colibri | 1c6643b479614340097a8071c9f880688af5a82db7b6e755beafe7301eea1abf

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16/09/2022, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jfilyg7.exe
Size

383KB
MD5

96b5dcad2ade88e0c99e84b4869224e7
SHA1

f23d4988ca9ef6fcf9e219dd249eff9988d5f7c5
SHA256

722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d
SHA512

8ed9e7fa921b1c75ac6aec5016c138f213b0ff6341d263783d716db530da076794336bc02d6c9b141850d0250bf11b60d0ac401425dbfd13d8904a359284fb85
SSDEEP

6144:9NYLVv8Annhw3I54dDhfZfx6k/ZuCsmK4XShgtf:tIidDBZflr

Score

10^/10

colibri warzonerat build1 infostealer loader persistence rat

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Extracted

Family

warzonerat

darkfox.ddns.net:443

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 7 IoCs

rat

resource	yara_rule
behavioral3/memory/3600-142-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral3/memory/3600-144-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral3/memory/3600-146-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral3/memory/3600-150-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral3/memory/4964-156-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral3/memory/4964-157-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral3/memory/4964-160-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat

Executes dropped EXE 4 IoCs

pid	Process
1328	conhost.exe
2332	conhost.exe
4916	MSCommonDriver.exe
4964	MSCommonDriver.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	jfilyg7.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	jfilyg7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSCommonDriver = "C:\\Users\\Admin\\Documents\\MSCommonDriver.exe"	jfilyg7.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1328 set thread context of 2332	1328	conhost.exe	82
PID 2552 set thread context of 3600	2552	jfilyg7.exe	84
PID 4916 set thread context of 4964	4916	MSCommonDriver.exe	86

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	jfilyg7.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1328	1308	jfilyg7.exe	81
PID 1308 wrote to memory of 1328	1308	jfilyg7.exe	81
PID 1308 wrote to memory of 1328	1308	jfilyg7.exe	81
PID 1328 wrote to memory of 2332	1328	conhost.exe	82
PID 1328 wrote to memory of 2332	1328	conhost.exe	82
PID 1328 wrote to memory of 2332	1328	conhost.exe	82
PID 1308 wrote to memory of 2552	1308	jfilyg7.exe	83
PID 1308 wrote to memory of 2552	1308	jfilyg7.exe	83
PID 1308 wrote to memory of 2552	1308	jfilyg7.exe	83
PID 1328 wrote to memory of 2332	1328	conhost.exe	82
PID 1328 wrote to memory of 2332	1328	conhost.exe	82
PID 1328 wrote to memory of 2332	1328	conhost.exe	82
PID 1328 wrote to memory of 2332	1328	conhost.exe	82
PID 2552 wrote to memory of 3600	2552	jfilyg7.exe	84
PID 2552 wrote to memory of 3600	2552	jfilyg7.exe	84
PID 2552 wrote to memory of 3600	2552	jfilyg7.exe	84
PID 2552 wrote to memory of 3600	2552	jfilyg7.exe	84
PID 2552 wrote to memory of 3600	2552	jfilyg7.exe	84
PID 2552 wrote to memory of 3600	2552	jfilyg7.exe	84
PID 2552 wrote to memory of 3600	2552	jfilyg7.exe	84
PID 2552 wrote to memory of 3600	2552	jfilyg7.exe	84
PID 2552 wrote to memory of 3600	2552	jfilyg7.exe	84
PID 2552 wrote to memory of 3600	2552	jfilyg7.exe	84
PID 2552 wrote to memory of 3600	2552	jfilyg7.exe	84
PID 3600 wrote to memory of 4916	3600	jfilyg7.exe	85
PID 3600 wrote to memory of 4916	3600	jfilyg7.exe	85
PID 3600 wrote to memory of 4916	3600	jfilyg7.exe	85
PID 4916 wrote to memory of 4964	4916	MSCommonDriver.exe	86
PID 4916 wrote to memory of 4964	4916	MSCommonDriver.exe	86
PID 4916 wrote to memory of 4964	4916	MSCommonDriver.exe	86
PID 4916 wrote to memory of 4964	4916	MSCommonDriver.exe	86
PID 4916 wrote to memory of 4964	4916	MSCommonDriver.exe	86
PID 4916 wrote to memory of 4964	4916	MSCommonDriver.exe	86
PID 4916 wrote to memory of 4964	4916	MSCommonDriver.exe	86
PID 4916 wrote to memory of 4964	4916	MSCommonDriver.exe	86
PID 4916 wrote to memory of 4964	4916	MSCommonDriver.exe	86
PID 4916 wrote to memory of 4964	4916	MSCommonDriver.exe	86
PID 4916 wrote to memory of 4964	4916	MSCommonDriver.exe	86
PID 4964 wrote to memory of 2708	4964	MSCommonDriver.exe	89
PID 4964 wrote to memory of 2708	4964	MSCommonDriver.exe	89
PID 4964 wrote to memory of 2708	4964	MSCommonDriver.exe	89
PID 4964 wrote to memory of 2708	4964	MSCommonDriver.exe	89
PID 4964 wrote to memory of 2708	4964	MSCommonDriver.exe	89

