colibri | ffcd742b9d74fe93829e1b9955611e7cf9cd1e315776948a604a47cbd6aa6e93

General

Target

625ed8296450d13587142822e16d7d61.exe
Size

1.5MB
MD5

625ed8296450d13587142822e16d7d61
SHA1

ead1ac1c30fc324d24e3cc48c8ecc853a65b5f96
SHA256

ffcd742b9d74fe93829e1b9955611e7cf9cd1e315776948a604a47cbd6aa6e93
SHA512

56357e909af6010e4e36282e646fff87febe8b3942905c3d0a05b97b19be10aceaa4ba3465cd4280c80c5a037ed200291af2823dea680ec14774302162471187
SSDEEP

24576:L3m8i6zoGcFauvhT+elS5EH4LR40AFfThq7metAHEk:

Score

10^/10

colibri dcrat build1 infostealer loader persistence rat

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\lsass.exe\""	625ed8296450d13587142822e16d7d61.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	1540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	1540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	1540	schtasks.exe	83

Executes dropped EXE 3 IoCs

pid	Process
1204	lsass.exe
2376	tmp385.tmp.exe
3776	tmp385.tmp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	625ed8296450d13587142822e16d7d61.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	lsass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:/Users/Admin/AppData/Local/\\lsass.exe\""	625ed8296450d13587142822e16d7d61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:/Users/Admin/AppData/Local/\\lsass.exe\""	625ed8296450d13587142822e16d7d61.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 3776	2376	tmp385.tmp.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4940	schtasks.exe
4888	schtasks.exe
4960	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	625ed8296450d13587142822e16d7d61.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
908	625ed8296450d13587142822e16d7d61.exe
1204	lsass.exe
1204	lsass.exe
1204	lsass.exe
1204	lsass.exe
1204	lsass.exe
1204	lsass.exe
1204	lsass.exe
1204	lsass.exe
1204	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	908	625ed8296450d13587142822e16d7d61.exe
Token: SeDebugPrivilege	1204	lsass.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 4892	908	625ed8296450d13587142822e16d7d61.exe	87
PID 908 wrote to memory of 4892	908	625ed8296450d13587142822e16d7d61.exe	87
PID 4892 wrote to memory of 4040	4892	cmd.exe	89
PID 4892 wrote to memory of 4040	4892	cmd.exe	89
PID 4892 wrote to memory of 1204	4892	cmd.exe	90
PID 4892 wrote to memory of 1204	4892	cmd.exe	90
PID 1204 wrote to memory of 2376	1204	lsass.exe	91
PID 1204 wrote to memory of 2376	1204	lsass.exe	91
PID 1204 wrote to memory of 2376	1204	lsass.exe	91
PID 2376 wrote to memory of 3776	2376	tmp385.tmp.exe	93
PID 2376 wrote to memory of 3776	2376	tmp385.tmp.exe	93
PID 2376 wrote to memory of 3776	2376	tmp385.tmp.exe	93
PID 2376 wrote to memory of 3776	2376	tmp385.tmp.exe	93
PID 2376 wrote to memory of 3776	2376	tmp385.tmp.exe	93
PID 2376 wrote to memory of 3776	2376	tmp385.tmp.exe	93
PID 2376 wrote to memory of 3776	2376	tmp385.tmp.exe	93

C:\Users\Admin\AppData\Local\Temp\625ed8296450d13587142822e16d7d61.exe
"C:\Users\Admin\AppData\Local\Temp\625ed8296450d13587142822e16d7d61.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UL3T4xvBTm.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4040
- - C:\Users\Admin\AppData\Local\lsass.exe
    "C:/Users/Admin/AppData/Local/\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\tmp385.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp385.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Users\Admin\AppData\Local\Temp\tmp385.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp385.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:/Users/Admin/AppData/Local/\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:/Users/Admin/AppData/Local/\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UL3T4xvBTm.bat

Filesize
204B

MD5
63f5cda2aeea17c69d9ea3fd33c5b0c5

SHA1
ca933d1c2ec21404bda4c1f4946ead753ee4e3bb

SHA256
a766bc4323c2755a47d69d615d495c8a62d7758d12fc60d3ea8a0dd0bdbbc382

SHA512
07d865d55f134552b0388a9d8b3a4f096434cadfca161b098cb4df6784c2abdd538c4d2373292fac8cf9e4daf9ed0299759efbb86e1b20f630d539eb921441b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp385.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp385.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp385.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
1.5MB

MD5
625ed8296450d13587142822e16d7d61

SHA1
ead1ac1c30fc324d24e3cc48c8ecc853a65b5f96

SHA256
ffcd742b9d74fe93829e1b9955611e7cf9cd1e315776948a604a47cbd6aa6e93

SHA512
56357e909af6010e4e36282e646fff87febe8b3942905c3d0a05b97b19be10aceaa4ba3465cd4280c80c5a037ed200291af2823dea680ec14774302162471187

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
1.5MB

MD5
625ed8296450d13587142822e16d7d61

SHA1
ead1ac1c30fc324d24e3cc48c8ecc853a65b5f96

SHA256
ffcd742b9d74fe93829e1b9955611e7cf9cd1e315776948a604a47cbd6aa6e93

SHA512
56357e909af6010e4e36282e646fff87febe8b3942905c3d0a05b97b19be10aceaa4ba3465cd4280c80c5a037ed200291af2823dea680ec14774302162471187

Download Submit
memory/908-132-0x0000000000BA0000-0x0000000000D2E000-memory.dmp

Filesize
1.6MB

Download
memory/908-133-0x00007FFA96410000-0x00007FFA96ED1000-memory.dmp

Filesize
10.8MB

Download
memory/908-137-0x00007FFA96410000-0x00007FFA96ED1000-memory.dmp

Filesize
10.8MB

Download
memory/1204-141-0x00007FFA96410000-0x00007FFA96ED1000-memory.dmp

Filesize
10.8MB

Download
memory/1204-142-0x00007FFA96410000-0x00007FFA96ED1000-memory.dmp

Filesize
10.8MB

Download
memory/2376-146-0x0000000000990000-0x0000000000992000-memory.dmp

Filesize
8KB

Download
memory/3776-148-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3776-150-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads