colibri | dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8

Resubmissions

29/11/2022, 17:41

221129-v9vqgsbb47 10

08/09/2022, 23:04

220908-22fpxsdbdn 10

Analysis

max time kernel
152s
max time network
161s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
Size

8.2MB
MD5

c50570558f1fa95225c72ac974eb631a
SHA1

caf2081be16dd9738ae06e85b8464bbeaac1fef0
SHA256

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8
SHA512

e159c2f1c99a87c3aa47152edcd19145fec8b6fd06b3f65410487d0d7ba0b00b8e0fc1f2d4fdb26c9d425e1c2a216f7eb206f2d2086d100aa635b6102b894545
SSDEEP

196608:MS1SCw5ygwmaNPYL0q9aIeJhYDD8QWKaQ/s6HVf32gGgvHT4xt40aOgv:11SCw5umaetaIwYDIXQzf32sHTqt4j

Score

10^/10

colibri bot loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

bot

http://oraycdn.com/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Executes dropped EXE 1 IoCs

pid	Process
2024	DllHelper.exe

Deletes itself 1 IoCs

pid	Process
1816	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
2024	DllHelper.exe
2024	DllHelper.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 860	2024	DllHelper.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2044	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1740	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
2024	DllHelper.exe
2024	DllHelper.exe
2024	DllHelper.exe
2024	DllHelper.exe
2024	DllHelper.exe
2024	DllHelper.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2044	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	26
PID 1184 wrote to memory of 2044	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	26
PID 1184 wrote to memory of 2044	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	26
PID 1184 wrote to memory of 2044	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	26
PID 1184 wrote to memory of 2024	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	28
PID 1184 wrote to memory of 2024	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	28
PID 1184 wrote to memory of 2024	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	28
PID 1184 wrote to memory of 2024	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	28
PID 1184 wrote to memory of 1816	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	29
PID 1184 wrote to memory of 1816	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	29
PID 1184 wrote to memory of 1816	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	29
PID 1184 wrote to memory of 1816	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	29
PID 1816 wrote to memory of 1696	1816	cmd.exe	31
PID 1816 wrote to memory of 1696	1816	cmd.exe	31
PID 1816 wrote to memory of 1696	1816	cmd.exe	31
PID 1816 wrote to memory of 1696	1816	cmd.exe	31
PID 1816 wrote to memory of 1740	1816	cmd.exe	32
PID 1816 wrote to memory of 1740	1816	cmd.exe	32
PID 1816 wrote to memory of 1740	1816	cmd.exe	32
PID 1816 wrote to memory of 1740	1816	cmd.exe	32
PID 2024 wrote to memory of 860	2024	DllHelper.exe	33
PID 2024 wrote to memory of 860	2024	DllHelper.exe	33
PID 2024 wrote to memory of 860	2024	DllHelper.exe	33
PID 2024 wrote to memory of 860	2024	DllHelper.exe	33
PID 2024 wrote to memory of 860	2024	DllHelper.exe	33
PID 2024 wrote to memory of 860	2024	DllHelper.exe	33
PID 2024 wrote to memory of 860	2024	DllHelper.exe	33
PID 2024 wrote to memory of 860	2024	DllHelper.exe	33
PID 2024 wrote to memory of 860	2024	DllHelper.exe	33

C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
"C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2044
- C:\Users\Admin\AppVerif\DllHelper.exe
  "C:\Users\Admin\AppVerif\DllHelper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppVerif\DllHelper.exe

Filesize
76.4MB

MD5
59b24b893297981df0b4aa8ff9a9731a

SHA1
376d7230097cc91852710e419bb99d0469c532fa

SHA256
d69d45832b18b41cb637dcfb63a2c1cf0d59cd11748f974bbebfb19a03aa31c0

SHA512
e22b98d7b30cbf6d7425cba0c1b316a5bbbb9ba111b7045ff2e8fd89b70545a30fb1883dd5ea6c674b99e0eade743f2d7f70a5a96e2173e3e3bfefdb59c30d79

Download Submit
C:\Users\Admin\AppVerif\DllHelper.exe

Filesize
88.0MB

MD5
0e8ec98c78d5a91e02f7580fbb6ec1a5

SHA1
c17c2004b34e991689870b63a502f55b91a2a226

SHA256
b9812d90aeb2172f456962903c49de817d355c284374a95ec859248e8ce904d7

SHA512
fa21a9287519057c164f1ae71a48bd4e527acb552e653f536b4ce45e363c563532d3a825b2d0e2cb0567bf58bcc0a0ef9cefe8c1bdefe9924a84b296e0e38f54

Download Submit
\Users\Admin\AppVerif\DllHelper.exe

Filesize
70.1MB

MD5
7b39c3c87fb325892e5e9cb350aab3b2

SHA1
019de63605b7fec2e657629d44546baeccc29291

SHA256
cf43e16a375eb2e8fe4aac756774ea7bfb7e5b492c05175d7bc5983d22657911

SHA512
d067c0a3764c46879d6f5c8cdc7452ca5b24bec2da1b9c7b4de5184fc7f5c01f5862128096906827922fff2cb64e83636ef201175aa39d72b04987dce94f2999

Download Submit
\Users\Admin\AppVerif\DllHelper.exe

Filesize
79.7MB

MD5
835abe040efafdc9394374accc926f65

SHA1
7a7f52063b3c9158643ad2bd3a126278e04d0cd1

SHA256
975011c36a5fa0f66869ca7b3894ae0b8515ed3057748990210a618cf4bb94c4

SHA512
eda587327f57177c6be865eeaa0be707b034d379bf59cf5f9a4536ff4d6d57b5e682e5c1498799b97d2a16032df13523beb27ae8ba98870257e485b30c950477

Download Submit
memory/860-94-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/860-88-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/860-90-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1184-58-0x0000000002BA0000-0x0000000003139000-memory.dmp

Filesize
5.6MB

Download
memory/1184-57-0x0000000002BA0000-0x0000000003139000-memory.dmp

Filesize
5.6MB

Download
memory/1184-64-0x0000000003140000-0x00000000032A1000-memory.dmp

Filesize
1.4MB

Download
memory/1184-62-0x0000000000290000-0x0000000001051000-memory.dmp

Filesize
13.8MB

Download
memory/1184-59-0x0000000003140000-0x00000000032A1000-memory.dmp

Filesize
1.4MB

Download
memory/1184-61-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1184-60-0x0000000003140000-0x00000000032A1000-memory.dmp

Filesize
1.4MB

Download
memory/1184-63-0x0000000002BA0000-0x0000000003139000-memory.dmp

Filesize
5.6MB

Download
memory/1184-56-0x0000000000290000-0x0000000001051000-memory.dmp

Filesize
13.8MB

Download
memory/1184-74-0x0000000003140000-0x00000000032A1000-memory.dmp

Filesize
1.4MB

Download
memory/1184-72-0x0000000000290000-0x0000000001051000-memory.dmp

Filesize
13.8MB

Download
memory/1184-54-0x0000000000290000-0x0000000001051000-memory.dmp

Filesize
13.8MB

Download
memory/2024-73-0x0000000000B10000-0x00000000018D1000-memory.dmp

Filesize
13.8MB

Download
memory/2024-79-0x0000000000B10000-0x00000000018D1000-memory.dmp

Filesize
13.8MB

Download
memory/2024-80-0x0000000000B10000-0x00000000018D1000-memory.dmp

Filesize
13.8MB

Download
memory/2024-81-0x0000000003040000-0x00000000035D9000-memory.dmp

Filesize
5.6MB

Download
memory/2024-82-0x0000000000770000-0x00000000008D1000-memory.dmp

Filesize
1.4MB

Download
memory/2024-85-0x0000000000770000-0x00000000008D1000-memory.dmp

Filesize
1.4MB

Download
memory/2024-84-0x000000000DE40000-0x000000000DEB8000-memory.dmp

Filesize
480KB

Download
memory/2024-86-0x0000000000B10000-0x00000000018D1000-memory.dmp

Filesize
13.8MB

Download
memory/2024-87-0x0000000003040000-0x00000000035D9000-memory.dmp

Filesize
5.6MB

Download
memory/2024-78-0x0000000003040000-0x00000000035D9000-memory.dmp

Filesize
5.6MB

Download
memory/2024-92-0x0000000000B10000-0x00000000018D1000-memory.dmp

Filesize
13.8MB

Download
memory/2024-93-0x0000000000770000-0x00000000008D1000-memory.dmp

Filesize
1.4MB

Download