colibri | fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5 | Triage

Sharing

General

Target

fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5
Size

294KB
Sample

221013-b6tjgaadbl
MD5

16e8f1670668384884715f4efbbbebd1
SHA1

3f8bc0ef848ecebf1f6c24c47fcf8d225de20b60
SHA256

fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5
SHA512

72d25a5ebef7353fa7f9f62e4d58dfbaa9e248e0a6e035dd1455e174c7be0a79692d30e3a81d01ea80c4271aa77052ee83a032f46843285f02f95cf27f761b41
SSDEEP

3072:JOC+EnCeqk1oPh1MZf8EQ1DyWgi/ysf0eC:EYN9oJ1MZ0JGW5rfs

Score

10^/10

colibri raccoon build1 d6584fcd1734d77c0004e30a172dc0e0 loader stealer

Malware Config

Extracted

Family

raccoon

Botnet

d6584fcd1734d77c0004e30a172dc0e0

C2

http://84.32.188.111/

http://5.252.21.28/

http://87.120.254.71

rc4.plain

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5
- Size
  
  294KB
- MD5
  
  16e8f1670668384884715f4efbbbebd1
- SHA1
  
  3f8bc0ef848ecebf1f6c24c47fcf8d225de20b60
- SHA256
  
  fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5
- SHA512
  
  72d25a5ebef7353fa7f9f62e4d58dfbaa9e248e0a6e035dd1455e174c7be0a79692d30e3a81d01ea80c4271aa77052ee83a032f46843285f02f95cf27f761b41
- SSDEEP
  
  3072:JOC+EnCeqk1oPh1MZf8EQ1DyWgi/ysf0eC:EYN9oJ1MZ0JGW5rfs
Score

10^/10

colibri raccoon build1 d6584fcd1734d77c0004e30a172dc0e0 loader stealer
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

colibriraccoonbuild1d6584fcd1734d77c0004e30a172dc0e0loaderstealer