koiloader | a6bda80c9f914fb5b640d3437c264993b49a91d997562d53f5ba8d32ac979ec1 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

r6eac11b8-...2ar.js

windows7-x64

r6eac11b8-...2ar.js

windows10-2004-x64

Sharing

General

Target

r6eac11b8-35d6-bffe-da50-d9e1a5ae832ar.js
Size

1KB
Sample

250128-qwrdpasrhr
MD5

efcc96851f4724909616b5f3ec81cf79
SHA1

783d14e21e058733ef6cc6ca1e934bcf2533d134
SHA256

a6bda80c9f914fb5b640d3437c264993b49a91d997562d53f5ba8d32ac979ec1
SHA512

c4f152a2caad73ed9a50df2394b59749b6aed00b3135289881c730b9d9d7ec6d34f0fd51e8785ee32da0e2e1b5da3c6b896743b13941d4496c930138e6065e44

Score

10^/10

koiloader discovery execution loader

Static task

static1

Behavioral task

behavioral1

Sample

r6eac11b8-35d6-bffe-da50-d9e1a5ae832ar.js

Resource

win7-20240903-en

discovery execution

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

r6eac11b8-35d6-bffe-da50-d9e1a5ae832ar.js

Resource

win10v2004-20241007-en

koiloader discovery execution loader

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://79.124.78.109/wp-includes/phyllopodan7V7GD.php

exe.dropper

http://79.124.78.109/wp-includes/barasinghaby.ps1

Extracted

Family

koiloader

C2

http://79.124.78.109/flocking.php

Targets

- Target
  
  r6eac11b8-35d6-bffe-da50-d9e1a5ae832ar.js
- Size
  
  1KB
- MD5
  
  efcc96851f4724909616b5f3ec81cf79
- SHA1
  
  783d14e21e058733ef6cc6ca1e934bcf2533d134
- SHA256
  
  a6bda80c9f914fb5b640d3437c264993b49a91d997562d53f5ba8d32ac979ec1
- SHA512
  
  c4f152a2caad73ed9a50df2394b59749b6aed00b3135289881c730b9d9d7ec6d34f0fd51e8785ee32da0e2e1b5da3c6b896743b13941d4496c930138e6065e44
Score

10^/10

discovery execution koiloader loader
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Koiloader family
  koiloader
- Detects KoiLoader payload
  loader
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

koiloaderdiscoveryexecutionloader

© 2018-2025

Terms | Privacy