colibri | 7fec96b393175e0d05708e9af6b1cd1f1b47d81368e64555fb730ddb3c51927b

General

Target

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
Size

8.2MB
MD5

3945a1aabe76ee6d60ccf79f24ca5487
SHA1

f524ed975bc76b1f8c1aee43b2a82c766778b3ee
SHA256

06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e
SHA512

1f7cfde412bda3096bab0696b7b9de709b25d25b741e67140eb68a55b8e821a745f957a9e08aaefd1aa48ffd9bd1e395a615123607f67d0ac3f62c929776794a
SSDEEP

196608:YBz5EaignhjIfak4XMaiz8qL1HZiC1GnQmf4y:G5fhAanXMt8WRZp17q

Score

10^/10

colibri bot loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

bot

C2

http://oraycdn.com/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe

Executes dropped EXE 1 IoCs

pid	Process
2668	DllHelper.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
2668	DllHelper.exe
2668	DllHelper.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 1516	2668	DllHelper.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3660	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1444	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe
2668	DllHelper.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3660	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	87
PID 4760 wrote to memory of 3660	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	87
PID 4760 wrote to memory of 3660	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	87
PID 4760 wrote to memory of 2668	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	89
PID 4760 wrote to memory of 2668	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	89
PID 4760 wrote to memory of 2668	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	89
PID 4760 wrote to memory of 824	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	90
PID 4760 wrote to memory of 824	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	90
PID 4760 wrote to memory of 824	4760	06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe	90
PID 824 wrote to memory of 3732	824	cmd.exe	92
PID 824 wrote to memory of 3732	824	cmd.exe	92
PID 824 wrote to memory of 3732	824	cmd.exe	92
PID 824 wrote to memory of 1444	824	cmd.exe	93
PID 824 wrote to memory of 1444	824	cmd.exe	93
PID 824 wrote to memory of 1444	824	cmd.exe	93
PID 2668 wrote to memory of 1516	2668	DllHelper.exe	95
PID 2668 wrote to memory of 1516	2668	DllHelper.exe	95
PID 2668 wrote to memory of 1516	2668	DllHelper.exe	95
PID 2668 wrote to memory of 1516	2668	DllHelper.exe	95
PID 2668 wrote to memory of 1516	2668	DllHelper.exe	95

C:\Users\Admin\AppData\Local\Temp\06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe
"C:\Users\Admin\AppData\Local\Temp\06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3660
- C:\Users\Admin\AppVerif\DllHelper.exe
  "C:\Users\Admin\AppVerif\DllHelper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\06af62965ce16e6f497c93feb98e9a0e63f7f05853c519ca84de943182da371e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppVerif\DllHelper.exe

Filesize
763.2MB

MD5
3137ab130e997fc7b7351721979cde45

SHA1
5620874578f3af5c3b8bd7df15d21f97e9372b1f

SHA256
5e2aeb2886d59607703851f741311f71d7c35c7e744e76cd53ff6b35d44a767d

SHA512
c7b6dcc5ae3c2d6073c4c4693531a56d4e80bfcaaff92c519d79504297d5d7dba94c7aee70a9467316063ab5d6e79f7d067578606858dec0d85a184a810dc6ec

Download Submit
C:\Users\Admin\AppVerif\DllHelper.exe

Filesize
763.2MB

MD5
3137ab130e997fc7b7351721979cde45

SHA1
5620874578f3af5c3b8bd7df15d21f97e9372b1f

SHA256
5e2aeb2886d59607703851f741311f71d7c35c7e744e76cd53ff6b35d44a767d

SHA512
c7b6dcc5ae3c2d6073c4c4693531a56d4e80bfcaaff92c519d79504297d5d7dba94c7aee70a9467316063ab5d6e79f7d067578606858dec0d85a184a810dc6ec

Download Submit
memory/1516-165-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1516-163-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1516-161-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1516-159-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2668-157-0x000000000355F000-0x0000000003AF8000-memory.dmp

Filesize
5.6MB

Download
memory/2668-155-0x0000000012840000-0x00000000128B8000-memory.dmp

Filesize
480KB

Download
memory/2668-164-0x0000000003397000-0x00000000034F8000-memory.dmp

Filesize
1.4MB

Download
memory/2668-162-0x0000000000450000-0x0000000001209000-memory.dmp

Filesize
13.7MB

Download
memory/2668-156-0x0000000012840000-0x00000000128B8000-memory.dmp

Filesize
480KB

Download
memory/2668-150-0x0000000000450000-0x0000000001209000-memory.dmp

Filesize
13.7MB

Download
memory/2668-149-0x0000000000450000-0x0000000001209000-memory.dmp

Filesize
13.7MB

Download
memory/2668-152-0x000000000355F000-0x0000000003AF8000-memory.dmp

Filesize
5.6MB

Download
memory/2668-153-0x0000000000450000-0x0000000001209000-memory.dmp

Filesize
13.7MB

Download
memory/2668-154-0x0000000003397000-0x00000000034F8000-memory.dmp

Filesize
1.4MB

Download
memory/4760-144-0x0000000000DD0000-0x0000000001B89000-memory.dmp

Filesize
13.7MB

Download
memory/4760-133-0x0000000000DD0000-0x0000000001B89000-memory.dmp

Filesize
13.7MB

Download
memory/4760-138-0x0000000003C8C000-0x0000000004225000-memory.dmp

Filesize
5.6MB

Download
memory/4760-135-0x0000000003C8C000-0x0000000004225000-memory.dmp

Filesize
5.6MB

Download
memory/4760-136-0x0000000004235000-0x0000000004396000-memory.dmp

Filesize
1.4MB

Download
memory/4760-137-0x0000000000DD0000-0x0000000001B89000-memory.dmp

Filesize
13.7MB

Download
memory/4760-146-0x0000000004235000-0x0000000004396000-memory.dmp

Filesize
1.4MB

Download
memory/4760-145-0x0000000004235000-0x0000000004396000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads