koiloader | 215ff81b6f3a50e48d9f5acfb89f5ea3a1afd59dddbb0666f7ce97a922f60326 | Triage

Sharing

General

Target

215ff81b6f3a50e48d9f5acfb89f5ea3a1afd59dddbb0666f7ce97a922f60326.lnk
Size

3KB
Sample

241203-j4earssmhn
MD5

34ee898cb6c5ae305685129bd0b02ceb
SHA1

72c04950fa82ea474c945f31dc3e7a32635689ae
SHA256

215ff81b6f3a50e48d9f5acfb89f5ea3a1afd59dddbb0666f7ce97a922f60326
SHA512

7bf440741559ffffda909092e32329635eed5a5afd31316f58a4080f8855c57d9399f4b25d6535a490e5c28727586209e3ff7c44c4d2e947c837ab58272b976d

Score

10^/10

koiloader defense_evasion discovery execution loader

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Family

koiloader

C2

http://195.123.217.43/oversate.php

Attributes

payload_url
https://www.italialife24.it/wp-content/uploads/2021/05

Targets

- Target
  
  215ff81b6f3a50e48d9f5acfb89f5ea3a1afd59dddbb0666f7ce97a922f60326.lnk
- Size
  
  3KB
- MD5
  
  34ee898cb6c5ae305685129bd0b02ceb
- SHA1
  
  72c04950fa82ea474c945f31dc3e7a32635689ae
- SHA256
  
  215ff81b6f3a50e48d9f5acfb89f5ea3a1afd59dddbb0666f7ce97a922f60326
- SHA512
  
  7bf440741559ffffda909092e32329635eed5a5afd31316f58a4080f8855c57d9399f4b25d6535a490e5c28727586209e3ff7c44c4d2e947c837ab58272b976d
Score

10^/10

execution koiloader defense_evasion discovery loader
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Koiloader family
  koiloader
- Detects KoiLoader payload
  loader
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: Clear Persistence
  Clear artifacts associated with previously established persistence like scheduletasks on a host.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Clear Persistence

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

koiloaderdefense_evasiondiscoveryexecutionloader