Overview

overview

10

Static

static

3d1551fcb9...87.exe

windows7-x64

10

3d1551fcb9...87.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3d1551fcb92caa336745b275ea357187.exe

  • Size

    2.7MB

  • Sample

    220924-f1z7aaafa7

  • MD5

    3d1551fcb92caa336745b275ea357187

  • SHA1

    38b8fe4cee22237d34cf27974edd82d1105c6bac

  • SHA256

    946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

  • SHA512

    b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

  • SSDEEP

    49152:BBZnUTbk3+q5cyOycEFE/7mdpDsDCtlToe7AhexA7s6Sjaw3mQf:BBZnUe+q5cyONzopoWt9oezxq83

Score
10/10
colibridcratbuild1infostealerloaderrat

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

    • Target

      3d1551fcb92caa336745b275ea357187.exe

    • Size

      2.7MB

    • MD5

      3d1551fcb92caa336745b275ea357187

    • SHA1

      38b8fe4cee22237d34cf27974edd82d1105c6bac

    • SHA256

      946714fa944cab2d100b25b5ce8dc8ae20d1d9a27c3e9c67ee2cd18d862d03af

    • SHA512

      b4d40905d2115ebc614b0b11a15f8b740040b4bebcc973e7d44dbddc58c6034f854e201b870c538f575c45b14935b2bde8e4ba58eb9043098788660ed2b35f0a

    • SSDEEP

      49152:BBZnUTbk3+q5cyOycEFE/7mdpDsDCtlToe7AhexA7s6Sjaw3mQf:BBZnUe+q5cyONzopoWt9oezxq83

    Score
    10/10
    dcratinfostealerratcolibribuild1loader

    • Colibri Loader

      A loader sold as MaaS first seen in August 2021.

      loadercolibri

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks