{
	"id": "ff95ade4-5fb3-44a6-a189-e6e700edfc96",
	"created_at": "2026-04-06T00:19:06.10331Z",
	"updated_at": "2026-04-10T03:20:46.396273Z",
	"deleted_at": null,
	"sha1_hash": "f194da1e60afc0baa5aa5f84932447eaa42c2dd9",
	"title": "In-depth Technical Analysis of Colibri Loader Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 416172,
	"plain_text": "In-depth Technical Analysis of Colibri Loader Malware\r\nPublished: 2025-08-21 · Archived: 2026-04-05 18:18:29 UTC\r\nOn 27 August 2021, cybersecurity researchers discovered a malware loader dubbed Colibri being sold on an underground Russian forum. The actors claim that the loader is stealthy and can be used to target Windows systems and drop other malware onto the infected system.\r\nFeatures of the Colibri loader malware\r\nThe features of the loader, as listed in the advertisement, include the following:\r\nThe loader is written in C/ASM.\r\nIt works on Windows operating systems, including Windows servers.\r\nThe loader has no dependencies, meaning it runs without relying on other components of the system.\r\nThe loader does not have an IAT (Import Address Table) listing the WinAPI functions it uses.\r\nColibri loader has only two sections in the PE structure, namely “.text” (code section) and “.reloc” (relocation section).\r\nAll the strings in the loader, as well as the connection channel between the C2 server and the loader, are encrypted.\r\nThreat actor’s post on the cybercrime forum about the Colibri Malware Loader\r\nTechnical Analysis of Colibri\r\nUnpacking the loader\r\nhttps://cloudsek.com/in-depth-technical-analysis-of-colibri-loader-malware/\r\nPage 1 of 6\r\nColibri loader comes packed in a trojanized executable file. By using x64dbg (debugger) and putting breakpoints on the function VirtualAlloc, we were able to extract the actual payload of the Colibri loader.\r\nPacked sample 74c4f24e9c025d55c4dd8aca8b91fce3\r\nColibri unpacked sample 58FEE16BBEA42A378F4D87D0E8A6F9C8\r\nThe self-modifying code in the malware\r\nBy testing the extracted payload with PEStudio it is evident that the payload has only two sections, .text (Code Section) and .reloc (Relocation Section). The results of scanning the payload also show the existence of a self-modifying section in the code. This implies that the payload is capable of dynamically resolving other parts of the code that are not accessible through static analysis of the payload.\r\nBy running the payload in the IDA debugger we are able to resolve the self-modifying code section of the payload.\r\nTwo sections that exist in the payload, besides the self-modifying property\r\nThe self-modifying code\r\nDynamically resolved code section\r\nIAT dynamic resolving\r\nTo avoid static detection by AVs, the payload’s author hashes all WinAPI function names and does not use an Import Address Table (IAT), which would otherwise help recognise the malware’s activity statically. The payload resolves the function names dynamically using XOR and shift operations. After resolving a function name, the address of the function is stored in the eax register and the function is called through that register.\r\nDehashing the function name\r\nDehashing the function names\r\nKill itself if there is already a running instance of it\r\nBefore running on the system, the payload creates a mutex by calling the function CreateMutexW and then checks whether an instance of the payload is already running on the infected system. If a running instance of the payload already exists on the system, the payload calls the ExitProcess function and exits. If there is no instance of the payload running on the system, the payload continues execution and calls the Sleep function to sleep for 3 seconds as a simple way to evade protection.\r\nCheck the existence of the payload on the system\r\nThe connection with the C2 server\r\nTo make static analysis more difficult and to evade detection, the author of this malware has encrypted all the strings. After resolving the function names dynamically and using the debugger, the strings extracted from the payload contain the following artifacts:\r\nIP address of the C2 server: 80.92.205.102\r\nURL of another payload to be downloaded: /gate.php\r\nThe payload first initializes the use of WinInet functions by calling InternetOpenW, after which it opens the HTTP session with the function InternetConnectW. The payload creates an HTTP request by calling the function HttpOpenRequestW with the following parameters:\r\nThe type of request: GET\r\nName of the target object: /gate.php?type=check\u0026uid=59045F4FF04F133112200\r\nHTTP version to be used in the request: HTTP/1.1\r\nAfter this, the payload sends the GET request to the server by calling the function HttpSendRequestW. Then the payload calls the function InternetQueryDataAvailable to determine the amount of data available, and based on the result of that call it reads the data by calling the function InternetReadFile. Our assumption is that the payload contacts the C2 server and downloads another payload onto the system.\r\nAfter downloading the data from the C2 server, the payload calls the function CryptStringToBinary to decrypt the data, which indicates that the data could be encrypted.\r\nGET request to the C2 server\r\nIndicators of Compromise – Colibri Loader Malware\r\nMD5 74c4f24e9c025d55c4dd8aca8b91fce3\r\nMD5 58FEE16BBEA42A378F4D87D0E8A6F9C8\r\nIP 80.92.205.102\r\nURL 80.92.205.102/gate.php?type=check\u0026uid=59045F4FF04F133112200\r\nConclusion\r\nColibri loader is a type of malware that is used to load further malware onto the infected system. This loader has multiple techniques that help it avoid detection, including omitting the IAT (Import Address Table) and encrypting its strings to make analysis more difficult. Like any other loader malware, Colibri can be used to install information-stealing malware, which may result in substantial loss of sensitive information. Thus, users should be wary of any unknown files on their systems.\r\nSource: https://cloudsek.com/in-depth-technical-analysis-of-colibri-loader-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://cloudsek.com/in-depth-technical-analysis-of-colibri-loader-malware/"
	],
	"report_names": [
		"in-depth-technical-analysis-of-colibri-loader-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434746,
	"ts_updated_at": 1775791246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f194da1e60afc0baa5aa5f84932447eaa42c2dd9.pdf",
		"text": "https://archive.orkl.eu/f194da1e60afc0baa5aa5f84932447eaa42c2dd9.txt",
		"img": "https://archive.orkl.eu/f194da1e60afc0baa5aa5f84932447eaa42c2dd9.jpg"
	}
}