koiloader | 6790e20e5f49035e1be6a82cf82a5291a880de3ac7f22ec4a9e15af4984a17e5 | Triage

Sharing

General

Target

6790e20e5f49035e1be6a82cf82a5291a880de3ac7f22ec4a9e15af4984a17e5.zip
Size

1KB
Sample

241203-nbywxsyjgk
MD5

c4e6098a97b7635e3b24319d41c81960
SHA1

2e26d9bf0ea4e7203add29831d264cfb07105a2b
SHA256

6790e20e5f49035e1be6a82cf82a5291a880de3ac7f22ec4a9e15af4984a17e5
SHA512

a6032a22dea84309bcdf6cc91abc39135e8ba8eb7a019de9e0e9b425159ba64da8fa3e266be4c11cf42c24de28789b6bea0b5572daf2330ea25fad94ddac3a68

Score

10^/10

koiloader defense_evasion discovery execution loader

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/stepPCj5H.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/untrippingvT.ps1

Extracted

Family

koiloader

C2

http://195.123.217.43/oversate.php

Attributes

payload_url
https://www.italialife24.it/wp-content/uploads/2021/05

Targets

- Target
  
  22_11_2024_stmnt.lnk
- Size
  
  3KB
- MD5
  
  ef8150f41db3c25684ff13470182898f
- SHA1
  
  6a10b98d8cd2fb0fa641d282ea30fc196638b8cd
- SHA256
  
  e02e837f8b43f14dd1de0c924fb9c7c2ead99fe1589bfb5126f120be5bc8599b
- SHA512
  
  d7937781c09595c1b0c4a058929579a7499b7e28c67ef48f3ab6704a4c3b2b80cea38a1452f275e0b1205ddbabeeceaadf3c3fcd84be8fb6270904859eeff6c3
Score

10^/10

execution koiloader defense_evasion discovery loader
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Koiloader family
  koiloader
- Detects KoiLoader payload
  loader
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: Clear Persistence
  Clear artifacts associated with previously established persistence like scheduletasks on a host.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Clear Persistence

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

koiloaderdefense_evasiondiscoveryexecutionloader