koiloader | 1bf9b7373c85224cd3378b8382e943404add71c6aadc6811ce50f15486d56668[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

1bf9b7373c85224cd3378b8382e943404add71c6aadc6811ce50f15486d56668.exe
Size

40KB
MD5

bd64ec63b75830807bbf03895376713f
SHA1

02357ecf24a0b568a877583165ec192595db22d8
SHA256

1bf9b7373c85224cd3378b8382e943404add71c6aadc6811ce50f15486d56668
SHA512

071ca63c9032d08995ce5a4cc94ecc24a669e51e6087faf18017c1adc3d9378425b5785b079b64fd4dd67f76cf24c4601109f001adabdb2a8ef2d144421aee82
SSDEEP

768:qTOI/KJYsFca5ZGsbNfEIdP1NdNh9um/dBFW7Qk9FLRxbjC+cHLuepvKBWy:qN/KJlFcatbNfEIHNh9JFFk9FP6urWy

Score

10^/10

loader koiloader

Malware Config

Extracted

Family

koiloader

http://79.124.78.127/enjambment.php

Attributes

payload_url
https://lodovicicostruzioni.com/wp-content/uploads/2018/08

Signatures

Detects KoiLoader payload 1 IoCs

loader

resource	yara_rule
sample	family_koi_loader

Koiloader family
koiloader

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
1bf9b7373c85224cd3378b8382e943404add71c6aadc6811ce50f15486d56668.exe

Files

1bf9b7373c85224cd3378b8382e943404add71c6aadc6811ce50f15486d56668.exe
.exe windows:6 windows x86 arch:x86

76ccaa34cdbb1717c51923cfa04589e7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

wininet

InternetQueryOptionW
InternetQueryDataAvailable
InternetOpenW
InternetCrackUrlW
HttpSendRequestW
InternetCloseHandle
InternetConnectW
InternetSetOptionW
InternetReadFile
HttpOpenRequestW

shlwapi

wnsprintfA
PathCombineW
wnsprintfW
StrStrIW
StrToIntA
StrCmpNIA
StrStrW
StrCmpIW
StrNCatW

urlmon

ObtainUserAgentString

ntdll

NtQueryInformationProcess
NtClose
RtlInitUnicodeString

ws2_32

recv
htons
closesocket
select
inet_pton
WSAStartup
connect
socket
send

netapi32

NetApiBufferFree
NetUserGetInfo

kernel32

MultiByteToWideChar
GetFileAttributesW
GetUserDefaultLangID
GetCurrentProcessId
GetWindowsDirectoryW
OpenProcess
VirtualAlloc
lstrcmpW
lstrcpyW
GlobalMemoryStatusEx
GetComputerNameW
ExitProcess
CreateThread
GetLastError
GetTickCount64
Sleep
GetSystemWow64DirectoryW
SetFileAttributesW
GetModuleHandleA
GetSystemDirectoryW
FindClose
CreateMutexW
GetTickCount
ReadFile
WriteFile
GetTempPathW
CreateFileW
GetFileAttributesExW
DeleteFileW
CloseHandle
GetFileSize
HeapFree
HeapReAlloc
HeapAlloc
GetProcessHeap
WriteProcessMemory
GetCurrentProcess
CreatePipe
SetFilePointer
SetEndOfFile
PeekNamedPipe
WaitForSingleObject
lstrcmpA
ResumeThread
LoadLibraryA
VirtualProtectEx
GetThreadContext
GetProcAddress
VirtualAllocEx
ReadProcessMemory
CreateProcessW
GetModuleHandleW
SetThreadContext
FlushFileBuffers
WideCharToMultiByte
GetVolumeInformationW
FindFirstFileW
EnterCriticalSection
FindNextFileW
lstrlenW
ExpandEnvironmentStringsW
GetModuleFileNameW
LeaveCriticalSection
InitializeCriticalSection

user32

EnumDisplayDevicesW
wsprintfA
wsprintfW

advapi32

RegQueryValueExW
CryptAcquireContextA
LsaFreeMemory
LsaQueryInformationPolicy
LsaOpenPolicy
LsaClose
GetUserNameW
InitiateSystemShutdownExW
RegCloseKey
RegOpenKeyExW
CryptGenRandom
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken

shell32

SHGetFolderPathW
ShellExecuteW

ole32

CoCreateInstance
CoUninitialize
CoInitializeEx
CoGetObject
StringFromGUID2

oleaut32

SysFreeString
SysAllocString
VariantClear
VariantInit

Sections

.text
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

76ccaa34cdbb1717c51923cfa04589e7

Headers

DLL Characteristics

File Characteristics

Imports

wininet

shlwapi

urlmon

ntdll

ws2_32

netapi32

kernel32

user32

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 34KB - Virtual size: 33KB

.data Size: 512B - Virtual size: 3KB

.idata Size: 3KB - Virtual size: 3KB

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 34KB - Virtual size: 33KB

.data
Size: 512B - Virtual size: 3KB

.idata
Size: 3KB - Virtual size: 3KB

.reloc
Size: 1KB - Virtual size: 1KB