koiloader | 6ba8a745da36ed86f9edd685a2d0d93b9e7b4ba537f431fe8dec07d4b7035363 | Triage

Sharing

General

Target

chase_march_2025.zip
Size

916B
Sample

250402-s79qhsy1c1
MD5

573bd63dd09744127884bd89f21b9511
SHA1

0ab04b9bacda6d234794d145b270a365ffeedad7
SHA256

6ba8a745da36ed86f9edd685a2d0d93b9e7b4ba537f431fe8dec07d4b7035363
SHA512

e389f38e6bd33178083b36cbe07ddc8ff4ed5591904141851de36ae539a265bc5c561b3c1569ec449454cd1bb38f1c6d70f0402b77a928e11261d51d382f3c98

Score

10^/10

koiloader defense_evasion discovery execution loader

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://studiolegaledesanctis.eu/wp-content/uploads/2024/07

Extracted

Family

koiloader

C2

http://217.156.66.15/gnathopoda.php

Attributes

payload_url
https://studiolegaledesanctis.eu/wp-content/uploads/2024/07

Targets

- Target
  
  chase_march_2025.lnk
- Size
  
  1KB
- MD5
  
  7d09c2f9087b81928f92fc87b635c008
- SHA1
  
  a1db6b387af8021ad097f41586fb86680420e22e
- SHA256
  
  311d17e119c43e123a8dc7178ec01366835e6b59300ac1c72b7dd2b5e7aaa9c0
- SHA512
  
  5c214d877970eb70bb467fa95778ff35df4ade687bf0d3b54798441861b014fc3a4a65b07ed7474a7127591f214ca2437e91423fc8feb2929019b615cd3334ef
Score

10^/10

koiloader defense_evasion discovery execution loader
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Koiloader family
  koiloader
- Detects KoiLoader payload
  loader
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Indicator Removal: Clear Persistence
  Clear artifacts associated with previously established persistence like scheduletasks on a host.
  defense_evasion
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Clear Persistence

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

koiloaderdefense_evasiondiscoveryexecutionloader