colibri | 7fec96b393175e0d05708e9af6b1cd1f1b47d81368e64555fb730ddb3c51927b

Analysis

max time kernel
122s
max time network
133s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
08-02-2023 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
Size

8.2MB
MD5

3945a1aabe76ee6d60ccf79f24ca5487
SHA1

f524ed975bc76b1f8c1aee43b2a82c766778b3ee
SHA256

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e
SHA512

1f7cfde412bda3096bab0696b7b9de709b25d25b741e67140eb68a55b8e821a745f957a9e08aaefd1aa48ffd9bd1e395a615123607f67d0ac3f62c929776794a
SSDEEP

196608:YBz5EaignhjIfak4XMaiz8qL1HZiC1GnQmf4y:G5fhAanXMt8WRZp17q

Score

10^/10

colibri bot loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

bot

http://oraycdn.com/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Deletes itself 1 IoCs

pid	Process
1284	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
468	DllHelper.exe

Loads dropped DLL 2 IoCs

pid	Process
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
468	DllHelper.exe
468	DllHelper.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 468 set thread context of 1648	468	DllHelper.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1504	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2020	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
468	DllHelper.exe
468	DllHelper.exe
468	DllHelper.exe
468	DllHelper.exe
468	DllHelper.exe
468	DllHelper.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1504	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	28
PID 1208 wrote to memory of 1504	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	28
PID 1208 wrote to memory of 1504	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	28
PID 1208 wrote to memory of 1504	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	28
PID 1208 wrote to memory of 468	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	30
PID 1208 wrote to memory of 468	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	30
PID 1208 wrote to memory of 468	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	30
PID 1208 wrote to memory of 468	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	30
PID 1208 wrote to memory of 1284	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	31
PID 1208 wrote to memory of 1284	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	31
PID 1208 wrote to memory of 1284	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	31
PID 1208 wrote to memory of 1284	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	31
PID 1284 wrote to memory of 1652	1284	cmd.exe	33
PID 1284 wrote to memory of 1652	1284	cmd.exe	33
PID 1284 wrote to memory of 1652	1284	cmd.exe	33
PID 1284 wrote to memory of 1652	1284	cmd.exe	33
PID 1284 wrote to memory of 2020	1284	cmd.exe	34
PID 1284 wrote to memory of 2020	1284	cmd.exe	34
PID 1284 wrote to memory of 2020	1284	cmd.exe	34
PID 1284 wrote to memory of 2020	1284	cmd.exe	34
PID 468 wrote to memory of 1760	468	DllHelper.exe	35
PID 468 wrote to memory of 1760	468	DllHelper.exe	35
PID 468 wrote to memory of 1760	468	DllHelper.exe	35
PID 468 wrote to memory of 1760	468	DllHelper.exe	35
PID 468 wrote to memory of 1760	468	DllHelper.exe	35
PID 468 wrote to memory of 1760	468	DllHelper.exe	35
PID 468 wrote to memory of 1760	468	DllHelper.exe	35
PID 468 wrote to memory of 1648	468	DllHelper.exe	36
PID 468 wrote to memory of 1648	468	DllHelper.exe	36
PID 468 wrote to memory of 1648	468	DllHelper.exe	36
PID 468 wrote to memory of 1648	468	DllHelper.exe	36
PID 468 wrote to memory of 1648	468	DllHelper.exe	36
PID 468 wrote to memory of 1648	468	DllHelper.exe	36
PID 468 wrote to memory of 1648	468	DllHelper.exe	36
PID 468 wrote to memory of 1648	468	DllHelper.exe	36
PID 468 wrote to memory of 1648	468	DllHelper.exe	36

C:\Users\Admin\AppData\Local\Temp\06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
"C:\Users\Admin\AppData\Local\Temp\06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1504
- C:\Users\Admin\AppVerif\DllHelper.exe
  "C:\Users\Admin\AppVerif\DllHelper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:1760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppVerif\DllHelper.exe

Filesize
507.3MB

MD5
88cca7df20d1b1767ef14e62813966b1

SHA1
553792282a5431bdd5e02ee97eee79b5329de084

SHA256
5b3055d3f9b2bb7835c29751062f18ad044291fe3d3b6aa7639c8f358396182c

SHA512
2dd99c52d16cc35e8377ba2bc4de83b6b9c10358e1d7427f687da0732fdbee9ddcb326c736c3ba2c4b92ae6e0fac4dc0750638d07ffec1bfb2e96890a498f36e

Download Submit
C:\Users\Admin\AppVerif\DllHelper.exe

Filesize
447.2MB

MD5
ea7f8fe76d3dff6b29e0e755afd1c73e

SHA1
93c75531d56eeb4a81c35199886cd30d028b3102

SHA256
07ed198dcc845e109409acff9cc074518399fab5e378cfc51021ce1e94b40e1e

SHA512
54ca40b41ca67517ca47ed2dcec83ecbf4874a43e8fd8c759ae124bea064ed837c65a1225f6dcee91bbb7e20db26629978969f43d45e07bf896c0f8a031c95c9

Download Submit
\Users\Admin\AppVerif\DllHelper.exe

Filesize
462.1MB

MD5
40bb0bf74e0879b7be641b7815235534

SHA1
1c33323c990708472165365de436fbf0d59a87e4

SHA256
08dd6b00a9c56893d6d8a1c24cd7aa82656bed402490589685b78634e049c3e0

SHA512
27d1dbbe8b4288deb9cf43fdfdce98dc80f58acc1d199c6f8f8fbff4a0cce948c0859dc6ff07edb288d51025e33d90ce907853cd65b76dd94349b183765c3572

Download Submit
\Users\Admin\AppVerif\DllHelper.exe

Filesize
505.6MB

MD5
c2b1df931ce3d9e93093f35f2c7d36fd

SHA1
238c9c3f850129e2a7864402506da1d1520d6ead

SHA256
10c2d6775ad13be5a5674cc451775ba6ecbf1d486e35ecd4ccde64da313d6c29

SHA512
38f3aef27aa6732e87f74885138263a42ae196e4e9f3b1c97d542954d86db6d7f9ea054a17cc934bbb2067b813bc878769ea05d65fccda8664815df5bd98194e

Download Submit
memory/468-81-0x0000000002DC0000-0x0000000003359000-memory.dmp

Filesize
5.6MB

Download
memory/468-72-0x0000000000310000-0x00000000010C9000-memory.dmp

Filesize
13.7MB

Download
memory/468-92-0x0000000003360000-0x00000000034C1000-memory.dmp

Filesize
1.4MB

Download
memory/468-91-0x0000000000310000-0x00000000010C9000-memory.dmp

Filesize
13.7MB

Download
memory/468-86-0x00000000013C0000-0x0000000001438000-memory.dmp

Filesize
480KB

Download
memory/468-85-0x00000000013C0000-0x0000000001438000-memory.dmp

Filesize
480KB

Download
memory/468-84-0x0000000003360000-0x00000000034C1000-memory.dmp

Filesize
1.4MB

Download
memory/468-82-0x0000000003360000-0x00000000034C1000-memory.dmp

Filesize
1.4MB

Download
memory/468-80-0x0000000002DC0000-0x0000000003359000-memory.dmp

Filesize
5.6MB

Download
memory/468-74-0x0000000000310000-0x00000000010C9000-memory.dmp

Filesize
13.7MB

Download
memory/1208-58-0x0000000002C40000-0x00000000031D9000-memory.dmp

Filesize
5.6MB

Download
memory/1208-54-0x0000000000320000-0x00000000010D9000-memory.dmp

Filesize
13.7MB

Download
memory/1208-61-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1208-57-0x0000000002C40000-0x00000000031D9000-memory.dmp

Filesize
5.6MB

Download
memory/1208-62-0x0000000000320000-0x00000000010D9000-memory.dmp

Filesize
13.7MB

Download
memory/1208-77-0x0000000000320000-0x00000000010D9000-memory.dmp

Filesize
13.7MB

Download
memory/1208-63-0x0000000002C40000-0x00000000031D9000-memory.dmp

Filesize
5.6MB

Download
memory/1208-78-0x00000000031E0000-0x0000000003341000-memory.dmp

Filesize
1.4MB

Download
memory/1208-60-0x00000000031E0000-0x0000000003341000-memory.dmp

Filesize
1.4MB

Download
memory/1208-56-0x0000000000320000-0x00000000010D9000-memory.dmp

Filesize
13.7MB

Download
memory/1208-59-0x00000000031E0000-0x0000000003341000-memory.dmp

Filesize
1.4MB

Download
memory/1208-65-0x00000000031E0000-0x0000000003341000-memory.dmp

Filesize
1.4MB

Download
memory/1648-87-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1648-89-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1648-93-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download