colibri | 722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d

General

Target

722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe
Size

383KB
Sample

220920-rey8msdbh9
MD5

96b5dcad2ade88e0c99e84b4869224e7
SHA1

f23d4988ca9ef6fcf9e219dd249eff9988d5f7c5
SHA256

722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d
SHA512

8ed9e7fa921b1c75ac6aec5016c138f213b0ff6341d263783d716db530da076794336bc02d6c9b141850d0250bf11b60d0ac401425dbfd13d8904a359284fb85
SSDEEP

6144:9NYLVv8Annhw3I54dDhfZfx6k/ZuCsmK4XShgtf:tIidDBZflr

Score

10^/10

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Extracted

Family

warzonerat

C2

darkfox.ddns.net:443

Targets

- Target
  
  722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d.exe
- Size
  
  383KB
- MD5
  
  96b5dcad2ade88e0c99e84b4869224e7
- SHA1
  
  f23d4988ca9ef6fcf9e219dd249eff9988d5f7c5
- SHA256
  
  722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d
- SHA512
  
  8ed9e7fa921b1c75ac6aec5016c138f213b0ff6341d263783d716db530da076794336bc02d6c9b141850d0250bf11b60d0ac401425dbfd13d8904a359284fb85
- SSDEEP
  
  6144:9NYLVv8Annhw3I54dDhfZfx6k/ZuCsmK4XShgtf:tIidDBZflr
Score

10^/10

colibri warzonerat build1 infostealer loader persistence rat
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Colibri Loader

WarzoneRat, AveMaria

Warzone RAT payload

Executes dropped EXE

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2