4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	schtasks.exe
PID 4696 wrote to memory of 3432	4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	DllHelper.exe
PID 4696 wrote to memory of 3432	4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	DllHelper.exe
PID 4696 wrote to memory of 3432	4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	DllHelper.exe
PID 4696 wrote to memory of 3552	4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	cmd.exe
PID 4696 wrote to memory of 3552	4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	cmd.exe
PID 4696 wrote to memory of 3552	4696	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	cmd.exe
PID 3552 wrote to memory of 4228	3552	cmd.exe	chcp.com
PID 3552 wrote to memory of 4228	3552	cmd.exe	chcp.com
PID 3552 wrote to memory of 4228	3552	cmd.exe	chcp.com
PID 3552 wrote to memory of 4252	3552	cmd.exe	PING.EXE
PID 3552 wrote to memory of 4252	3552	cmd.exe	PING.EXE
PID 3552 wrote to memory of 4252	3552	cmd.exe	PING.EXE
PID 3432 wrote to memory of 4320	3432	DllHelper.exe	InstallUtil.exe
PID 3432 wrote to memory of 4320	3432	DllHelper.exe	InstallUtil.exe
PID 3432 wrote to memory of 4320	3432	DllHelper.exe	InstallUtil.exe
PID 3432 wrote to memory of 3652	3432	DllHelper.exe	InstallUtil.exe
PID 3432 wrote to memory of 3652	3432	DllHelper.exe	InstallUtil.exe
PID 3432 wrote to memory of 3652	3432	DllHelper.exe	InstallUtil.exe
PID 3432 wrote to memory of 3652	3432	DllHelper.exe	InstallUtil.exe
PID 3432 wrote to memory of 3652	3432	DllHelper.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
"C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"
2⤵
- Creates scheduled task(s)
PID:3988

C:\Users\Admin\AppVerif\DllHelper.exe
"C:\Users\Admin\AppVerif\DllHelper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:4228

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppVerif\DllHelper.exe
Filesize
814.2MB

MD5
a7642bf143166e8aac29866c72f9dd82

SHA1
288a71e4552432cfe7ea12560d2389d9729997e2

SHA256
c83b7d6c803e340dd170cfaf3c386e2822131680cb410ad5ff19304e0e44f7b4

SHA512
1fe315efd435f91166d7a9d3021ecc141e589715dd3da30e8f37dd0e7709e77a1839ac9a98cc72a4c4b685b3268042d4f0eb0cd8897d102cb3942df540bbf7b0

Download Submit
C:\Users\Admin\AppVerif\DllHelper.exe
Filesize
814.2MB

MD5
a7642bf143166e8aac29866c72f9dd82

SHA1
288a71e4552432cfe7ea12560d2389d9729997e2

SHA256
c83b7d6c803e340dd170cfaf3c386e2822131680cb410ad5ff19304e0e44f7b4

SHA512
1fe315efd435f91166d7a9d3021ecc141e589715dd3da30e8f37dd0e7709e77a1839ac9a98cc72a4c4b685b3268042d4f0eb0cd8897d102cb3942df540bbf7b0

Download Submit
memory/3432-235-0x0000000000010000-0x0000000000DD1000-memory.dmp

Filesize
13.8MB

Download
memory/3432-195-0x0000000000000000-mapping.dmp

Download
memory/3432-317-0x0000000000010000-0x0000000000DD1000-memory.dmp

Filesize
13.8MB

Download
memory/3432-310-0x0000000010DA0000-0x0000000010E18000-memory.dmp

Filesize
480KB

Download
memory/3432-306-0x0000000003520000-0x000000000368A000-memory.dmp

Filesize
1.4MB

Download
memory/3432-260-0x0000000002F70000-0x0000000003512000-memory.dmp

Filesize
5.6MB

Download
memory/3432-258-0x0000000000010000-0x0000000000DD1000-memory.dmp

Filesize
13.8MB

Download
memory/3552-226-0x0000000000000000-mapping.dmp

Download
memory/3652-378-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3652-346-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3988-192-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3988-191-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3988-190-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3988-189-0x0000000000000000-mapping.dmp

Download
memory/4228-237-0x0000000000000000-mapping.dmp

Download
memory/4252-245-0x0000000000000000-mapping.dmp

Download
memory/4696-159-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-168-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-134-0x0000000001190000-0x0000000001F51000-memory.dmp

Filesize
13.8MB

Download
memory/4696-135-0x0000000001190000-0x0000000001F51000-memory.dmp

Filesize
13.8MB

Download
memory/4696-138-0x0000000001190000-0x0000000001F51000-memory.dmp

Filesize
13.8MB

Download
memory/4696-139-0x0000000003360000-0x00000000038FF000-memory.dmp

Filesize
5.6MB

Download
memory/4696-140-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-142-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-145-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-144-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-143-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-146-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-148-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-149-0x0000000003900000-0x0000000003A64000-memory.dmp

Filesize
1.4MB

Download
memory/4696-147-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-150-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-151-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-152-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-153-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-154-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-155-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-156-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-157-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-158-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-132-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-160-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-162-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-161-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-163-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-164-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-165-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-166-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-167-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-133-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-169-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-170-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-171-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-172-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-173-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-174-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-175-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-176-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-178-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-177-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-179-0x0000000001190000-0x0000000001F51000-memory.dmp

Filesize
13.8MB

Download
memory/4696-180-0x0000000003360000-0x00000000038FF000-memory.dmp

Filesize
5.6MB

Download
memory/4696-181-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-182-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-183-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-131-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-130-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-129-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-184-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-185-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-186-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-187-0x0000000003900000-0x0000000003A64000-memory.dmp

Filesize
1.4MB

Download
memory/4696-188-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-231-0x0000000001190000-0x0000000001F51000-memory.dmp

Filesize
13.8MB

Download
memory/4696-128-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-127-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-126-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-124-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-125-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-122-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-123-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-121-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-120-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-119-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download