colibri | fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5

General

Target

fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe
Size

294KB
MD5

16e8f1670668384884715f4efbbbebd1
SHA1

3f8bc0ef848ecebf1f6c24c47fcf8d225de20b60
SHA256

fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5
SHA512

72d25a5ebef7353fa7f9f62e4d58dfbaa9e248e0a6e035dd1455e174c7be0a79692d30e3a81d01ea80c4271aa77052ee83a032f46843285f02f95cf27f761b41
SSDEEP

3072:JOC+EnCeqk1oPh1MZf8EQ1DyWgi/ysf0eC:EYN9oJ1MZ0JGW5rfs

Score

10^/10

colibri raccoon build1 d6584fcd1734d77c0004e30a172dc0e0 loader stealer

Malware Config

Extracted

Family

raccoon

Botnet

d6584fcd1734d77c0004e30a172dc0e0

C2

http://84.32.188.111/

http://5.252.21.28/

http://87.120.254.71

rc4.plain

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 2 IoCs

Processes:

conhost.execonhost.exe

pid process

4112 conhost.exe
3808 conhost.exe

pid	process
4112	conhost.exe
3808	conhost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.execonhost.exe

description	pid	process	target process
PID 680 set thread context of 3212	680	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe
PID 4112 set thread context of 3808	4112	conhost.exe	conhost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.execonhost.exe

description	pid	process	target process
PID 680 wrote to memory of 4112	680	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe	conhost.exe
PID 680 wrote to memory of 4112	680	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe	conhost.exe
PID 680 wrote to memory of 4112	680	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe	conhost.exe
PID 680 wrote to memory of 3212	680	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe
PID 680 wrote to memory of 3212	680	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe
PID 680 wrote to memory of 3212	680	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe
PID 680 wrote to memory of 3212	680	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe
PID 680 wrote to memory of 3212	680	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe
PID 680 wrote to memory of 3212	680	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe
PID 680 wrote to memory of 3212	680	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe
PID 680 wrote to memory of 3212	680	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe
PID 680 wrote to memory of 3212	680	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe
PID 680 wrote to memory of 3212	680	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe	fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe
PID 4112 wrote to memory of 3808	4112	conhost.exe	conhost.exe
PID 4112 wrote to memory of 3808	4112	conhost.exe	conhost.exe
PID 4112 wrote to memory of 3808	4112	conhost.exe	conhost.exe
PID 4112 wrote to memory of 3808	4112	conhost.exe	conhost.exe
PID 4112 wrote to memory of 3808	4112	conhost.exe	conhost.exe
PID 4112 wrote to memory of 3808	4112	conhost.exe	conhost.exe
PID 4112 wrote to memory of 3808	4112	conhost.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe
"C:\Users\Admin\AppData\Local\Temp\fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:680

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4112

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
3⤵
- Executes dropped EXE
PID:3808

C:\Users\Admin\AppData\Local\Temp\fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe
"C:\Users\Admin\AppData\Local\Temp\fce7f27c7e2b58c267207aaf13c3a115f34487fd551aced03f85e2977c0932c5.exe"
2⤵
PID:3212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\conhost.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\ProgramData\conhost.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\ProgramData\conhost.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
memory/3212-134-0x0000000000000000-mapping.dmp

Download
memory/3212-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3212-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3212-144-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3808-141-0x0000000000000000-mapping.dmp

Download
memory/3808-142-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3808-145-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4112-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads