colibri | e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062

Analysis

max time kernel
90s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2545131b7880bd854f3c9148277af024.exe
Size

292KB
MD5

2545131b7880bd854f3c9148277af024
SHA1

846cf8458ca76e9cc8092218006c0e5bb1a68e8c
SHA256

e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062
SHA512

c7a31f69621e60c1950f48c92c1633f2bee2f36adc8b5a2627d21dacda15f70d16f50b1a2dd3e575c7453380ca3c828cda8f86dda285e174af9f9944c42aa787
SSDEEP

3072:JOC+EnCeqk1oPh1MZf8EQ1DyWgi/ysf0e:EYN9oJ1MZ0JGW5rf

Score

10^/10

colibri raccoon build1 d6584fcd1734d77c0004e30a172dc0e0 loader stealer

Malware Config

Extracted

Family

raccoon

Botnet

d6584fcd1734d77c0004e30a172dc0e0

http://84.32.188.111/

http://5.252.21.28/

http://87.120.254.71

rc4.plain

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Executes dropped EXE 2 IoCs

pid	Process
544	conhost.exe
3548	conhost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2096 set thread context of 220	2096	2545131b7880bd854f3c9148277af024.exe	87
PID 544 set thread context of 3548	544	conhost.exe	88

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 544	2096	2545131b7880bd854f3c9148277af024.exe	86
PID 2096 wrote to memory of 544	2096	2545131b7880bd854f3c9148277af024.exe	86
PID 2096 wrote to memory of 544	2096	2545131b7880bd854f3c9148277af024.exe	86
PID 2096 wrote to memory of 220	2096	2545131b7880bd854f3c9148277af024.exe	87
PID 2096 wrote to memory of 220	2096	2545131b7880bd854f3c9148277af024.exe	87
PID 2096 wrote to memory of 220	2096	2545131b7880bd854f3c9148277af024.exe	87
PID 2096 wrote to memory of 220	2096	2545131b7880bd854f3c9148277af024.exe	87
PID 2096 wrote to memory of 220	2096	2545131b7880bd854f3c9148277af024.exe	87
PID 2096 wrote to memory of 220	2096	2545131b7880bd854f3c9148277af024.exe	87
PID 2096 wrote to memory of 220	2096	2545131b7880bd854f3c9148277af024.exe	87
PID 2096 wrote to memory of 220	2096	2545131b7880bd854f3c9148277af024.exe	87
PID 2096 wrote to memory of 220	2096	2545131b7880bd854f3c9148277af024.exe	87
PID 2096 wrote to memory of 220	2096	2545131b7880bd854f3c9148277af024.exe	87
PID 544 wrote to memory of 3548	544	conhost.exe	88
PID 544 wrote to memory of 3548	544	conhost.exe	88
PID 544 wrote to memory of 3548	544	conhost.exe	88
PID 544 wrote to memory of 3548	544	conhost.exe	88
PID 544 wrote to memory of 3548	544	conhost.exe	88
PID 544 wrote to memory of 3548	544	conhost.exe	88
PID 544 wrote to memory of 3548	544	conhost.exe	88

C:\Users\Admin\AppData\Local\Temp\2545131b7880bd854f3c9148277af024.exe
"C:\Users\Admin\AppData\Local\Temp\2545131b7880bd854f3c9148277af024.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2096
- C:\ProgramData\conhost.exe
  "C:\ProgramData\conhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\ProgramData\conhost.exe
    "C:\ProgramData\conhost.exe"
    3⤵
    - Executes dropped EXE
    PID:3548
- C:\Users\Admin\AppData\Local\Temp\2545131b7880bd854f3c9148277af024.exe
  "C:\Users\Admin\AppData\Local\Temp\2545131b7880bd854f3c9148277af024.exe"
  2⤵
  PID:220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\conhost.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\ProgramData\conhost.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\ProgramData\conhost.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
memory/220-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/220-141-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/220-144-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/544-135-0x0000000000BC0000-0x0000000000BC3000-memory.dmp

Filesize
12KB

Download
memory/3548-140-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3548-143-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads