koiloader | b4e97bbd5a0a4aff04f3573fdde5c34eb3359da547483b9634e91208399bc937 | Triage

Sharing

General

Target

b4e97bbd5a0a4aff04f3573fdde5c34eb3359da547483b9634e91208399bc937.zip
Size

1KB
Sample

241203-nby7pasph1
MD5

edf8a71e473abbaf972c1352bab033f2
SHA1

aabeb63f9b5cdd98e17263afd4322ad2233815eb
SHA256

b4e97bbd5a0a4aff04f3573fdde5c34eb3359da547483b9634e91208399bc937
SHA512

8b9f8f4b8b92f3ed05de95d96413ef6045ca24f1db16133380748b6a7946bfbb3a55691ac7a7be5ce54f6b524b1c34080806ee2c7be790b55daa4e8b3ecea059

Score

10^/10

koiloader defense_evasion discovery execution loader

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Family

koiloader

C2

http://195.123.217.43/oversate.php

Attributes

payload_url
https://www.italialife24.it/wp-content/uploads/2021/05

Targets

- Target
  
  22_11_2024_stmnt.lnk
- Size
  
  3KB
- MD5
  
  f7f1052c9d09d61490d8f116238af21e
- SHA1
  
  0f2550bb03f31716232de245a02823885f529e09
- SHA256
  
  9ee3acebaae539dc60ea9321cfcf27451f6f05afc80ae7f7a959f76a8d587839
- SHA512
  
  51737afa22f193a892525226575877a0893521ffd3dec18542a7f2b0cdef5807f736ae4458a5cf7f306c8e033fdacea870d9527529172f74cbbdbcde8a646568
Score

10^/10

execution koiloader defense_evasion discovery loader
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Koiloader family
  koiloader
- Detects KoiLoader payload
  loader
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: Clear Persistence
  Clear artifacts associated with previously established persistence like scheduletasks on a host.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Clear Persistence

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

koiloaderdefense_evasiondiscoveryexecutionloader