General
-
Target
3fe1aeaec6e6923437807e0bfbb189be.exe
-
Size
4MB
-
Sample
221015-nrp9qafeeq
-
MD5
3fe1aeaec6e6923437807e0bfbb189be
-
SHA1
26c05ec60980095cd2dee6fb6d938fbf7a95150e
-
SHA256
95b1a76fab69f6b786489fdfad350b7165fba55ff478769be1a09d8e2987ddc0
-
SHA512
aa86a0632731484d730b6bb0794f0a1e4114498dcba8e2c47fac9f1ee534e125ebdef13fc9283696fee19c2ef4272c423d091b27585083ab03b70a151d2da5d7
-
SSDEEP
49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Targets
-
-
Target
3fe1aeaec6e6923437807e0bfbb189be.exe
-
Size
4MB
-
MD5
3fe1aeaec6e6923437807e0bfbb189be
-
SHA1
26c05ec60980095cd2dee6fb6d938fbf7a95150e
-
SHA256
95b1a76fab69f6b786489fdfad350b7165fba55ff478769be1a09d8e2987ddc0
-
SHA512
aa86a0632731484d730b6bb0794f0a1e4114498dcba8e2c47fac9f1ee534e125ebdef13fc9283696fee19c2ef4272c423d091b27585083ab03b70a151d2da5d7
-
SSDEEP
49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Score10/10-
Colibri Loader
A loader sold as MaaS first seen in August 2021.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation