colibri | 7fec96b393175e0d05708e9af6b1cd1f1b47d81368e64555fb730ddb3c51927b | Triage

Sharing

General

Target

9066728701.zip
Size

8.0MB
Sample

230208-n23b2aaa8w
MD5

21bdb53f7d535eec8a1e162cd7f9139d
SHA1

ba46eaf7ef383411c7a58414599ba0c8c78f2733
SHA256

7fec96b393175e0d05708e9af6b1cd1f1b47d81368e64555fb730ddb3c51927b
SHA512

b7a5981b57df343a0438c032f73172b1ced9a0a496f18868764ac3f3c03a0923595a723a35de863c51fef1e85342ed229e97c4f610f373353e852f6ece096ee1
SSDEEP

196608:u5POTfgfamEKfiZzuDhjU7XG9K5ANMsANurDT8vWJAX:u5POjgCmXfiZzuNiG9tMsANu78P

Score

10^/10

colibri bot loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

bot

C2

http://oraycdn.com/gate.php

rc4.plain

Targets

- Target
  
  06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e
- Size
  
  8.2MB
- MD5
  
  3945a1aabe76ee6d60ccf79f24ca5487
- SHA1
  
  f524ed975bc76b1f8c1aee43b2a82c766778b3ee
- SHA256
  
  06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e
- SHA512
  
  1f7cfde412bda3096bab0696b7b9de709b25d25b741e67140eb68a55b8e821a745f957a9e08aaefd1aa48ffd9bd1e395a615123607f67d0ac3f62c929776794a
- SSDEEP
  
  196608:YBz5EaignhjIfak4XMaiz8qL1HZiC1GnQmf4y:G5fhAanXMt8WRZp17q
Score

10^/10

colibri bot loader
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

colibribotloader

behavioral2

colibribotloader