Symbol: win.colibri
Common name: Colibri Loader


According to Cloudsek, Colibri Loader is malware designed to install additional malware on an already compromised system. The loader uses several techniques to evade detection and hinder analysis, such as omitting an Import Address Table (IAT) and encrypting its strings. Like other loaders, Colibri can be used to deploy information-stealing malware, potentially leading to significant loss of sensitive data; users should therefore exercise caution when encountering unfamiliar files on their systems.

References

2022-11-30, BitSight, André Tavares: Unpacking Colibri Loader: A Russian APT linked Campaign. https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign (retrieved 2022-12-02). Families: Colibri Loader, PrivateLoader.
2022-09-19, Recorded Future, Insikt Group®: Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine (report). https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf (retrieved 2022-09-26). Families: Ave Maria, Colibri Loader, DCRat.
2022-04-05, Malwarebytes Labs, Ankur Saini, Hossein Jazi, Jérôme Segura: Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique. https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/ (retrieved 2022-06-09). Families: Colibri Loader, Mars Stealer.
2022-03-11, Cloudsek, Marah Aboud, Janet Jose, Hansika Saxena: In-depth Technical Analysis of Colibri Loader Malware. https://cloudsek.com/in-depth-technical-analysis-of-colibri-loader-malware/ (retrieved 2022-03-14). Families: Colibri Loader.
2022-02-19, Github (Casperinous), Casperinous: IDA scripts for analysis of Colibri Loader. https://github.com/Casperinous/colibri_loader (retrieved 2022-03-02). Families: Colibri Loader.
2022-02-13, FR3D.HK, FR3D.HK: Colibri Loader - Back to basics. https://fr3d.hk/blog/colibri-loader-back-to-basics (retrieved 2022-03-02). Families: Colibri Loader.
Yara Rules
[TLP:WHITE] win_colibri_auto (20230715 | Detects win.colibri.)
rule win_colibri_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.colibri."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8b0d???????? 8d144d02000000 8b4de0 e8???????? 5f 8bc6 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   8d144d02000000       | lea                 edx, [ecx*2 + 2]
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   8bc6                 | mov                 eax, esi

        $sequence_1 = { c3 55 8bec 83ec0c 8bd1 c645fc00 57 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   8bd1                 | mov                 edx, ecx
            //   c645fc00             | mov                 byte ptr [ebp - 4], 0
            //   57                   | push                edi

        $sequence_2 = { 8d8594fdffff 50 57 6a08 59 }
            // n = 5, score = 100
            //   8d8594fdffff         | lea                 eax, [ebp - 0x26c]
            //   50                   | push                eax
            //   57                   | push                edi
            //   6a08                 | push                8
            //   59                   | pop                 ecx

        $sequence_3 = { ffd0 8d8594fdffff 50 6a04 59 e8???????? ba8fe39437 }
            // n = 7, score = 100
            //   ffd0                 | call                eax
            //   8d8594fdffff         | lea                 eax, [ebp - 0x26c]
            //   50                   | push                eax
            //   6a04                 | push                4
            //   59                   | pop                 ecx
            //   e8????????           |                     
            //   ba8fe39437           | mov                 edx, 0x3794e38f

        $sequence_4 = { 8bec 51 51 8b4d08 8d45f8 8365fc00 }
            // n = 6, score = 100
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   8365fc00             | and                 dword ptr [ebp - 4], 0

        $sequence_5 = { e8???????? ba6057d067 8bc8 e8???????? ffd0 c3 55 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   ba6057d067           | mov                 edx, 0x67d05760
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_6 = { ffd0 85c0 0f84ce000000 8d8588fbffff 50 ff75f4 8d8570f7ffff }
            // n = 7, score = 100
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   0f84ce000000         | je                  0xd4
            //   8d8588fbffff         | lea                 eax, [ebp - 0x478]
            //   50                   | push                eax
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   8d8570f7ffff         | lea                 eax, [ebp - 0x890]

        $sequence_7 = { e8???????? ffd0 56 6a1c 8d85ecfdffff }
            // n = 5, score = 100
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   56                   | push                esi
            //   6a1c                 | push                0x1c
            //   8d85ecfdffff         | lea                 eax, [ebp - 0x214]

        $sequence_8 = { 85c0 0f8514010000 a1???????? 8d0c4502000000 e8???????? 83ec10 8945f0 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f8514010000         | jne                 0x11a
            //   a1????????           |                     
            //   8d0c4502000000       | lea                 ecx, [eax*2 + 2]
            //   e8????????           |                     
            //   83ec10               | sub                 esp, 0x10
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_9 = { 8d85e0fbffff 33f6 6804010000 50 }
            // n = 4, score = 100
            //   8d85e0fbffff         | lea                 eax, [ebp - 0x420]
            //   33f6                 | xor                 esi, esi
            //   6804010000           | push                0x104
            //   50                   | push                eax

    condition:
        7 of them and filesize < 51200
}
[TLP:WHITE] win_colibri_w0 (20230118 | Detect_colibri_loader)
rule win_colibri_w0 {
    meta:
        description = "Detect_colibri_loader"
        author = "@malgamy12"
        date = "7/12/2022"
        license = "DRL 1.1"
        hash = "59f5e517dc05a83d35f11c6682934497"
        hash = "7615231dd8463c48f9dc66b67da68f49"
        hash = "7f697936757ced404c2a7515ccfe426b"
        hash = "85c3a80b85fceae0aba419b8b62ff831"
        hash = "f1bbf3a0c6c52953803e5804f4e37b15"
        hash = "7207e37226711374827d0f877b607b0f"
        hash = "7eb0b86bc4725d56c499939ab06212cf"
        hash = "21ec2cac8a3511f6a3d1ade20d5c1e38"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $p1 = {0F B7 06 0F B7 4E ?? 03 D0 8B C2 83 C6 ?? C1 E0 ?? 33 C8 C1 E1 ?? 33 D1 8B C2 C1 E8 ?? 03 D0 83 EB}
        $p2 = {8B C2 C1 E0 ?? 33 D0 8B C2 C1 E8 ?? 03 D0 8B C2 C1 E0 ?? 33 D0 8B C2 C1 E8 ?? 03 D0 8B C2 C1 E0 ?? 33 D0 8B C2 C1 E8 ?? 03 C2}
        $p3 = {33 D2 8B C3 F7 75 ?? 66 8B 04 56 66 33 04 0F 43 66 89 01 8D 49 ?? 3B 5D}

    condition:
        uint16(0) == 0x5A4D and all of them
}