Overview

overview

10

Static

static

1

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-02-2023 15:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    384KB

  • MD5

    be6ead5fba6e45225d2c869c593c091e

  • SHA1

    51b1f2a3ba54d0f675694831a7c9c509093c3399

  • SHA256

    72ffef4d565a07136b07f1c8c4518f159c0d3afdfae4e7736963f17eb35b0b59

  • SHA512

    32e0cfe77acf48e76c01ce50115a6288f2e5f1bb57532f96fced385aa5025fcd4d8b29ae83a0d06cbfb27aee3b58aa9cbedf86e68196c205e1c2e562ee213147

  • SSDEEP

    6144:XiexrddlUFwKfSO2pKvYc9/5aLiqoKDv:XdTlmsQYcl0Jr

Score
10/10
colibrirhadamanthysgooglecollectionloaderstealer

Malware Config

Extracted

Family

colibri

Version

1.4.0

Botnet

Google

C2

http://wqfegrbjiskfmas.top/gate.php

http://interferenceatmobile.xyz/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • Detect rhadamanthys stealer shellcode 4 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\system32\dllhost.exe
      "C:\Windows\system32\dllhost.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • outlook_office_path
      • outlook_win_path
      PID:1504
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 700
      2⤵
      • Program crash
      PID:1572
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2208 -ip 2208
    1⤵
      PID:3136
    • C:\Users\Admin\AppData\Local\Temp\F273.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\F273.tmp.exe"
      1⤵
      • Executes dropped EXE
      PID:3884

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\F273.tmp.exe
      Filesize

      877KB

      MD5

      5fd30bde601c8d7b3d1486650d44f7cf

      SHA1

      86578f815e67293885878be187d61ed7f1fa573e

      SHA256

      207ccbaf358bed54df98aed79b7a7ed243392b550f5d5bf4d1a72ca7fbe56c52

      SHA512

      6bb7e60af4bf5a58054c42534967caf1c3f6652ec658741a52f3ed153e27717f6cec0df34daee2e76bb6d7358b6f40679b4a2d96ff974eb8b5eeae618be7e97b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\F273.tmp.exe
      Filesize

      877KB

      MD5

      5fd30bde601c8d7b3d1486650d44f7cf

      SHA1

      86578f815e67293885878be187d61ed7f1fa573e

      SHA256

      207ccbaf358bed54df98aed79b7a7ed243392b550f5d5bf4d1a72ca7fbe56c52

      SHA512

      6bb7e60af4bf5a58054c42534967caf1c3f6652ec658741a52f3ed153e27717f6cec0df34daee2e76bb6d7358b6f40679b4a2d96ff974eb8b5eeae618be7e97b

      Download Submit

    • memory/1504-151-0x00007FF4D2790000-0x00007FF4D288A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/1504-149-0x00007FF4D2790000-0x00007FF4D288A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/1504-156-0x00007FF4D2790000-0x00007FF4D288A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/1504-152-0x00007FF4D2790000-0x00007FF4D288A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/1504-142-0x00000285473D0000-0x00000285473D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1504-150-0x00007FF4D2790000-0x00007FF4D288A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/1504-144-0x00000285474F0000-0x00000285474F7000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1504-145-0x00007FF4D2790000-0x00007FF4D288A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/1504-146-0x00007FF4D2790000-0x00007FF4D288A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/2208-147-0x0000000000400000-0x000000000059F000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2208-148-0x0000000002310000-0x000000000232C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2208-139-0x0000000002310000-0x000000000232C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2208-143-0x0000000002360000-0x0000000002362000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2208-134-0x00000000022E0000-0x000000000230E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2208-141-0x0000000002310000-0x000000000232C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2208-138-0x0000000002310000-0x000000000232C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2208-135-0x0000000000400000-0x000000000059F000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2208-140-0x0000000002330000-0x000000000234A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3884-157-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/3884-158-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download