colibri | 91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8 | Triage

Submit
Reports

Overview

overview

Static

static

1

5779722125.exe

windows7-x64

5779722125.exe

windows10-2004-x64

Sharing

General

Target

5779722125.exe
Size

5.7MB
Sample

230412-paa9xade8y
MD5

44e4646b76a889c2115bdacc6e63ba2a
SHA1

efe7c1dae715922ff19121ff4f0e97ca904ee536
SHA256

91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8
SHA512

b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d
SSDEEP

1536:gpyA0Sdf7CwS+1iSpyOVvBkHA/BGGG/DoFVuZB3ZnMALr/pQZw3MIeqVz1iU80hy:gQcYyOx2TsuVxt11oPvZBhYU2

Score

10^/10

colibri dcrat build1 evasion infostealer loader rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

5779722125.exe

Resource

win7-20230220-en

dcrat evasion infostealer rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

5779722125.exe

Resource

win10v2004-20230220-en

colibri build1 evasion loader trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Targets

- Target
  
  5779722125.exe
- Size
  
  5.7MB
- MD5
  
  44e4646b76a889c2115bdacc6e63ba2a
- SHA1
  
  efe7c1dae715922ff19121ff4f0e97ca904ee536
- SHA256
  
  91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8
- SHA512
  
  b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d
- SSDEEP
  
  1536:gpyA0Sdf7CwS+1iSpyOVvBkHA/BGGG/DoFVuZB3ZnMALr/pQZw3MIeqVz1iU80hy:gQcYyOx2TsuVxt11oPvZBhYU2
Score

10^/10

dcrat evasion infostealer rat trojan colibri build1 loader
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  evasion trojan
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

dcratevasioninfostealerrattrojan

behavioral2

colibribuild1evasionloadertrojan

© 2018-2024

Terms | Privacy