General
-
Target
16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
-
Size
4.9MB
-
Sample
241125-p31ehaxlhx
-
MD5
d6c32cc92aff05247e665fec5d1ca5ed
-
SHA1
864e040db2c99477669bbe45261d8d93ebdba021
-
SHA256
16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00
-
SHA512
b03a5e8bfa50e1c559d72f912168e56aa93f6d545554e84db723261744ed2c308cca6cb1602a731d00787a1319b44fd326fd5704ba207850a0981ea42fceef96
-
SSDEEP
49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8O:2
Static task
static1
Behavioral task
behavioral1
Sample
16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Resource
win7-20240903-en
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Targets
-
-
Target
16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
-
Size
4.9MB
-
MD5
d6c32cc92aff05247e665fec5d1ca5ed
-
SHA1
864e040db2c99477669bbe45261d8d93ebdba021
-
SHA256
16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00
-
SHA512
b03a5e8bfa50e1c559d72f912168e56aa93f6d545554e84db723261744ed2c308cca6cb1602a731d00787a1319b44fd326fd5704ba207850a0981ea42fceef96
-
SSDEEP
49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8O:2
-
Colibri family
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2