koiloader | e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

mysetup.exe

windows7-x64

7

mysetup.exe

windows10-2004-x64

Sharing

General

Target

mysetup.exe
Size

2.2MB
Sample

241129-2fcq5szkdx
MD5

5cb042f9877f5876a19c86ded15fb1f8
SHA1

12249b4e9e8f5a3d66259d9172f8b6d4225812ab
SHA256

e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819
SHA512

f6c4c9198de1d3a18815db38e50f36f7f73103a050f07c73ad83e05371a7a13be985a84c437ce27a74638d96fffda1eb860fa3b7923e47d020a3912cecd3f490
SSDEEP

49152:FBuZrEUcH4ytTJpIbxrvfqKIy029s4C1eH9K:jkLcH4ytItfgt29s4C1eH9K

Score

10^/10

koiloader discovery execution loader

Static task

static1

Behavioral task

behavioral1

Sample

mysetup.exe

Resource

win7-20240903-en

discovery execution

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

mysetup.exe

Resource

win10v2004-20241007-en

koiloader discovery execution loader

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://79.124.78.109/wp-includes/phyllopodan7V7GD.php

exe.dropper

http://79.124.78.109/wp-includes/barasinghaby.ps1

Extracted

Family

koiloader

C2

http://79.124.78.109/flocking.php

Targets

- Target
  
  mysetup.exe
- Size
  
  2.2MB
- MD5
  
  5cb042f9877f5876a19c86ded15fb1f8
- SHA1
  
  12249b4e9e8f5a3d66259d9172f8b6d4225812ab
- SHA256
  
  e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819
- SHA512
  
  f6c4c9198de1d3a18815db38e50f36f7f73103a050f07c73ad83e05371a7a13be985a84c437ce27a74638d96fffda1eb860fa3b7923e47d020a3912cecd3f490
- SSDEEP
  
  49152:FBuZrEUcH4ytTJpIbxrvfqKIy029s4C1eH9K:jkLcH4ytItfgt29s4C1eH9K
Score

10^/10

discovery execution koiloader loader
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Koiloader family
  koiloader
- Detects KoiLoader payload
  loader
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

koiloaderdiscoveryexecutionloader

© 2018-2025

Terms | Privacy