Extracted

Extracted

• • Target

    invoice.xll

  • Size

    597KB

  • MD5

    d9efc163b90630251fb7ff7c822e8f0f

  • SHA1

    9e09cce65d2371bc95e213a9007337933b11c3f9

  • SHA256

    6e68bcd52321a8d0443d5c5d6131410c07ef44a8cb3388550f78a3dea303e840

  • SHA512

    33bef8014ce017591e79e7642ab3d0c48306cb1b98b254c9a0aa4aa07f1ddce696ddfb4e89e0d230d7f2ae535db58a133797280bfd26d41c69588e396a3a5031

  • SSDEEP

    12288:xn/zDvGHAykHSzLW/4+8bzbBSreMdbYkBkgFK/UqW:lzbGHAzHAjX1IqcL

  Score

  10^/10

  colibriexploitsloader

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Uses the VBS compiler for execution

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of SetThreadContext

  behavioral1behavioral2