koiloader | 02f27282ecc90843bd932d731c87426f78e4f88d79c66374ae06c6d1641c73cb | Triage

Sharing

General

Target

02f27282ecc90843bd932d731c87426f78e4f88d79c66374ae06c6d1641c73cb.lnk
Size

1KB
Sample

250322-cgw4qszjw3
MD5

202ee916a0113699880cc2e48a73d353
SHA1

85d9b74b2afa5bf0320e746a2871ef614159db2e
SHA256

02f27282ecc90843bd932d731c87426f78e4f88d79c66374ae06c6d1641c73cb
SHA512

c729137c2680e98e9686d6a2368e184fc38897032d0d0bf1e1c5a84530cc45208bfc60085be768c027d4ce52b627a7f308458ac5ed480c32289bc5a0d7c0a35e

Score

10^/10

koiloader defense_evasion discovery execution loader

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://casettalecese.it/wp-content/uploads/2022/10

Extracted

Family

koiloader

C2

http://94.247.42.253/pilot.php

Attributes

payload_url
https://casettalecese.it/wp-content/uploads/2022/10

Targets

- Target
  
  02f27282ecc90843bd932d731c87426f78e4f88d79c66374ae06c6d1641c73cb.lnk
- Size
  
  1KB
- MD5
  
  202ee916a0113699880cc2e48a73d353
- SHA1
  
  85d9b74b2afa5bf0320e746a2871ef614159db2e
- SHA256
  
  02f27282ecc90843bd932d731c87426f78e4f88d79c66374ae06c6d1641c73cb
- SHA512
  
  c729137c2680e98e9686d6a2368e184fc38897032d0d0bf1e1c5a84530cc45208bfc60085be768c027d4ce52b627a7f308458ac5ed480c32289bc5a0d7c0a35e
Score

10^/10

execution koiloader defense_evasion discovery loader
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Koiloader family
  koiloader
- Detects KoiLoader payload
  loader
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: Clear Persistence
  Clear artifacts associated with previously established persistence like scheduletasks on a host.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Clear Persistence

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

koiloaderdefense_evasiondiscoveryexecutionloader