MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ColibriLoader

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74
SHA3-384 hash:	1f665336e7d4e532fb8451a0e127f96a2d86ea8ad580042621e6bb0e0c45cbfacf5b8c4877b757ac77452686fd91048b
SHA1 hash:	b769a3eaafef5be2ba76aaf07d086a113456366a
MD5 hash:	a1812daa569e712fc42759a6cf38b2f3
humanhash:	bravo-two-sixteen-venus
File name:	file
Download:	download sample
Signature	ColibriLoader Create hunting rule
File size:	593'416 bytes
First seen:	2022-08-29 22:50:45 UTC
Last seen:	2022-08-29 23:58:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4dbbdaf5e4c08464f8bb0b67aef66086 (2 x ColibriLoader)
ssdeep	6144:32rLzbzbZct2dTJs4vhjhxr+SGc3Wd1dsuv:3inzVctadvhjhxaSHWdIuv
TLSH	T199C42940EE5C0B63B291752EA7D11650A0DCDEA1FBA471B15C2FE322BF7B7482A1D319
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	ColibriLoader exe

andretavare5

Sample downloaded from https://brainstormvc.me/12/TrdngAnr6339.exe

Intelligence

File Origin

# of uploads :

# of downloads :

365

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-08-29 22:51:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/045770d3-c38c-4985-b111-c8388a7a18c9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/302349/

Detection(s):

SecuriteInfo.com.Trojan.Siggen18.39782.10289.15679.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/30797/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

bingo overlay packed

Link:

https://www.filescan.io/uploads/630d4357fbf1afa49278a087/reports/fe2c1322-1c5f-405f-9857-94ed3a4648e6/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/99b2fb69-29a2-4c07-a4e0-bbd76266c642

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1060174

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74/

Threat name:

Win32.Trojan.Bingo

Status:

Malicious

First seen:

2022-08-29 22:09:53 UTC

File Type:

PE (Exe)

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yotgs5owig5e5fxrhy53d4ro5odfcn3p65au7py466ptl6l2lv2a._file

Result

Malware family:

colibri

Score:

10/10

Tags:

family:colibri botnet:build1 loader miner persistence

Link:

https://tria.ge/reports/220829-2ssywshcd9/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Downloads MZ/PE file

Executes dropped EXE

Detectes Phoenix Miner Payload

Colibri Loader

Malware Config

C2 Extraction:

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Unpacked files

SH256 hash:

c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74

MD5 hash:

a1812daa569e712fc42759a6cf38b2f3

SHA1 hash:

b769a3eaafef5be2ba76aaf07d086a113456366a

Link:

https://www.unpac.me/results/d0fad8d3-bbe9-4936-9e98-e6b8158d481a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c3a66975d641ba4e96f13e3bb1f22eeb8651376ff7414fbf1cf79f35f97a5d74

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2277651/

Cape

https://www.capesandbox.com/analysis/302349/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample