Analysis
-
max time kernel
105s -
max time network
109s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
09-02-2023 04:17
General
-
Target
file.exe
-
Size
2.7MB
-
MD5
a98cf7d9ef915f3c3cb16d731eb43ff9
-
SHA1
51110199aae9e5546a8b6e29e62a0a629ab29618
-
SHA256
a3d5c655cfd386f82cae077d2db8b8c5c64eb560260eca223442f678635349f0
-
SHA512
2ad5bf1357ac2a89c78b5f7066b759924cb78a90c5643f93b05c1c0d59b8dc0b860549cfd5fbff3ef65c0c7068c2b64cea425db74afe57071c5245773b881dc8
-
SSDEEP
6144:phdPbOhpdUK5rvyKMdF2Xzw4JttcBDlxdwpfxfBThM9eo1I7u0Kry2wej993RUgV:3tbO5WKeg5fBTy9eo1drf
Score
10/10
Malware Config
Extracted
Family
colibri
Version
1.4.0
Botnet
exploits
C2
http://194.4.49.243/gate.php
rc4.plain
Signatures
-
Colibri Loader
A loader sold as MaaS first seen in August 2021.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/888-60-0x0000000000404E13-mapping.dmp
-
memory/888-61-0x0000000076961000-0x0000000076963000-memory.dmpFilesize
8KB
-
memory/888-59-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/888-58-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/888-56-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/888-55-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/888-62-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/888-63-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/1116-54-0x00000000003C0000-0x000000000043C000-memory.dmpFilesize
496KB