General

  • Target

    b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe

  • Size

    4.9MB

  • Sample

    241116-nr678swckg

  • MD5

    e5c7c10f2b2e9aae378722a84cf0f1ac

  • SHA1

    7074fb2e95c3f318276e416d19591cd97b9aa493

  • SHA256

    b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce

  • SHA512

    3782809b71de3b67934d02c5d9af5d1a9ae9f0d284bef7f2e151014d1f4485e6764f577de4588f8d1f9d1e58054620f61942a0be2e2f2d6a23d2a8f65d301490

  • SSDEEP

    49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8c:c

Malware Config

Extracted

  • Family

    colibri

  • Version

    1.2.0

  • Botnet

    Build1

  • C2

    http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

    http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

  • rc4.plain

Targets

    • Target

      b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe

    • Colibri Loader

      A loader sold as malware-as-a-service (MaaS), first seen in August 2021.

    • Colibri family

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • DcRat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects a DCRat payload, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks