koiloader | d480330c8ee5ab7fb143c23321531474b736e7cca9abe933da41b2fe2472863c | Triage

Sharing

General

Target

d480330c8ee5ab7fb143c23321531474b736e7cca9abe933da41b2fe2472863c.lnk
Size

3KB
Sample

241203-j4zlpssnbl
MD5

a8adbb0f006cbb7a70d7c2dcb0e2cff6
SHA1

38f9fbf5a68943dc8f265191bb302722afed95d7
SHA256

d480330c8ee5ab7fb143c23321531474b736e7cca9abe933da41b2fe2472863c
SHA512

97686340a9b30c0516f8f7ac76a19a6547a6e407588dca5ac042ac767af0c57560059457e8042ccb2d3a031637d5ebd2d299e14446c6e0768c5cae75c1ae45fb

Score

10^/10

koiloader defense_evasion discovery execution loader

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Family

koiloader

C2

http://195.123.217.43/oversate.php

Attributes

payload_url
https://www.italialife24.it/wp-content/uploads/2021/05

Targets

- Target
  
  d480330c8ee5ab7fb143c23321531474b736e7cca9abe933da41b2fe2472863c.lnk
- Size
  
  3KB
- MD5
  
  a8adbb0f006cbb7a70d7c2dcb0e2cff6
- SHA1
  
  38f9fbf5a68943dc8f265191bb302722afed95d7
- SHA256
  
  d480330c8ee5ab7fb143c23321531474b736e7cca9abe933da41b2fe2472863c
- SHA512
  
  97686340a9b30c0516f8f7ac76a19a6547a6e407588dca5ac042ac767af0c57560059457e8042ccb2d3a031637d5ebd2d299e14446c6e0768c5cae75c1ae45fb
Score

10^/10

execution koiloader defense_evasion discovery loader
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Koiloader family
  koiloader
- Detects KoiLoader payload
  loader
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: Clear Persistence
  Clear artifacts associated with previously established persistence like scheduletasks on a host.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Clear Persistence

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

koiloaderdefense_evasiondiscoveryexecutionloader