General
-
Target
06cb1bb9f65f954677aa5e66cfecad10.exe
-
Size
4.9MB
-
Sample
221014-yd3yrsecfj
-
MD5
06cb1bb9f65f954677aa5e66cfecad10
-
SHA1
7226decd411a371d2727b8b6742f578425b0a7c2
-
SHA256
4faa19632922332b8aedd25006c9c3349bcb9f2bf24bf116857258a7769efbf0
-
SHA512
ea81cca73a9abad99666e974ae73b9cc38d19fa666b0914d518dee731eab4ed2ed3b7797f453db2f0f22ce6cdc2866591ac0cc56aa01d7530b29e30da8cc098b
-
SSDEEP
49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Targets
-
-
Target
06cb1bb9f65f954677aa5e66cfecad10.exe
-
Size
4.9MB
-
MD5
06cb1bb9f65f954677aa5e66cfecad10
-
SHA1
7226decd411a371d2727b8b6742f578425b0a7c2
-
SHA256
4faa19632922332b8aedd25006c9c3349bcb9f2bf24bf116857258a7769efbf0
-
SHA512
ea81cca73a9abad99666e974ae73b9cc38d19fa666b0914d518dee731eab4ed2ed3b7797f453db2f0f22ce6cdc2866591ac0cc56aa01d7530b29e30da8cc098b
-
SSDEEP
49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Score10/10-
Colibri Loader
A loader sold as MaaS first seen in August 2021.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-