colibri | 7fec96b393175e0d05708e9af6b1cd1f1b47d81368e64555fb730ddb3c51927b

General

Target

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
Size

8.2MB
MD5

3945a1aabe76ee6d60ccf79f24ca5487
SHA1

f524ed975bc76b1f8c1aee43b2a82c766778b3ee
SHA256

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e
SHA512

1f7cfde412bda3096bab0696b7b9de709b25d25b741e67140eb68a55b8e821a745f957a9e08aaefd1aa48ffd9bd1e395a615123607f67d0ac3f62c929776794a
SSDEEP

196608:YBz5EaignhjIfak4XMaiz8qL1HZiC1GnQmf4y:G5fhAanXMt8WRZp17q

Score

10^/10

colibri bot loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

bot

C2

http://oraycdn.com/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe

Executes dropped EXE 1 IoCs

Processes:

DllHelper.exe

pid process

2668 DllHelper.exe

pid	process
2668	DllHelper.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exeDllHelper.exe

pid	process
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
2668	DllHelper.exe
2668	DllHelper.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DllHelper.exe

description pid process target process

PID 2668 set thread context of 1516 2668 DllHelper.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3660 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1444 PING.EXE

description	pid	process	target process
PID 2668 set thread context of 1516	2668	DllHelper.exe	InstallUtil.exe

pid	process
3660	schtasks.exe

pid	process
1444	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exeDllHelper.exe

pid	process
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.execmd.exeDllHelper.exe

description	pid	process	target process
PID 4760 wrote to memory of 3660	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	schtasks.exe
PID 4760 wrote to memory of 3660	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	schtasks.exe
PID 4760 wrote to memory of 3660	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	schtasks.exe
PID 4760 wrote to memory of 2668	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	DllHelper.exe
PID 4760 wrote to memory of 2668	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	DllHelper.exe
PID 4760 wrote to memory of 2668	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	DllHelper.exe
PID 4760 wrote to memory of 824	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	cmd.exe
PID 4760 wrote to memory of 824	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	cmd.exe
PID 4760 wrote to memory of 824	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	cmd.exe
PID 824 wrote to memory of 3732	824	cmd.exe	chcp.com
PID 824 wrote to memory of 3732	824	cmd.exe	chcp.com
PID 824 wrote to memory of 3732	824	cmd.exe	chcp.com
PID 824 wrote to memory of 1444	824	cmd.exe	PING.EXE
PID 824 wrote to memory of 1444	824	cmd.exe	PING.EXE
PID 824 wrote to memory of 1444	824	cmd.exe	PING.EXE
PID 2668 wrote to memory of 1516	2668	DllHelper.exe	InstallUtil.exe
PID 2668 wrote to memory of 1516	2668	DllHelper.exe	InstallUtil.exe
PID 2668 wrote to memory of 1516	2668	DllHelper.exe	InstallUtil.exe
PID 2668 wrote to memory of 1516	2668	DllHelper.exe	InstallUtil.exe
PID 2668 wrote to memory of 1516	2668	DllHelper.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
"C:\Users\Admin\AppData\Local\Temp\06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"
2⤵
- Creates scheduled task(s)
PID:3660

C:\Users\Admin\AppVerif\DllHelper.exe
"C:\Users\Admin\AppVerif\DllHelper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:3732

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppVerif\DllHelper.exe
Filesize
763.2MB

MD5
3137ab130e997fc7b7351721979cde45

SHA1
5620874578f3af5c3b8bd7df15d21f97e9372b1f

SHA256
5e2aeb2886d59607703851f741311f71d7c35c7e744e76cd53ff6b35d44a767d

SHA512
c7b6dcc5ae3c2d6073c4c4693531a56d4e80bfcaaff92c519d79504297d5d7dba94c7aee70a9467316063ab5d6e79f7d067578606858dec0d85a184a810dc6ec

Download Submit
C:\Users\Admin\AppVerif\DllHelper.exe
Filesize
763.2MB

MD5
3137ab130e997fc7b7351721979cde45

SHA1
5620874578f3af5c3b8bd7df15d21f97e9372b1f

SHA256
5e2aeb2886d59607703851f741311f71d7c35c7e744e76cd53ff6b35d44a767d

SHA512
c7b6dcc5ae3c2d6073c4c4693531a56d4e80bfcaaff92c519d79504297d5d7dba94c7aee70a9467316063ab5d6e79f7d067578606858dec0d85a184a810dc6ec

Download Submit
memory/824-143-0x0000000000000000-mapping.dmp

Download
memory/1444-148-0x0000000000000000-mapping.dmp

Download
memory/1516-158-0x0000000000000000-mapping.dmp

Download
memory/1516-165-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1516-163-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1516-161-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1516-159-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2668-157-0x000000000355F000-0x0000000003AF8000-memory.dmp

Filesize
5.6MB

Download
memory/2668-155-0x0000000012840000-0x00000000128B8000-memory.dmp

Filesize
480KB

Download
memory/2668-164-0x0000000003397000-0x00000000034F8000-memory.dmp

Filesize
1.4MB

Download
memory/2668-140-0x0000000000000000-mapping.dmp

Download
memory/2668-162-0x0000000000450000-0x0000000001209000-memory.dmp

Filesize
13.7MB

Download
memory/2668-156-0x0000000012840000-0x00000000128B8000-memory.dmp

Filesize
480KB

Download
memory/2668-150-0x0000000000450000-0x0000000001209000-memory.dmp

Filesize
13.7MB

Download
memory/2668-149-0x0000000000450000-0x0000000001209000-memory.dmp

Filesize
13.7MB

Download
memory/2668-152-0x000000000355F000-0x0000000003AF8000-memory.dmp

Filesize
5.6MB

Download
memory/2668-153-0x0000000000450000-0x0000000001209000-memory.dmp

Filesize
13.7MB

Download
memory/2668-154-0x0000000003397000-0x00000000034F8000-memory.dmp

Filesize
1.4MB

Download
memory/3660-139-0x0000000000000000-mapping.dmp

Download
memory/3732-147-0x0000000000000000-mapping.dmp

Download
memory/4760-144-0x0000000000DD0000-0x0000000001B89000-memory.dmp

Filesize
13.7MB

Download
memory/4760-133-0x0000000000DD0000-0x0000000001B89000-memory.dmp

Filesize
13.7MB

Download
memory/4760-138-0x0000000003C8C000-0x0000000004225000-memory.dmp

Filesize
5.6MB

Download
memory/4760-135-0x0000000003C8C000-0x0000000004225000-memory.dmp

Filesize
5.6MB

Download
memory/4760-136-0x0000000004235000-0x0000000004396000-memory.dmp

Filesize
1.4MB

Download
memory/4760-137-0x0000000000DD0000-0x0000000001B89000-memory.dmp

Filesize
13.7MB

Download
memory/4760-146-0x0000000004235000-0x0000000004396000-memory.dmp

Filesize
1.4MB

Download
memory/4760-145-0x0000000004235000-0x0000000004396000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads