colibri | 7fec96b393175e0d05708e9af6b1cd1f1b47d81368e64555fb730ddb3c51927b

General

Target

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
Size

8.2MB
MD5

3945a1aabe76ee6d60ccf79f24ca5487
SHA1

f524ed975bc76b1f8c1aee43b2a82c766778b3ee
SHA256

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e
SHA512

1f7cfde412bda3096bab0696b7b9de709b25d25b741e67140eb68a55b8e821a745f957a9e08aaefd1aa48ffd9bd1e395a615123607f67d0ac3f62c929776794a
SSDEEP

196608:YBz5EaignhjIfak4XMaiz8qL1HZiC1GnQmf4y:G5fhAanXMt8WRZp17q

Score

10^/10

colibri bot loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

bot

C2

http://oraycdn.com/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1284 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

DllHelper.exe

pid process

468 DllHelper.exe

pid	process
1284	cmd.exe

pid	process
468	DllHelper.exe

Loads dropped DLL 2 IoCs

Processes:

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe

pid	process
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exeDllHelper.exe

pid	process
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
468	DllHelper.exe
468	DllHelper.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DllHelper.exe

description pid process target process

PID 468 set thread context of 1648 468 DllHelper.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1504 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2020 PING.EXE

description	pid	process	target process
PID 468 set thread context of 1648	468	DllHelper.exe	InstallUtil.exe

pid	process
1504	schtasks.exe

pid	process
2020	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exeDllHelper.exe

pid	process
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
468	DllHelper.exe
468	DllHelper.exe
468	DllHelper.exe
468	DllHelper.exe
468	DllHelper.exe
468	DllHelper.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.execmd.exeDllHelper.exe

description	pid	process	target process
PID 1208 wrote to memory of 1504	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	schtasks.exe
PID 1208 wrote to memory of 1504	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	schtasks.exe
PID 1208 wrote to memory of 1504	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	schtasks.exe
PID 1208 wrote to memory of 1504	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	schtasks.exe
PID 1208 wrote to memory of 468	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	DllHelper.exe
PID 1208 wrote to memory of 468	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	DllHelper.exe
PID 1208 wrote to memory of 468	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	DllHelper.exe
PID 1208 wrote to memory of 468	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	DllHelper.exe
PID 1208 wrote to memory of 1284	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	cmd.exe
PID 1208 wrote to memory of 1284	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	cmd.exe
PID 1208 wrote to memory of 1284	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	cmd.exe
PID 1208 wrote to memory of 1284	1208	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	cmd.exe
PID 1284 wrote to memory of 1652	1284	cmd.exe	chcp.com
PID 1284 wrote to memory of 1652	1284	cmd.exe	chcp.com
PID 1284 wrote to memory of 1652	1284	cmd.exe	chcp.com
PID 1284 wrote to memory of 1652	1284	cmd.exe	chcp.com
PID 1284 wrote to memory of 2020	1284	cmd.exe	PING.EXE
PID 1284 wrote to memory of 2020	1284	cmd.exe	PING.EXE
PID 1284 wrote to memory of 2020	1284	cmd.exe	PING.EXE
PID 1284 wrote to memory of 2020	1284	cmd.exe	PING.EXE
PID 468 wrote to memory of 1760	468	DllHelper.exe	InstallUtil.exe
PID 468 wrote to memory of 1760	468	DllHelper.exe	InstallUtil.exe
PID 468 wrote to memory of 1760	468	DllHelper.exe	InstallUtil.exe
PID 468 wrote to memory of 1760	468	DllHelper.exe	InstallUtil.exe
PID 468 wrote to memory of 1760	468	DllHelper.exe	InstallUtil.exe
PID 468 wrote to memory of 1760	468	DllHelper.exe	InstallUtil.exe
PID 468 wrote to memory of 1760	468	DllHelper.exe	InstallUtil.exe
PID 468 wrote to memory of 1648	468	DllHelper.exe	InstallUtil.exe
PID 468 wrote to memory of 1648	468	DllHelper.exe	InstallUtil.exe
PID 468 wrote to memory of 1648	468	DllHelper.exe	InstallUtil.exe
PID 468 wrote to memory of 1648	468	DllHelper.exe	InstallUtil.exe
PID 468 wrote to memory of 1648	468	DllHelper.exe	InstallUtil.exe
PID 468 wrote to memory of 1648	468	DllHelper.exe	InstallUtil.exe
PID 468 wrote to memory of 1648	468	DllHelper.exe	InstallUtil.exe
PID 468 wrote to memory of 1648	468	DllHelper.exe	InstallUtil.exe
PID 468 wrote to memory of 1648	468	DllHelper.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
"C:\Users\Admin\AppData\Local\Temp\06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"
2⤵
- Creates scheduled task(s)
PID:1504

C:\Users\Admin\AppVerif\DllHelper.exe
"C:\Users\Admin\AppVerif\DllHelper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1652

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppVerif\DllHelper.exe
Filesize
507.3MB

MD5
88cca7df20d1b1767ef14e62813966b1

SHA1
553792282a5431bdd5e02ee97eee79b5329de084

SHA256
5b3055d3f9b2bb7835c29751062f18ad044291fe3d3b6aa7639c8f358396182c

SHA512
2dd99c52d16cc35e8377ba2bc4de83b6b9c10358e1d7427f687da0732fdbee9ddcb326c736c3ba2c4b92ae6e0fac4dc0750638d07ffec1bfb2e96890a498f36e

Download Submit
C:\Users\Admin\AppVerif\DllHelper.exe
Filesize
447.2MB

MD5
ea7f8fe76d3dff6b29e0e755afd1c73e

SHA1
93c75531d56eeb4a81c35199886cd30d028b3102

SHA256
07ed198dcc845e109409acff9cc074518399fab5e378cfc51021ce1e94b40e1e

SHA512
54ca40b41ca67517ca47ed2dcec83ecbf4874a43e8fd8c759ae124bea064ed837c65a1225f6dcee91bbb7e20db26629978969f43d45e07bf896c0f8a031c95c9

Download Submit
\Users\Admin\AppVerif\DllHelper.exe
Filesize
462.1MB

MD5
40bb0bf74e0879b7be641b7815235534

SHA1
1c33323c990708472165365de436fbf0d59a87e4

SHA256
08dd6b00a9c56893d6d8a1c24cd7aa82656bed402490589685b78634e049c3e0

SHA512
27d1dbbe8b4288deb9cf43fdfdce98dc80f58acc1d199c6f8f8fbff4a0cce948c0859dc6ff07edb288d51025e33d90ce907853cd65b76dd94349b183765c3572

Download Submit
\Users\Admin\AppVerif\DllHelper.exe
Filesize
505.6MB

MD5
c2b1df931ce3d9e93093f35f2c7d36fd

SHA1
238c9c3f850129e2a7864402506da1d1520d6ead

SHA256
10c2d6775ad13be5a5674cc451775ba6ecbf1d486e35ecd4ccde64da313d6c29

SHA512
38f3aef27aa6732e87f74885138263a42ae196e4e9f3b1c97d542954d86db6d7f9ea054a17cc934bbb2067b813bc878769ea05d65fccda8664815df5bd98194e

Download Submit
memory/468-81-0x0000000002DC0000-0x0000000003359000-memory.dmp

Filesize
5.6MB

Download
memory/468-72-0x0000000000310000-0x00000000010C9000-memory.dmp

Filesize
13.7MB

Download
memory/468-92-0x0000000003360000-0x00000000034C1000-memory.dmp

Filesize
1.4MB

Download
memory/468-91-0x0000000000310000-0x00000000010C9000-memory.dmp

Filesize
13.7MB

Download
memory/468-86-0x00000000013C0000-0x0000000001438000-memory.dmp

Filesize
480KB

Download
memory/468-85-0x00000000013C0000-0x0000000001438000-memory.dmp

Filesize
480KB

Download
memory/468-84-0x0000000003360000-0x00000000034C1000-memory.dmp

Filesize
1.4MB

Download
memory/468-82-0x0000000003360000-0x00000000034C1000-memory.dmp

Filesize
1.4MB

Download
memory/468-80-0x0000000002DC0000-0x0000000003359000-memory.dmp

Filesize
5.6MB

Download
memory/468-68-0x0000000000000000-mapping.dmp

Download
memory/468-74-0x0000000000310000-0x00000000010C9000-memory.dmp

Filesize
13.7MB

Download
memory/1208-58-0x0000000002C40000-0x00000000031D9000-memory.dmp

Filesize
5.6MB

Download
memory/1208-54-0x0000000000320000-0x00000000010D9000-memory.dmp

Filesize
13.7MB

Download
memory/1208-61-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1208-57-0x0000000002C40000-0x00000000031D9000-memory.dmp

Filesize
5.6MB

Download
memory/1208-62-0x0000000000320000-0x00000000010D9000-memory.dmp

Filesize
13.7MB

Download
memory/1208-77-0x0000000000320000-0x00000000010D9000-memory.dmp

Filesize
13.7MB

Download
memory/1208-63-0x0000000002C40000-0x00000000031D9000-memory.dmp

Filesize
5.6MB

Download
memory/1208-78-0x00000000031E0000-0x0000000003341000-memory.dmp

Filesize
1.4MB

Download
memory/1208-60-0x00000000031E0000-0x0000000003341000-memory.dmp

Filesize
1.4MB

Download
memory/1208-56-0x0000000000320000-0x00000000010D9000-memory.dmp

Filesize
13.7MB

Download
memory/1208-59-0x00000000031E0000-0x0000000003341000-memory.dmp

Filesize
1.4MB

Download
memory/1208-65-0x00000000031E0000-0x0000000003341000-memory.dmp

Filesize
1.4MB

Download
memory/1284-71-0x0000000000000000-mapping.dmp

Download
memory/1504-64-0x0000000000000000-mapping.dmp

Download
memory/1648-87-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1648-89-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1648-93-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1652-76-0x0000000000000000-mapping.dmp

Download
memory/2020-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads