koiloader | 1f9c3f5647f440d34b15d29d7c0e973a31496c84a7cc1cc293267a8fe45b14f5 | Triage

Sharing

General

Target

21613327346.zip
Size

989B
Sample

250304-kdaqbswmv3
MD5

9fa2b747b3be5d9d9f85710035c7a4d4
SHA1

9e2bb0fa917261e214e8df4c0dbe9a5f6733e6f8
SHA256

1f9c3f5647f440d34b15d29d7c0e973a31496c84a7cc1cc293267a8fe45b14f5
SHA512

e3446157f22173b2164b5a69d8dc076fd026725ed2edb7ec7a815767eb4d147b908ea1195a360d5b1bcad300d009a6ce3d69f39d43d1a7d4b6995d37212b6b71

Score

10^/10

koiloader defense_evasion discovery execution loader

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://www.centralelatterieti.com/wp-content/uploads/2020/obviation3S0.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.centralelatterieti.com/wp-content/uploads/2020/dazementxdy7.php

exe.dropper

https://www.centralelatterieti.com/wp-content/uploads/2020/subgularExtK.ps1

Extracted

Family

koiloader

C2

http://178.17.170.209/overglass.php

Attributes

payload_url
https://www.centralelatterieti.com/wp-content/uploads/2020

Targets

- Target
  
  7d7319a069e4ce6453f554bd52c6103db586c3615e8f1bbc59748b11b2c9a926
- Size
  
  1KB
- MD5
  
  4faa35703e3c7a20143562b271ceca2f
- SHA1
  
  2d87ff75eb532029ab63ed68971471589f28a847
- SHA256
  
  7d7319a069e4ce6453f554bd52c6103db586c3615e8f1bbc59748b11b2c9a926
- SHA512
  
  ab0659b71b2a6593a288d1fe869f3615dea4eb3684df62670f1bfb38b342a8a529fa933ee78743aa162d474ffaad7b9e381f6c3186d2bed798fb27f3bfa09133
Score

10^/10

execution koiloader defense_evasion discovery loader
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Koiloader family
  koiloader
- Detects KoiLoader payload
  loader
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: Clear Persistence
  Clear artifacts associated with previously established persistence like scheduletasks on a host.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Clear Persistence

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

koiloaderdefense_evasiondiscoveryexecutionloader