C:\Users\Admin\AppData\Local\Temp\jfilyg7.exe
"C:\Users\Admin\AppData\Local\Temp\jfilyg7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1308
- C:\ProgramData\conhost.exe
  "C:\ProgramData\conhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\ProgramData\conhost.exe
    "C:\ProgramData\conhost.exe"
    3⤵
    - Executes dropped EXE
    PID:2332
- C:\Users\Admin\AppData\Local\Temp\jfilyg7.exe
  "C:\Users\Admin\AppData\Local\Temp\jfilyg7.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\jfilyg7.exe
    "C:\Users\Admin\AppData\Local\Temp\jfilyg7.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Users\Admin\Documents\MSCommonDriver.exe
      "C:\Users\Admin\Documents\MSCommonDriver.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Users\Admin\Documents\MSCommonDriver.exe
        
        "C:\Users\Admin\Documents\MSCommonDriver.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        6⤵
        
        PID:2708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\conhost.exe

Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\ProgramData\conhost.exe

Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\ProgramData\conhost.exe

Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\Documents\MSCommonDriver.exe

Filesize
383KB

MD5
96b5dcad2ade88e0c99e84b4869224e7

SHA1
f23d4988ca9ef6fcf9e219dd249eff9988d5f7c5

SHA256
722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d

SHA512
8ed9e7fa921b1c75ac6aec5016c138f213b0ff6341d263783d716db530da076794336bc02d6c9b141850d0250bf11b60d0ac401425dbfd13d8904a359284fb85

Download Submit
C:\Users\Admin\Documents\MSCommonDriver.exe

Filesize
383KB

MD5
96b5dcad2ade88e0c99e84b4869224e7

SHA1
f23d4988ca9ef6fcf9e219dd249eff9988d5f7c5

SHA256
722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d

SHA512
8ed9e7fa921b1c75ac6aec5016c138f213b0ff6341d263783d716db530da076794336bc02d6c9b141850d0250bf11b60d0ac401425dbfd13d8904a359284fb85

Download Submit
C:\Users\Admin\Documents\MSCommonDriver.exe

Filesize
383KB

MD5
96b5dcad2ade88e0c99e84b4869224e7

SHA1
f23d4988ca9ef6fcf9e219dd249eff9988d5f7c5

SHA256
722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d

SHA512
8ed9e7fa921b1c75ac6aec5016c138f213b0ff6341d263783d716db530da076794336bc02d6c9b141850d0250bf11b60d0ac401425dbfd13d8904a359284fb85

Download Submit
memory/1308-133-0x0000000001146000-0x0000000001154000-memory.dmp

Filesize
56KB

Download
memory/2332-145-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2332-138-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2552-139-0x00000000006C7000-0x00000000006D5000-memory.dmp

Filesize
56KB

Download
memory/2708-159-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/3600-150-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/3600-144-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/3600-142-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/3600-146-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4916-151-0x0000000000F46000-0x0000000000F54000-memory.dmp

Filesize
56KB

Download
memory/4964-156-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4964-157-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4964-160-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads