koiloader | 3bfb486ba3651881de7009679dbbdc68b685612a72c3c051305699efaa1fe5cb | Triage

Sharing

General

Target

chase_march_2025.zip
Size

905B
Sample

250402-l2mv8sxps2
MD5

b810c659d1103dcaf836d8d647b8a03b
SHA1

2b813ae81e3330e6315760eee29ac533b42c7346
SHA256

3bfb486ba3651881de7009679dbbdc68b685612a72c3c051305699efaa1fe5cb
SHA512

5df60c8817f4553b90e60675ea021bc59345733645b7d27909c45fa7a58ee2da33f1465b687b3abc9fd2d004f1c3fecced9e9c43c3b27488fafe337160f9ea4d

Score

10^/10

koiloader defense_evasion discovery execution loader

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://studiolegaledesanctis.eu/wp-content/uploads/2024/07

Extracted

Family

koiloader

C2

http://217.156.66.15/gnathopoda.php

Attributes

payload_url
https://studiolegaledesanctis.eu/wp-content/uploads/2024/07

Targets

- Target
  
  chase_march_2025.lnk
- Size
  
  1KB
- MD5
  
  c8819ed5f7f4a9b309e01db14b458a60
- SHA1
  
  1b78c2b3627814971f73c7fa2696d1119154ea07
- SHA256
  
  5d736786036eeeaeb7a7c8b3652c76ca4c61a845619004e0b9bb679971da6a48
- SHA512
  
  72e7d619453b60df925f2f593bb9ff3156c717e97354f1de6025f9de67c8ec7713dccc01988928072b271f20eca35168023fed06f084376db47b2a07be424f78
Score

10^/10

koiloader defense_evasion discovery execution loader
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Koiloader family
  koiloader
- Detects KoiLoader payload
  loader
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Indicator Removal: Clear Persistence
  Clear artifacts associated with previously established persistence like scheduletasks on a host.
  defense_evasion
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Clear Persistence

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

koiloaderdefense_evasiondiscoveryexecutionloader