colibri | a3d5c655cfd386f82cae077d2db8b8c5c64eb560260eca223442f678635349f0 | Triage

Sharing

General

Target

file.exe
Size

2.7MB
Sample

230209-ewffmsbg32
MD5

a98cf7d9ef915f3c3cb16d731eb43ff9
SHA1

51110199aae9e5546a8b6e29e62a0a629ab29618
SHA256

a3d5c655cfd386f82cae077d2db8b8c5c64eb560260eca223442f678635349f0
SHA512

2ad5bf1357ac2a89c78b5f7066b759924cb78a90c5643f93b05c1c0d59b8dc0b860549cfd5fbff3ef65c0c7068c2b64cea425db74afe57071c5245773b881dc8
SSDEEP

6144:phdPbOhpdUK5rvyKMdF2Xzw4JttcBDlxdwpfxfBThM9eo1I7u0Kry2wej993RUgV:3tbO5WKeg5fBTy9eo1drf

Score

10^/10

colibri exploits loader

Malware Config

Extracted

Family

colibri

Version

1.4.0

Botnet

exploits

C2

http://194.4.49.243/gate.php

rc4.plain

Targets

- Target
  
  file.exe
- Size
  
  2.7MB
- MD5
  
  a98cf7d9ef915f3c3cb16d731eb43ff9
- SHA1
  
  51110199aae9e5546a8b6e29e62a0a629ab29618
- SHA256
  
  a3d5c655cfd386f82cae077d2db8b8c5c64eb560260eca223442f678635349f0
- SHA512
  
  2ad5bf1357ac2a89c78b5f7066b759924cb78a90c5643f93b05c1c0d59b8dc0b860549cfd5fbff3ef65c0c7068c2b64cea425db74afe57071c5245773b881dc8
- SSDEEP
  
  6144:phdPbOhpdUK5rvyKMdF2Xzw4JttcBDlxdwpfxfBThM9eo1I7u0Kry2wej993RUgV:3tbO5WKeg5fBTy9eo1drf
Score

10^/10

colibri exploits loader
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

colibriexploitsloader

behavioral2

colibriexploitsloader

behavioral3

colibriexploitsloader