Overview

overview

10

Static

static

jfilyg7.exe

windows7-x64

3

jfilyg7.exe

windows10-1703-x64

3

jfilyg7.exe

windows10-2004-x64

10

ЗАЯВА...ї.lnk

windows7-x64

3

ЗАЯВА...ї.lnk

windows10-1703-x64

3

ЗАЯВА...ї.lnk

windows10-2004-x64

7

ЗАЯВА...ж.doc

windows7-x64

4

ЗАЯВА...ж.doc

windows10-1703-x64

1

ЗАЯВА...ж.doc

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1c6643b479614340097a8071c9f880688af5a82db7b6e755beafe7301eea1abf

  • Size

    910KB

  • Sample

    220916-nvj7wafff5

  • MD5

    c0f5dfb2d983db6f8a851640dd40c5c8

  • SHA1

    335c639f2a43a3c8eaf66d08d4aa2c1e3563b981

  • SHA256

    1c6643b479614340097a8071c9f880688af5a82db7b6e755beafe7301eea1abf

  • SHA512

    b25e6babdc9c1338c43ca7fad17d42dbc91fac1c8320a5738997c4608758274ec6d4a8b08b370c773179f5038befa75118ca618946e4a701040f771e520df9ed

  • SSDEEP

    6144:UNYLVv8Annhw3I54dDhfZfx6k/ZuCsmK4XShgtf4:0IidDBZflr4

Score
10/10
colibriwarzoneratbuild1infostealerloaderpersistencerat

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Extracted

Family

warzonerat

C2

darkfox.ddns.net:443

Targets

    • Target

      jfilyg7.exe

    • Size

      383KB

    • MD5

      96b5dcad2ade88e0c99e84b4869224e7

    • SHA1

      f23d4988ca9ef6fcf9e219dd249eff9988d5f7c5

    • SHA256

      722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d

    • SHA512

      8ed9e7fa921b1c75ac6aec5016c138f213b0ff6341d263783d716db530da076794336bc02d6c9b141850d0250bf11b60d0ac401425dbfd13d8904a359284fb85

    • SSDEEP

      6144:9NYLVv8Annhw3I54dDhfZfx6k/ZuCsmK4XShgtf:tIidDBZflr

    Score
    10/10
    colibriwarzoneratbuild1infostealerloaderpersistencerat

    • Colibri Loader

      A loader sold as MaaS first seen in August 2021.

      loadercolibri

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT payload

      rat

    • Executes dropped EXE

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3

    • Target

      ЗАЯВА-на-отримання-компенсації.lnk

    • Size

      411KB

    • MD5

      c15aa00479cae0a8bae7c926d7fd8ba6

    • SHA1

      9c7c059e617380eb7bf5b5ae41b2874e2cf5111c

    • SHA256

      bc4cab14e4b378a7b98185367b4778f92eb4335faba1a4503f4cfb7aba8f13e7

    • SHA512

      79067ef1afbd879b3ab011354a626e567ebf463fd60f4c5d82c7332906fa4e6c9e85e8d33926cf7c2ed037a7b7eee92a4ce17020450442443740286efa4b2e72

    • SSDEEP

      24:8y+wj/erlZygbDhw+svWP2+sv30PvcNnCsCcOrAI+/1:8m/6lZWnrPccCssAI

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral4behavioral5behavioral6

    • Target

      ЗАЯВА/3_ЗАЯВА-на-отримання-компенсації-додаткової-знижки-сімям-загиблих2.doc

    • Size

      33KB

    • MD5

      9f194f11b527a774eacd27a033271d88

    • SHA1

      7878c28a865e582064d5b54e1caf18b4c9bc00d4

    • SHA256

      a5a20063c8699c66f5292ed1da7c860360baf6cf2a52f33c2c0b8873a995397c

    • SHA512

      6dd9e11d2d0c4bb8ceb851d2d896ff38d26fc045c44641c40ae1a4b0f47123f93f1de42058f2dedb02d73b3c66ef11b281086a427a663289ab8323080964cd26

    • SSDEEP

      384:xdMX1hEOC3GiyGcSdW+wRsCBItyP3v3zCDqxz99:HNAKCBd3ODqxz99

    Score
    4/10
    behavioral7behavioral8behavioral9

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks