General
- Target: b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
- Size: 4.9MB
- Sample: 241116-nr678swckg
- MD5: e5c7c10f2b2e9aae378722a84cf0f1ac
- SHA1: 7074fb2e95c3f318276e416d19591cd97b9aa493
- SHA256: b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce
- SHA512: 3782809b71de3b67934d02c5d9af5d1a9ae9f0d284bef7f2e151014d1f4485e6764f577de4588f8d1f9d1e58054620f61942a0be2e2f2d6a23d2a8f65d301490
- SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8c:c
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe
  - Resource: win7-20240903-en
Malware Config
Extracted
- Family: colibri
- Version: 1.2.0
- Build: Build1
- C2:
  - http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
  - http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Targets
- Target: b7d111b581e64a16e87913b8c7c2694e3db8ff5e967e633a6914894fa24c50ce.exe (4.9MB; hashes as listed under General above)
Signatures
- Colibri family
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (2)