colibri | dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8

General

Target

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
Size

8.2MB
MD5

c50570558f1fa95225c72ac974eb631a
SHA1

caf2081be16dd9738ae06e85b8464bbeaac1fef0
SHA256

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8
SHA512

e159c2f1c99a87c3aa47152edcd19145fec8b6fd06b3f65410487d0d7ba0b00b8e0fc1f2d4fdb26c9d425e1c2a216f7eb206f2d2086d100aa635b6102b894545
SSDEEP

196608:MS1SCw5ygwmaNPYL0q9aIeJhYDD8QWKaQ/s6HVf32gGgvHT4xt40aOgv:11SCw5umaetaIwYDIXQzf32sHTqt4j

Score

10^/10

colibri bot loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

bot

C2

http://oraycdn.com/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Executes dropped EXE 1 IoCs

Processes:

DllHelper.exe

pid process

2024 DllHelper.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1816 cmd.exe

pid	process
2024	DllHelper.exe

pid	process
1816	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe

pid	process
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exeDllHelper.exe

pid	process
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
2024	DllHelper.exe
2024	DllHelper.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DllHelper.exe

description pid process target process

PID 2024 set thread context of 860 2024 DllHelper.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2044 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1740 PING.EXE

description	pid	process	target process
PID 2024 set thread context of 860	2024	DllHelper.exe	InstallUtil.exe

pid	process
2044	schtasks.exe

pid	process
1740	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exeDllHelper.exe

pid	process
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
2024	DllHelper.exe
2024	DllHelper.exe
2024	DllHelper.exe
2024	DllHelper.exe
2024	DllHelper.exe
2024	DllHelper.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.execmd.exeDllHelper.exe

description	pid	process	target process
PID 1184 wrote to memory of 2044	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	schtasks.exe
PID 1184 wrote to memory of 2044	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	schtasks.exe
PID 1184 wrote to memory of 2044	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	schtasks.exe
PID 1184 wrote to memory of 2044	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	schtasks.exe
PID 1184 wrote to memory of 2024	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	DllHelper.exe
PID 1184 wrote to memory of 2024	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	DllHelper.exe
PID 1184 wrote to memory of 2024	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	DllHelper.exe
PID 1184 wrote to memory of 2024	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	DllHelper.exe
PID 1184 wrote to memory of 1816	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	cmd.exe
PID 1184 wrote to memory of 1816	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	cmd.exe
PID 1184 wrote to memory of 1816	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	cmd.exe
PID 1184 wrote to memory of 1816	1184	dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe	cmd.exe
PID 1816 wrote to memory of 1696	1816	cmd.exe	chcp.com
PID 1816 wrote to memory of 1696	1816	cmd.exe	chcp.com
PID 1816 wrote to memory of 1696	1816	cmd.exe	chcp.com
PID 1816 wrote to memory of 1696	1816	cmd.exe	chcp.com
PID 1816 wrote to memory of 1740	1816	cmd.exe	PING.EXE
PID 1816 wrote to memory of 1740	1816	cmd.exe	PING.EXE
PID 1816 wrote to memory of 1740	1816	cmd.exe	PING.EXE
PID 1816 wrote to memory of 1740	1816	cmd.exe	PING.EXE
PID 2024 wrote to memory of 860	2024	DllHelper.exe	InstallUtil.exe
PID 2024 wrote to memory of 860	2024	DllHelper.exe	InstallUtil.exe
PID 2024 wrote to memory of 860	2024	DllHelper.exe	InstallUtil.exe
PID 2024 wrote to memory of 860	2024	DllHelper.exe	InstallUtil.exe
PID 2024 wrote to memory of 860	2024	DllHelper.exe	InstallUtil.exe
PID 2024 wrote to memory of 860	2024	DllHelper.exe	InstallUtil.exe
PID 2024 wrote to memory of 860	2024	DllHelper.exe	InstallUtil.exe
PID 2024 wrote to memory of 860	2024	DllHelper.exe	InstallUtil.exe
PID 2024 wrote to memory of 860	2024	DllHelper.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
"C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"
2⤵
- Creates scheduled task(s)
PID:2044

C:\Users\Admin\AppVerif\DllHelper.exe
"C:\Users\Admin\AppVerif\DllHelper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1696

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1740

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppVerif\DllHelper.exe
Filesize
76.4MB

MD5
59b24b893297981df0b4aa8ff9a9731a

SHA1
376d7230097cc91852710e419bb99d0469c532fa

SHA256
d69d45832b18b41cb637dcfb63a2c1cf0d59cd11748f974bbebfb19a03aa31c0

SHA512
e22b98d7b30cbf6d7425cba0c1b316a5bbbb9ba111b7045ff2e8fd89b70545a30fb1883dd5ea6c674b99e0eade743f2d7f70a5a96e2173e3e3bfefdb59c30d79

