koiloader | e02e837f8b43f14dd1de0c924fb9c7c2ead99fe1589bfb5126f120be5bc8599b | Triage

Sharing

General

Target

e02e837f8b43f14dd1de0c924fb9c7c2ead99fe1589bfb5126f120be5bc8599b.lnk
Size

3KB
Sample

241203-j4zlpswrez
MD5

ef8150f41db3c25684ff13470182898f
SHA1

6a10b98d8cd2fb0fa641d282ea30fc196638b8cd
SHA256

e02e837f8b43f14dd1de0c924fb9c7c2ead99fe1589bfb5126f120be5bc8599b
SHA512

d7937781c09595c1b0c4a058929579a7499b7e28c67ef48f3ab6704a4c3b2b80cea38a1452f275e0b1205ddbabeeceaadf3c3fcd84be8fb6270904859eeff6c3

Score

10^/10

koiloader defense_evasion discovery execution loader

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Family

koiloader

C2

http://195.123.217.43/oversate.php

Attributes

payload_url
https://www.italialife24.it/wp-content/uploads/2021/05

Targets

- Target
  
  e02e837f8b43f14dd1de0c924fb9c7c2ead99fe1589bfb5126f120be5bc8599b.lnk
- Size
  
  3KB
- MD5
  
  ef8150f41db3c25684ff13470182898f
- SHA1
  
  6a10b98d8cd2fb0fa641d282ea30fc196638b8cd
- SHA256
  
  e02e837f8b43f14dd1de0c924fb9c7c2ead99fe1589bfb5126f120be5bc8599b
- SHA512
  
  d7937781c09595c1b0c4a058929579a7499b7e28c67ef48f3ab6704a4c3b2b80cea38a1452f275e0b1205ddbabeeceaadf3c3fcd84be8fb6270904859eeff6c3
Score

10^/10

execution koiloader defense_evasion discovery loader
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Koiloader family
  koiloader
- Detects KoiLoader payload
  loader
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: Clear Persistence
  Clear artifacts associated with previously established persistence like scheduletasks on a host.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Clear Persistence

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

koiloaderdefense_evasiondiscoveryexecutionloader