colibri | 75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673e

General

Target

75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Size

4.9MB
Sample

241202-2whmbsxkfw
MD5

0f5cabfbc1180b73d7fadd9de190d3d0
SHA1

5a617e52ac7842c5a32c4caae9c0c1f1ea725a9d
SHA256

75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673e
SHA512

79bea9ea2a3659ab6a2d11c9aef9aaa235ee413de1f246b0c6cac6ca00c827a04c9309801dc2e1d9264bd932ccef458f136598173678d6409ee8cbbcecc8df9b
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Targets

- Target
  
  75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
- Size
  
  4.9MB
- MD5
  
  0f5cabfbc1180b73d7fadd9de190d3d0
- SHA1
  
  5a617e52ac7842c5a32c4caae9c0c1f1ea725a9d
- SHA256
  
  75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673e
- SHA512
  
  79bea9ea2a3659ab6a2d11c9aef9aaa235ee413de1f246b0c6cac6ca00c827a04c9309801dc2e1d9264bd932ccef458f136598173678d6409ee8cbbcecc8df9b
- SSDEEP
  
  49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Score

10^/10

dcrat evasion execution infostealer rat trojan colibri build1 discovery loader
- Colibri Loader
  A loader sold as MaaS first seen in August 2021.
  loader colibri
- Colibri family
  colibri
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  evasion trojan
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2