colibri | e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062

General

Target

e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
Size

292KB
MD5

2545131b7880bd854f3c9148277af024
SHA1

846cf8458ca76e9cc8092218006c0e5bb1a68e8c
SHA256

e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062
SHA512

c7a31f69621e60c1950f48c92c1633f2bee2f36adc8b5a2627d21dacda15f70d16f50b1a2dd3e575c7453380ca3c828cda8f86dda285e174af9f9944c42aa787
SSDEEP

3072:JOC+EnCeqk1oPh1MZf8EQ1DyWgi/ysf0e:EYN9oJ1MZ0JGW5rf

Score

10^/10

colibri raccoon build1 d6584fcd1734d77c0004e30a172dc0e0 loader stealer

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Extracted

Family

raccoon

Botnet

d6584fcd1734d77c0004e30a172dc0e0

C2

http://84.32.188.111/

http://5.252.21.28/

http://87.120.254.71

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 2 IoCs

Processes:

conhost.execonhost.exe

pid process

4652 conhost.exe
4560 conhost.exe

pid	process
4652	conhost.exe
4560	conhost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

conhost.exee8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe

description	pid	process	target process
PID 4652 set thread context of 4560	4652	conhost.exe	conhost.exe
PID 2356 set thread context of 4544	2356	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.execonhost.exee8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe

description	pid	process	target process
PID 2132 wrote to memory of 4652	2132	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	conhost.exe
PID 2132 wrote to memory of 4652	2132	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	conhost.exe
PID 2132 wrote to memory of 4652	2132	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	conhost.exe
PID 2132 wrote to memory of 2356	2132	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
PID 2132 wrote to memory of 2356	2132	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
PID 2132 wrote to memory of 2356	2132	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
PID 4652 wrote to memory of 4560	4652	conhost.exe	conhost.exe
PID 4652 wrote to memory of 4560	4652	conhost.exe	conhost.exe
PID 4652 wrote to memory of 4560	4652	conhost.exe	conhost.exe
PID 4652 wrote to memory of 4560	4652	conhost.exe	conhost.exe
PID 4652 wrote to memory of 4560	4652	conhost.exe	conhost.exe
PID 4652 wrote to memory of 4560	4652	conhost.exe	conhost.exe
PID 4652 wrote to memory of 4560	4652	conhost.exe	conhost.exe
PID 2356 wrote to memory of 4544	2356	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
PID 2356 wrote to memory of 4544	2356	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
PID 2356 wrote to memory of 4544	2356	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
PID 2356 wrote to memory of 4544	2356	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
PID 2356 wrote to memory of 4544	2356	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
PID 2356 wrote to memory of 4544	2356	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
PID 2356 wrote to memory of 4544	2356	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
PID 2356 wrote to memory of 4544	2356	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
PID 2356 wrote to memory of 4544	2356	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
PID 2356 wrote to memory of 4544	2356	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe	e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe

C:\Users\Admin\AppData\Local\Temp\e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
"C:\Users\Admin\AppData\Local\Temp\e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4652

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
3⤵
- Executes dropped EXE
PID:4560

C:\Users\Admin\AppData\Local\Temp\e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
"C:\Users\Admin\AppData\Local\Temp\e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe
"C:\Users\Admin\AppData\Local\Temp\e8d1a8908e063d4b824cde1d0d0bdf812ace1e50000a4accddb8b306664b4062.exe"
3⤵
PID:4544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\conhost.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\ProgramData\conhost.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\ProgramData\conhost.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
memory/2356-135-0x0000000000000000-mapping.dmp

Download
memory/2356-139-0x0000000000A1F000-0x0000000000A32000-memory.dmp

Filesize
76KB

Download
memory/4544-140-0x0000000000000000-mapping.dmp

Download
memory/4544-141-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4544-143-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4544-145-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4560-137-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4560-136-0x0000000000000000-mapping.dmp

Download
memory/4560-144-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4652-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads