win.colibri

Colibri Loader


According to CloudSEK, Colibri Loader is malware whose purpose is to install additional payloads on a host that is already compromised. The loader uses several analysis- and detection-evasion techniques: it ships without an Import Address Table (IAT), so the Windows APIs it needs are not visible to static import analysis and have to be resolved at runtime, and it keeps its strings encrypted until they are used, which complicates both static analysis and string-based detection. Like other loaders, Colibri has been used to deploy information stealers (the references below tag it alongside Mars Stealer, Ave Maria and DCRat), so an infection can lead to significant loss of sensitive data. Defenders should therefore treat unexpected scheduled tasks and PowerShell activity (the persistence technique described in the Malwarebytes write-up below) and the YARA rules at the bottom of this page as starting points for investigation, rather than relying on users to notice unfamiliar files.

References
2022-11-30 | BitSight | André Tavares
Unpacking Colibri Loader: A Russian APT linked Campaign
Tags: Colibri Loader, PrivateLoader
2022-09-19 | Recorded Future | Insikt Group®
Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine
Tags: Ave Maria, Colibri Loader, DCRat
2022-04-05 | Malwarebytes Labs | Ankur Saini, Hossein Jazi, Jérôme Segura
Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique
Tags: Colibri Loader, Mars Stealer
2022-03-11 | CloudSEK | Hansika Saxena, Janet Jose, Marah Aboud
In-depth Technical Analysis of Colibri Loader Malware
Tags: Colibri Loader
2022-02-19 | GitHub (Casperinous) | Casperinous
IDA scripts for analysis of Colibri Loader
Tags: Colibri Loader
2022-02-13 | FR3D.HK | FR3D.HK
Colibri Loader - Back to basics
Tags: Colibri Loader
Yara Rules
[TLP:WHITE] win_colibri_auto (20260504 | Detects win.colibri.)
rule win_colibri_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.colibri."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Reviewer notes (not part of the generated rule):
     * - Each $sequence_N is a short run of 32-bit x86 opcode bytes taken from
     *   the disassembly shown in the comments. The ???????? wildcards appear to
     *   mask the 4-byte operand of address-dependent instructions (e8 call
     *   rel32, a1 mov eax,[moffs32], b8/be mov reg,imm32, 68 push imm32), so
     *   the rule is not tied to one build's layout; the disassembly column is
     *   left blank for exactly those entries.
     * - The "mov edx, <imm32>; mov ecx, eax; call ...; call eax" shape in
     *   $sequence_1 (0x69fdf649) and $sequence_9 (0x91c98659) is what
     *   hash-based API resolution in an IAT-less loader would look like, but
     *   that is an inference from the bytes alone — confirm against a sample
     *   before treating those constants as API hashes.
     * - Because the sequences come from unpacked/dumped code, the rule is
     *   intended for unpacked samples or memory, not for the packed file as
     *   delivered.
     */

    strings:
        $sequence_0 = { 8d0c4502000000 e8???????? 89442440 be???????? 8bfc 8bc8 }
            // n = 6, score = 100
            //   8d0c4502000000       | lea                 ecx, [eax*2 + 2]
            //   e8????????           |                     
            //   89442440             | mov                 dword ptr [esp + 0x40], eax
            //   be????????           |                     
            //   8bfc                 | mov                 edi, esp
            //   8bc8                 | mov                 ecx, eax

        $sequence_1 = { ff75f4 6a02 59 e8???????? ba49f6fd69 8bc8 }
            // n = 6, score = 100
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   6a02                 | push                2
            //   59                   | pop                 ecx
            //   e8????????           |                     
            //   ba49f6fd69           | mov                 edx, 0x69fdf649
            //   8bc8                 | mov                 ecx, eax

        $sequence_2 = { 8b4df0 e8???????? 8bf8 8bcf e8???????? }
            // n = 5, score = 100
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_3 = { 8902 83c204 8955f8 8b01 85c0 }
            // n = 5, score = 100
            //   8902                 | mov                 dword ptr [edx], eax
            //   83c204               | add                 edx, 4
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   85c0                 | test                eax, eax

        $sequence_4 = { 8b4df8 8d144502000000 e8???????? a1???????? 8b4df4 }
            // n = 5, score = 100
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8d144502000000       | lea                 edx, [eax*2 + 2]
            //   e8????????           |                     
            //   a1????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_5 = { 8b75f8 85c0 745c 57 8d85ecfdffff }
            // n = 5, score = 100
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]
            //   85c0                 | test                eax, eax
            //   745c                 | je                  0x5e
            //   57                   | push                edi
            //   8d85ecfdffff         | lea                 eax, [ebp - 0x214]

        $sequence_6 = { 8bd8 56 895c2444 53 6a02 59 }
            // n = 6, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   56                   | push                esi
            //   895c2444             | mov                 dword ptr [esp + 0x44], ebx
            //   53                   | push                ebx
            //   6a02                 | push                2
            //   59                   | pop                 ecx

        $sequence_7 = { e8???????? 83c410 b8???????? 68???????? 50 53 8b5dfc }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   b8????????           |                     
            //   68????????           |                     
            //   50                   | push                eax
            //   53                   | push                ebx
            //   8b5dfc               | mov                 ebx, dword ptr [ebp - 4]

        $sequence_8 = { 8365f800 50 e8???????? 59 85c0 7413 8b4dfc }
            // n = 7, score = 100
            //   8365f800             | and                 dword ptr [ebp - 8], 0
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   7413                 | je                  0x15
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_9 = { ba5986c991 8bc8 e8???????? ffd0 89442444 eb43 }
            // n = 6, score = 100
            //   ba5986c991           | mov                 edx, 0x91c98659
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   89442444             | mov                 dword ptr [esp + 0x44], eax
            //   eb43                 | jmp                 0x45

    /* Match requires any 7 of the 10 sequences AND a scanned object smaller
     * than 51200 bytes (50 KiB). Note the size gate: a whole process memory
     * dump or any unpacked image over 50 KiB will fail the filesize test and
     * NOT match even if all ten sequences are present. When scanning memory
     * (yara -p / process scans) or larger dumps, drop or raise the filesize
     * bound rather than assuming a non-match is a true negative.
     */
    condition:
        7 of them and filesize < 51200
}
[TLP:WHITE] win_colibri_w0   (20230118 | Detect_colibri_loader)
rule win_colibri_w0 {
    meta:
	description = "Detect_colibri_loader"
	author = "@malgamy12"
	date = "7/12/2022"
	license = "DRL 1.1"
        hash= "59f5e517dc05a83d35f11c6682934497"
        hash= "7615231dd8463c48f9dc66b67da68f49"
        hash= "7f697936757ced404c2a7515ccfe426b"
        hash= "85c3a80b85fceae0aba419b8b62ff831"
        hash= "f1bbf3a0c6c52953803e5804f4e37b15"
        hash= "7207e37226711374827d0f877b607b0f"
        hash= "7eb0b86bc4725d56c499939ab06212cf"
        hash= "21ec2cac8a3511f6a3d1ade20d5c1e38"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"    
    /* Reviewer notes:
     * - "date" is written as 7/12/2022, which is ambiguous (7 December vs
     *   12 July); the malpedia_rule_date 20230118 is the only unambiguous
     *   date in this meta block.
     * - The eight hash= values are 32 hex digits (MD5-length). They are fine
     *   for looking samples up but are not a collision-resistant pin; prefer
     *   SHA-256 if the hashes are re-recorded.
     * - Unlike win_colibri_auto there is no filesize bound, but see the
     *   condition note below on the MZ check.
     */
    strings:
        // $p1: two 16-bit loads (movzx eax,word [esi] / movzx ecx,word [esi+?])
        //      followed by add/shl/xor/shr mixing into edx and an advance of esi.
        //      The ?? bytes wildcard the displacement, the esi increment and the
        //      shift counts. Reads like the per-block step of a 16-bit-word hash
        //      (the shape resembles SuperFastHash's inner loop) — inference from
        //      the bytes only, confirm on a sample.
        $p1 = {0F B7 06 0F B7 4E ?? 03 D0 8B C2 83 C6 ?? C1 E0 ?? 33 C8 C1 E1 ?? 33 D1 8B C2 C1 E8 ?? 03 D0 83 EB}
        // $p2: three repetitions of "mov eax,edx; shl eax,?; xor edx,eax;
        //      mov eax,edx; shr eax,?; add edx,eax" ending in add eax,edx — a
        //      final avalanche/mixing stage consistent with the hash suggested
        //      by $p1 (same caveat: shift counts are wildcarded).
        $p2 = {8B C2 C1 E0 ?? 33 D0 8B C2 C1 E8 ?? 03 D0 8B C2 C1 E0 ?? 33 D0 8B C2 C1 E8 ?? 03 D0 8B C2 C1 E0 ?? 33 D0 8B C2 C1 E8 ?? 03 C2}
        // $p3: xor edx,edx; mov eax,ebx; div dword [ebp+?]  -> edx = ebx mod key length
        //      mov ax,word [esi+edx*2]; xor ax,word [edi+ecx]; inc ebx;
        //      mov word [ecx],ax; lea ecx,[ecx+?]; cmp ebx,[ebp+?]
        //      i.e. a loop XORing 16-bit units against a key indexed modulo its
        //      length — consistent with the encrypted-string decoding described
        //      for this family, though the wildcarded stack offsets mean the
        //      exact operands should be verified in a sample.
        $p3 = {33 D2 8B C3 F7 75 ?? 66 8B 04 56 66 33 04 0F 43 66 89 01 8D 49 ?? 3B 5D}
        
    /* Requires the "MZ" DOS header magic at offset 0 plus all three patterns.
     * The MZ check keeps the rule from firing on arbitrary blobs, but it also
     * means a memory region or carved dump that lacks a PE header at offset 0
     * will not match even when $p1..$p3 are all present — relax the header
     * check when scanning such data.
     */
    condition:
        uint16(0) == 0x5A4D and all of them
}