Download Submit
C:\Users\Admin\AppVerif\DllHelper.exe
Filesize
88.0MB

MD5
0e8ec98c78d5a91e02f7580fbb6ec1a5

SHA1
c17c2004b34e991689870b63a502f55b91a2a226

SHA256
b9812d90aeb2172f456962903c49de817d355c284374a95ec859248e8ce904d7

SHA512
fa21a9287519057c164f1ae71a48bd4e527acb552e653f536b4ce45e363c563532d3a825b2d0e2cb0567bf58bcc0a0ef9cefe8c1bdefe9924a84b296e0e38f54

Download Submit
\Users\Admin\AppVerif\DllHelper.exe
Filesize
70.1MB

MD5
7b39c3c87fb325892e5e9cb350aab3b2

SHA1
019de63605b7fec2e657629d44546baeccc29291

SHA256
cf43e16a375eb2e8fe4aac756774ea7bfb7e5b492c05175d7bc5983d22657911

SHA512
d067c0a3764c46879d6f5c8cdc7452ca5b24bec2da1b9c7b4de5184fc7f5c01f5862128096906827922fff2cb64e83636ef201175aa39d72b04987dce94f2999

Download Submit
\Users\Admin\AppVerif\DllHelper.exe
Filesize
79.7MB

MD5
835abe040efafdc9394374accc926f65

SHA1
7a7f52063b3c9158643ad2bd3a126278e04d0cd1

SHA256
975011c36a5fa0f66869ca7b3894ae0b8515ed3057748990210a618cf4bb94c4

SHA512
eda587327f57177c6be865eeaa0be707b034d379bf59cf5f9a4536ff4d6d57b5e682e5c1498799b97d2a16032df13523beb27ae8ba98870257e485b30c950477

Download Submit
memory/860-94-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/860-88-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/860-90-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1184-58-0x0000000002BA0000-0x0000000003139000-memory.dmp

Filesize
5.6MB

Download
memory/1184-57-0x0000000002BA0000-0x0000000003139000-memory.dmp

Filesize
5.6MB

Download
memory/1184-64-0x0000000003140000-0x00000000032A1000-memory.dmp

Filesize
1.4MB

Download
memory/1184-62-0x0000000000290000-0x0000000001051000-memory.dmp

Filesize
13.8MB

Download
memory/1184-59-0x0000000003140000-0x00000000032A1000-memory.dmp

Filesize
1.4MB

Download
memory/1184-61-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1184-60-0x0000000003140000-0x00000000032A1000-memory.dmp

Filesize
1.4MB

Download
memory/1184-63-0x0000000002BA0000-0x0000000003139000-memory.dmp

Filesize
5.6MB

Download
memory/1184-56-0x0000000000290000-0x0000000001051000-memory.dmp

Filesize
13.8MB

Download
memory/1184-74-0x0000000003140000-0x00000000032A1000-memory.dmp

Filesize
1.4MB

Download
memory/1184-72-0x0000000000290000-0x0000000001051000-memory.dmp

Filesize
13.8MB

Download
memory/1184-54-0x0000000000290000-0x0000000001051000-memory.dmp

Filesize
13.8MB

Download
memory/1696-76-0x0000000000000000-mapping.dmp

Download
memory/1740-77-0x0000000000000000-mapping.dmp

Download
memory/1816-71-0x0000000000000000-mapping.dmp

Download
memory/2024-73-0x0000000000B10000-0x00000000018D1000-memory.dmp

Filesize
13.8MB

Download
memory/2024-79-0x0000000000B10000-0x00000000018D1000-memory.dmp

Filesize
13.8MB

Download
memory/2024-80-0x0000000000B10000-0x00000000018D1000-memory.dmp

Filesize
13.8MB

Download
memory/2024-81-0x0000000003040000-0x00000000035D9000-memory.dmp

Filesize
5.6MB

Download
memory/2024-82-0x0000000000770000-0x00000000008D1000-memory.dmp

Filesize
1.4MB

Download
memory/2024-85-0x0000000000770000-0x00000000008D1000-memory.dmp

Filesize
1.4MB

Download
memory/2024-84-0x000000000DE40000-0x000000000DEB8000-memory.dmp

Filesize
480KB

Download
memory/2024-86-0x0000000000B10000-0x00000000018D1000-memory.dmp

Filesize
13.8MB

Download
memory/2024-87-0x0000000003040000-0x00000000035D9000-memory.dmp

Filesize
5.6MB

Download
memory/2024-78-0x0000000003040000-0x00000000035D9000-memory.dmp

Filesize
5.6MB

Download
memory/2024-68-0x0000000000000000-mapping.dmp

Download
memory/2024-92-0x0000000000B10000-0x00000000018D1000-memory.dmp

Filesize
13.8MB

Download
memory/2024-93-0x0000000000770000-0x00000000008D1000-memory.dmp

Filesize
1.4MB

Download
memory/2044-65-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads