colibri | 6c4c03231ed003e73fd65691c5950ae75f352e8467a486ea3ae34307ba35c297 | Triage

Sharing

General

Target

file.exe
Size

447KB
Sample

230615-scqddsaa6z
MD5

c6370fd9fec5500a8eb3a0c6a7cb9999
SHA1

ce87cba0d983f1d85e3a65a0351b4b5d15da31b4
SHA256

6c4c03231ed003e73fd65691c5950ae75f352e8467a486ea3ae34307ba35c297
SHA512

0c73a811203a65e5bdb3c0ff68beb4189d0410b6976331aaf97804d802eec7f31470c0b5d78443546d6ee69e856f9abc671875b3fca83d394e288370e586a774
SSDEEP

6144:bHpSbEF2KIXm7atCYbzMrBsE10PF86tv77exdj0W8+E8INlWZWneknqi7oH:b4bEKWO4YMNmjvaj0MELNlkknqiU

Score

10^/10

colibri bot collection loader

Malware Config

Extracted

Family

colibri

Version

1.4.1

Botnet

bot

C2

http://oraycdn.com/gate.php

rc4.plain

Targets

- Target
  
  file.exe
- Size
  
  447KB
- MD5
  
  c6370fd9fec5500a8eb3a0c6a7cb9999
- SHA1
  
  ce87cba0d983f1d85e3a65a0351b4b5d15da31b4
- SHA256
  
  6c4c03231ed003e73fd65691c5950ae75f352e8467a486ea3ae34307ba35c297
- SHA512
  
  0c73a811203a65e5bdb3c0ff68beb4189d0410b6976331aaf97804d802eec7f31470c0b5d78443546d6ee69e856f9abc671875b3fca83d394e288370e586a774
- SSDEEP
  
  6144:bHpSbEF2KIXm7atCYbzMrBsE10PF86tv77exdj0W8+E8INlWZWneknqi7oH:b4bEKWO4YMNmjvaj0MELNlkknqiU
Score

10^/10

colibri bot collection loader
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

colibribotcollectionloader

behavioral2

colibribotcollectionloader