colibri | 41b8e7e2d6b226268c3e95dc9ec3f897b60d3bc89daeb743eb585568ff034454

General

Target

mal.exe
Size

489KB
MD5

586a9c5e9e255f1153e3b8af5cc8daa7
SHA1

459cf021625581474a464271d98cd065c1bd4f17
SHA256

41b8e7e2d6b226268c3e95dc9ec3f897b60d3bc89daeb743eb585568ff034454
SHA512

ab0facd667688022d251dca8c1bfb43ddfad7b53609335dec6065e690a57ba4014d2198c56ce3f23b1c24b56c18ed1b58a1d02395bab5f97883e48f7913758c6
SSDEEP

3072:6VkgE+24QtMsYDJ0tqI6tQfX3C0slMpSHHYHbcuqXJIjG9kJjN2yDXuWdCPBnT9B:6VkA2x6tiXUMpGuwIq6tEyDeWWnJF

Score

10^/10

colibri marsstealer build1 default loader stealer

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Extracted

Family

marsstealer

Botnet

Default

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Executes dropped EXE 2 IoCs

Processes:

conhost.execonhost.exe

pid process

4172 conhost.exe
3692 conhost.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

conhost.exemal.exe

description pid process target process

PID 4172 set thread context of 3692 4172 conhost.exe conhost.exe
PID 920 set thread context of 2184 920 mal.exe mal.exe

pid	process
4172	conhost.exe
3692	conhost.exe

description	pid	process	target process
PID 4172 set thread context of 3692	4172	conhost.exe	conhost.exe
PID 920 set thread context of 2184	920	mal.exe	mal.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

mal.execonhost.exemal.exemal.exe

description	pid	process	target process
PID 2268 wrote to memory of 4172	2268	mal.exe	conhost.exe
PID 2268 wrote to memory of 4172	2268	mal.exe	conhost.exe
PID 2268 wrote to memory of 4172	2268	mal.exe	conhost.exe
PID 4172 wrote to memory of 3692	4172	conhost.exe	conhost.exe
PID 4172 wrote to memory of 3692	4172	conhost.exe	conhost.exe
PID 4172 wrote to memory of 3692	4172	conhost.exe	conhost.exe
PID 2268 wrote to memory of 3744	2268	mal.exe	mal.exe
PID 2268 wrote to memory of 3744	2268	mal.exe	mal.exe
PID 2268 wrote to memory of 3744	2268	mal.exe	mal.exe
PID 4172 wrote to memory of 3692	4172	conhost.exe	conhost.exe
PID 4172 wrote to memory of 3692	4172	conhost.exe	conhost.exe
PID 4172 wrote to memory of 3692	4172	conhost.exe	conhost.exe
PID 4172 wrote to memory of 3692	4172	conhost.exe	conhost.exe
PID 3744 wrote to memory of 920	3744	mal.exe	mal.exe
PID 3744 wrote to memory of 920	3744	mal.exe	mal.exe
PID 3744 wrote to memory of 920	3744	mal.exe	mal.exe
PID 920 wrote to memory of 2184	920	mal.exe	mal.exe
PID 920 wrote to memory of 2184	920	mal.exe	mal.exe
PID 920 wrote to memory of 2184	920	mal.exe	mal.exe
PID 920 wrote to memory of 2184	920	mal.exe	mal.exe
PID 920 wrote to memory of 2184	920	mal.exe	mal.exe
PID 920 wrote to memory of 2184	920	mal.exe	mal.exe
PID 920 wrote to memory of 2184	920	mal.exe	mal.exe
PID 920 wrote to memory of 2184	920	mal.exe	mal.exe
PID 920 wrote to memory of 2184	920	mal.exe	mal.exe
PID 920 wrote to memory of 2184	920	mal.exe	mal.exe

C:\Users\Admin\AppData\Local\Temp\mal.exe
"C:\Users\Admin\AppData\Local\Temp\mal.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4172

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
3⤵
- Executes dropped EXE
PID:3692

C:\Users\Admin\AppData\Local\Temp\mal.exe
"C:\Users\Admin\AppData\Local\Temp\mal.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\mal.exe
"C:\Users\Admin\AppData\Local\Temp\mal.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\Temp\mal.exe
"C:\Users\Admin\AppData\Local\Temp\mal.exe"
4⤵
PID:2184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\ProgramData\conhost.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/920-142-0x0000000000A5B000-0x0000000000A6E000-memory.dmp

Filesize
76KB

Download
memory/920-141-0x0000000000000000-mapping.dmp

Download
memory/2184-148-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2184-146-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2184-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2184-143-0x0000000000000000-mapping.dmp

Download
memory/2268-134-0x0000000001408000-0x000000000141B000-memory.dmp

Filesize
76KB

Download
memory/3692-137-0x0000000000000000-mapping.dmp

Download
memory/3692-138-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3692-147-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3744-136-0x0000000000000000-mapping.dmp

Download
memory/3744-140-0x000000000092B000-0x000000000093E000-memory.dmp

Filesize
76KB

Download
memory/4172-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads