colibri | 43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668

Analysis

max time kernel
298s
max time network
302s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-11-2022 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe
Size

103KB
MD5

8d6adee8fa1857f69ccc8f24f2c55d7f
SHA1

2ede97f1824ad1769c82e7e310d2ebea1cc42378
SHA256

43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668
SHA512

890fef9e9a973d97c01081a38ceeb73dbfa46a7afc403942ea6fbcfe07b10a796d7c76eef3dca96d39a4a1609d65c7f7fc8ddf6c64f9ae1ee26a580cb8b5d547
SSDEEP

1536:UZtObhT75YJr3xpTatGRnT2tspkd1fdGA8OuGzfdAYKgQeYibmVcl:Xd75YJNpetGRT2tsps2OZYTib8Y

Score

10^/10

colibri bot loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

bot

http://45.15.156.28/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Suspicious use of SetThreadContext 1 IoCs

Processes:

43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe

description	pid	process	target process
PID 1468 set thread context of 584	1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe

pid	process
1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe
1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe
1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe

description pid process

Token: SeDebugPrivilege 1468 43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe

description	pid	process
Token: SeDebugPrivilege	1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe

description	pid	process	target process
PID 1468 wrote to memory of 1544	1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe	aspnet_compiler.exe
PID 1468 wrote to memory of 1544	1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe	aspnet_compiler.exe
PID 1468 wrote to memory of 1544	1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe	aspnet_compiler.exe
PID 1468 wrote to memory of 1544	1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe	aspnet_compiler.exe
PID 1468 wrote to memory of 584	1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe	aspnet_compiler.exe
PID 1468 wrote to memory of 584	1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe	aspnet_compiler.exe
PID 1468 wrote to memory of 584	1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe	aspnet_compiler.exe
PID 1468 wrote to memory of 584	1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe	aspnet_compiler.exe
PID 1468 wrote to memory of 584	1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe	aspnet_compiler.exe
PID 1468 wrote to memory of 584	1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe	aspnet_compiler.exe
PID 1468 wrote to memory of 584	1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe	aspnet_compiler.exe
PID 1468 wrote to memory of 584	1468	43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe
"C:\Users\Admin\AppData\Local\Temp\43b7540ae2db51334ea8078f165c2b2b4d395d895e053bca4100d2ecf2139668.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
2⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
2⤵
PID:584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-58-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/584-59-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/584-61-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/584-62-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/584-63-0x0000000000404EA5-mapping.dmp

Download
memory/584-65-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/584-66-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1468-54-0x0000000000900000-0x000000000091E000-memory.dmp

Filesize
120KB

Download
memory/1468-55-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/1468-56-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1468-57-0x0000000005900000-0x0000000005B10000-memory.dmp

Filesize
2.1MB

Download