General
-
Target
722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe
-
Size
383KB
-
Sample
220920-rey8msdbh9
-
MD5
96b5dcad2ade88e0c99e84b4869224e7
-
SHA1
f23d4988ca9ef6fcf9e219dd249eff9988d5f7c5
-
SHA256
722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d
-
SHA512
8ed9e7fa921b1c75ac6aec5016c138f213b0ff6341d263783d716db530da076794336bc02d6c9b141850d0250bf11b60d0ac401425dbfd13d8904a359284fb85
-
SSDEEP
6144:9NYLVv8Annhw3I54dDhfZfx6k/ZuCsmK4XShgtf:tIidDBZflr
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Extracted
warzonerat
darkfox.ddns.net:443
Targets
-
-
Target
722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe
-
Size
383KB
-
MD5
96b5dcad2ade88e0c99e84b4869224e7
-
SHA1
f23d4988ca9ef6fcf9e219dd249eff9988d5f7c5
-
SHA256
722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d
-
SHA512
8ed9e7fa921b1c75ac6aec5016c138f213b0ff6341d263783d716db530da076794336bc02d6c9b141850d0250bf11b60d0ac401425dbfd13d8904a359284fb85
-
SSDEEP
6144:9NYLVv8Annhw3I54dDhfZfx6k/ZuCsmK4XShgtf:tIidDBZflr
Score10/10-
Colibri Loader
A loader sold as MaaS first seen in August 2021.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Executes dropped EXE
-
Drops startup file
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation