Overview

overview

10

Static

static

1

win10

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    wells_fargo_statement.lnk

  • Size

    2KB

  • Sample

    240524-wplgraee79

  • MD5

    17b5bc02890b72e8c438da653880f57e

  • SHA1

    133b89d4737e8821a3e8a6254936b19561b1cbe1

  • SHA256

    6be65b07c98affa804a965187dafb49078cec03bc6f8a772e330d1a0fb05c101

  • SHA512

    19053344692d6275345040c27d5a3abfaf8284902c7ae2d2ddee37d7bb883cebe27bf66fb85f93e416be65afcbd9ae2b9bde66966c1036402a0315508bf2164a

Score
10/10
koiloaderexecutionloader

Malware Config

Extracted

Family

koiloader

C2

http://79.124.78.45/hockamore.php

Attributes
  • payload_url

    https://rdccob.com.br/wp-content/uploads/2021

Targets

    • Target

      wells_fargo_statement.lnk

    • Size

      2KB

    • MD5

      17b5bc02890b72e8c438da653880f57e

    • SHA1

      133b89d4737e8821a3e8a6254936b19561b1cbe1

    • SHA256

      6be65b07c98affa804a965187dafb49078cec03bc6f8a772e330d1a0fb05c101

    • SHA512

      19053344692d6275345040c27d5a3abfaf8284902c7ae2d2ddee37d7bb883cebe27bf66fb85f93e416be65afcbd9ae2b9bde66966c1036402a0315508bf2164a

    Score
    10/10
    koiloaderexecutionloader

    • KoiLoader

      KoiLoader is a malware loader written in C++.

      loaderkoiloader

    • Detects KoiLoader payload

      loader

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

JavaScript

1
T1059.007

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks