Behavioral task: behavioral1
Sample: 6a79ced77846f964e877d404cb8a5c829ca6bac0b28bd161afd329685064c10e.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 6a79ced77846f964e877d404cb8a5c829ca6bac0b28bd161afd329685064c10e.exe
Resource: win10v2004-20250313-en
General
Target: 6a79ced77846f964e877d404cb8a5c829ca6bac0b28bd161afd329685064c10e.exe
Size: 41KB
MD5: 3c5d5cd7b5e48090591184ef497a98b0
SHA1: f9a9771d1e0c12735dc037725fe07e56a75ee86a
SHA256: 6a79ced77846f964e877d404cb8a5c829ca6bac0b28bd161afd329685064c10e
SHA512: 8b404ab73c039db36fc323295455366ea5373811324fae4cdc266d9b47f5336c1bcaf1be9aa36a3a561fe297a2f778f5a3c34a2659b19a0cfb915d58e4825a22
SSDEEP: 768:6TOI/K4hMkjIHltfWsJNvWb4WFdXh9gtHVgEAB9Fb5Sfzt4SfdQMYLe3hfKXe:6N/KzCIHpJNvWbDXh9hd9F+40dQXe3hz
Malware Config
Extracted: koiloader
http://94.247.42.253/pilot.php
payload_url: https://casettalecese.it/wp-content/uploads/2022/10
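The two URLs in the extracted config are the most actionable items on this page: an HTTP check-in to a bare IP with a PHP path, and a payload directory under a WordPress uploads path on a third-party domain. The Python below is an added example, not part of the sandbox report: it turns the two URLs into host+path matchers and runs them over a few constructed proxy log lines (the log layout, timestamps and source IPs are invented for the demo). It treats the unlabelled URL under `koiloader` as the C2 endpoint, which is an assumption from the report layout, ignores the URL scheme because an interception proxy or a later config revision can change it, and matches `payload_url` as a directory prefix because the report gives a directory rather than a file.

```python
from urllib.parse import urlsplit

# Indicators copied from the Malware Config section of the report.
C2_URL = "http://94.247.42.253/pilot.php"  # unlabelled URL under "koiloader" (assumed C2)
PAYLOAD_URL = "https://casettalecese.it/wp-content/uploads/2022/10"  # payload_url

# Constructed proxy log lines for the demo: timestamp src_ip method url status.
# None of these come from the report.
SAMPLE_LOG = """\
2025-03-14T10:01:22Z 10.0.0.5 POST http://94.247.42.253/pilot.php 200
2025-03-14T10:01:23Z 10.0.0.5 GET https://casettalecese.it/wp-content/uploads/2022/10/img.png 200
2025-03-14T10:01:30Z 10.0.0.7 GET https://CASETTALECESE.IT:443/wp-content/uploads/2022/10/x.bin 200
2025-03-14T10:02:00Z 10.0.0.9 GET https://casettalecese.it/wp-content/uploads/2022/09/banner.jpg 200
2025-03-14T10:02:05Z 10.0.0.5 GET http://94.247.42.253/ 404
2025-03-14T10:02:10Z 10.0.0.5 GET https://example.org/pilot.php 200
"""


def build_indicators(c2_url=C2_URL, payload_url=PAYLOAD_URL):
    """Normalise the two report URLs into (host, path) matchers.

    The C2 check-in is matched on host + exact path. payload_url is a
    directory, so it becomes a path prefix that must end in '/'.
    """
    c2 = urlsplit(c2_url)
    pl = urlsplit(payload_url)
    return {
        "c2": (c2.hostname, c2.path),
        "payload": (pl.hostname, pl.path.rstrip("/") + "/"),
    }


def classify_url(url, indicators):
    """Return 'c2', 'payload' or None for one URL.

    urlsplit().hostname is already lower-cased and has any :port removed,
    so mixed-case hosts and explicit ports in logs still match.
    """
    u = urlsplit(url)
    host, path = u.hostname, u.path
    if host is None:  # relative URL or garbage field
        return None
    c2_host, c2_path = indicators["c2"]
    if host == c2_host and path == c2_path:
        return "c2"
    pl_host, pl_prefix = indicators["payload"]
    if host == pl_host and path.startswith(pl_prefix):
        return "payload"
    return None


def scan_log(text, indicators=None):
    """Return [(timestamp, src_ip, label, url)] for every matching log line."""
    indicators = indicators or build_indicators()
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash the sweep
        ts, src, _method, url = fields[:4]
        label = classify_url(url, indicators)
        if label:
            hits.append((ts, src, label, url))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The third sample line is there on purpose: a host written in upper case with an explicit `:443` still resolves to the same `hostname`, while the `2022/09` request and the bare `/` request to the C2 IP do not match, so the rule stays tight enough to run over a whole proxy archive.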
Signatures
Files
6a79ced77846f964e877d404cb8a5c829ca6bac0b28bd161afd329685064c10e.exe.exe windows:6 windows x86 arch:x86
Imphash: 2268c03c1dd3ecd71f7dd192e3e3ce63
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
wininet
InternetQueryOptionW
InternetQueryDataAvailable
HttpOpenRequestW
InternetOpenW
InternetCrackUrlW
HttpSendRequestW
InternetCloseHandle
InternetConnectW
InternetSetOptionW
InternetReadFile
shlwapi
wnsprintfA
PathCombineW
wnsprintfW
StrStrIW
StrToIntA
StrCmpNIA
StrStrW
StrCmpIW
StrNCatW
urlmon
ObtainUserAgentString
ntdll
RtlInitUnicodeString
NtQueryInformationProcess
NtClose
ws2_32
connect
recv
htons
closesocket
select
inet_pton
WSAStartup
socket
send
netapi32
NetApiBufferFree
NetUserGetInfo
kernel32
WideCharToMultiByte
GetFileAttributesW
GetUserDefaultLangID
GetCurrentProcessId
GetWindowsDirectoryW
OpenProcess
VirtualAlloc
lstrcmpW
lstrcpyW
GlobalMemoryStatusEx
GetComputerNameW
ExitProcess
CreateThread
GetLastError
GetTickCount64
Sleep
GetSystemWow64DirectoryW
SetFileAttributesW
GetModuleHandleA
GetSystemDirectoryW
FindClose
CreateMutexW
GetTickCount
ReadFile
WriteFile
GetTempPathW
CreateFileW
GetFileAttributesExW
DeleteFileW
CloseHandle
GetFileSize
HeapFree
HeapReAlloc
HeapAlloc
GetProcessHeap
WriteProcessMemory
GetCurrentProcess
CreatePipe
SetFilePointer
SetEndOfFile
PeekNamedPipe
WaitForSingleObject
lstrcmpA
ResumeThread
LoadLibraryA
VirtualProtectEx
GetThreadContext
GetProcAddress
VirtualAllocEx
ReadProcessMemory
CreateProcessW
GetModuleHandleW
SetThreadContext
FlushFileBuffers
MultiByteToWideChar
GetVolumeInformationW
FindFirstFileW
EnterCriticalSection
FindNextFileW
lstrlenW
ExpandEnvironmentStringsW
GetModuleFileNameW
LeaveCriticalSection
InitializeCriticalSection
user32
wsprintfW
EnumDisplayDevicesW
wsprintfA
GetSystemMetrics
advapi32
RegQueryValueExW
CryptAcquireContextA
LsaFreeMemory
LsaQueryInformationPolicy
LsaOpenPolicy
LsaClose
GetUserNameW
InitiateSystemShutdownExW
RegCloseKey
RegOpenKeyExW
CryptGenRandom
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken
shell32
SHGetFolderPathW
ShellExecuteW
ole32
CoGetObject
CoCreateInstance
CoUninitialize
StringFromGUID2
CoInitializeEx
oleaut32
SysFreeString
SysAllocString
VariantClear
VariantInit
Sections
.text Size: 34KB - Virtual size: 33KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
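The Headers and Sections data above support two quick static checks that the report leaves to the reader. First, which exploit mitigations the binary opts into: ASLR via DYNAMIC_BASE, which only works because the `.reloc` section is present; DEP via NX_COMPAT; SEH handlers disallowed via NO_SEH; and no GUARD_CF flag is listed, so CFG is off. Second, whether the section layout looks packed: it does not, since the raw and virtual sizes of `.text` agree to within the report's rounding, no section is both writable and executable, and all four names are standard. The Python below is an added example, not part of the report: it parses the report's size strings, runs both checks over the listed sections and flags, and, for contrast, over a constructed UPX-style layout that is not from the report.

```python
import re

# DllCharacteristics flags as listed in the report's Headers section.
REPORT_DLL_CHARACTERISTICS = {
    "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
    "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
    "IMAGE_DLLCHARACTERISTICS_NO_SEH",
    "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE",
}

# Sections as listed in the report: (name, raw size, virtual size, flags).
REPORT_SECTIONS = [
    (".text",  "34KB", "33KB", {"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"}),
    (".data",  "512B", "3KB",  {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"}),
    (".idata", "4KB",  "3KB",  {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
    (".reloc", "1KB",  "1KB",  {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE", "IMAGE_SCN_MEM_READ"}),
]

# Constructed layout for contrast, shaped like a UPX-packed binary; not from the report.
PACKED_SECTIONS = [
    ("UPX0",  "0B",   "96KB", {"IMAGE_SCN_CNT_UNINITIALIZED_DATA", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"}),
    ("UPX1",  "28KB", "28KB", {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"}),
    (".rsrc", "4KB",  "4KB",  {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"}),
]

# Mitigation label -> DllCharacteristics flag that enables it (PE spec names).
MITIGATION_FLAGS = {
    "ASLR (DYNAMIC_BASE)": "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
    "DEP (NX_COMPAT)": "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
    "SEH disallowed (NO_SEH)": "IMAGE_DLLCHARACTERISTICS_NO_SEH",
    "CFG (GUARD_CF)": "IMAGE_DLLCHARACTERISTICS_GUARD_CF",
}

STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".reloc",
                  ".rsrc", ".bss", ".tls", ".pdata", ".crt"}
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_size(text):
    """'34KB' -> 34816, '512B' -> 512. The report rounds, so treat results as approximate."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*(B|KB|MB)", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2).upper()])


def mitigations(flags):
    """Map the DllCharacteristics flag set to {mitigation: present}."""
    return {label: flag in flags for label, flag in MITIGATION_FLAGS.items()}


def aslr_effective(flags, sections):
    """DYNAMIC_BASE only relocates the image when relocation data exists,
    so require a non-empty .reloc section as well as the flag."""
    has_flag = "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE" in flags
    has_reloc = any(n == ".reloc" and parse_size(v) > 0 for n, _r, v, _f in sections)
    return has_flag and has_reloc


def section_findings(sections):
    """Return [(section, finding)] for layouts that usually indicate packing or
    self-modifying code. The raw/virtual ratio test is applied to executable
    sections only, since a small raw .data with a larger virtual size (as in
    the report) is just zero-initialised data and is normal."""
    findings = []
    for name, raw_s, virt_s, flags in sections:
        raw, virt = parse_size(raw_s), parse_size(virt_s)
        executable = "IMAGE_SCN_MEM_EXECUTE" in flags
        if executable and "IMAGE_SCN_MEM_WRITE" in flags:
            findings.append((name, "writable and executable"))
        if raw == 0 and virt > 0:
            findings.append((name, "empty on disk but mapped in memory (typical unpacking target)"))
        elif executable and raw * 2 < virt:
            findings.append((name, "executable section mostly empty on disk"))
        if name not in STANDARD_NAMES:
            findings.append((name, "non-standard section name"))
    return findings


def looks_packed(sections):
    return bool(section_findings(sections))


if __name__ == "__main__":
    for label, present in mitigations(REPORT_DLL_CHARACTERISTICS).items():
        print(f"{label}: {'yes' if present else 'no'}")
    print("ASLR effective:", aslr_effective(REPORT_DLL_CHARACTERISTICS, REPORT_SECTIONS))
    print("report sections packed:", looks_packed(REPORT_SECTIONS))
    print("constructed UPX-style layout packed:", looks_packed(PACKED_SECTIONS))
```

The checks are deliberately coarse: section entropy is the stronger packer signal, but the report only gives sizes and flags, and sizes are rounded to the kilobyte, which is why `.text` can show a raw size one KB larger than its virtual size (file-alignment padding) without being flagged.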