General

  • Target

    f0c0bd9f2464a22b26cd1e59f061c301.exe

  • Size

    2MB

  • Sample

    221001-e1cwbafdf2

  • MD5

    f0c0bd9f2464a22b26cd1e59f061c301

  • SHA1

    9f4af038778fd91eb409c774c88325d23cf48c26

  • SHA256

    0eb58b723318b8746280abd3d278a6325deba933c67d41cf638aa89244d6c3c7

  • SHA512

    090872ec9db441be82172fe4b093ec0f6b55183341fea747e8ea66591aa81422e69d2b5d227369b22f7088a7d9d8eeb0fdd0d4818072372032425d2c321e0748

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

    • Target

      f0c0bd9f2464a22b26cd1e59f061c301.exe

    • Size

      2MB

    • MD5

      f0c0bd9f2464a22b26cd1e59f061c301

    • SHA1

      9f4af038778fd91eb409c774c88325d23cf48c26

    • SHA256

      0eb58b723318b8746280abd3d278a6325deba933c67d41cf638aa89244d6c3c7

    • SHA512

      090872ec9db441be82172fe4b093ec0f6b55183341fea747e8ea66591aa81422e69d2b5d227369b22f7088a7d9d8eeb0fdd0d4818072372032425d2c321e0748

    • Colibri Loader

      A loader sold as MaaS first seen in August 2021.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

      Execution

        Exfiltration

          Impact

            Initial Access

              Lateral Movement

                Persistence

                  Privilege Escalation