colibri | 148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1

General

Target

148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1.exe
Size

2.0MB
Sample

221020-3g7hksbbgl
MD5

443880cbb37d23e8c3846e0b3c7f7358
SHA1

0824425675beced43463ee3943f745f4dd4f9110
SHA256

148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1
SHA512

5ca14e9a0ab251e30deb47383f20f8d288e34086bbf2e75438e6907e31e9128a49373dba29cedaef95e5cb228efdd69b39a4e14ef761b7d95dabd3b33ad0c766
SSDEEP

24576:CNhI4oUnscbH/4IhUaTkO4yMFBSPQh6PTntnjjgRGVDkkahscbqk9zDRXq6LYsU/:MXHw+UBT6Ld/9Ss8DxxL7dEMZ

Score

10^/10

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Targets

- Target
  
  148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1.exe
- Size
  
  2.0MB
- MD5
  
  443880cbb37d23e8c3846e0b3c7f7358
- SHA1
  
  0824425675beced43463ee3943f745f4dd4f9110
- SHA256
  
  148d9ed52b15aa29e6a5d501cd575bd119039ffc2051b7ef47b33bce13dc8ec1
- SHA512
  
  5ca14e9a0ab251e30deb47383f20f8d288e34086bbf2e75438e6907e31e9128a49373dba29cedaef95e5cb228efdd69b39a4e14ef761b7d95dabd3b33ad0c766
- SSDEEP
  
  24576:CNhI4oUnscbH/4IhUaTkO4yMFBSPQh6PTntnjjgRGVDkkahscbqk9zDRXq6LYsU/:MXHw+UBT6Ld/9Ss8DxxL7dEMZ
Score

10^/10

dcrat infostealer rat colibri build1 loader spyware stealer
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2