koiloader | 09ef17dc4284a8d1a8b937354bd8137aa9c0d98bffb897bd891ccff854484e43 | Triage

Resubmissions

18/04/2025, 17:49

250418-wd4tystls6 8

09/04/2025, 06:42

250409-hgf1eastav 10

Sharing

General

Target

chase_apr_2025.lnk
Size

1KB
Sample

250409-hgf1eastav
MD5

36a9f6a6fe333f902077a73d990f0a4e
SHA1

906818153a8ff4bf10cfb8615ff6b9021140623c
SHA256

09ef17dc4284a8d1a8b937354bd8137aa9c0d98bffb897bd891ccff854484e43
SHA512

cfc907e28c5069edc9e837b53f13377fbc015e1baba7401d1f3adb0bbdefa1dc95b830da58ef3b84e07ef8e8558d0b9b593e3d5c4c0d258cb50f0c8c73d5f5c7

Score

10^/10

koiloader defense_evasion discovery execution loader

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://rietiholidays.it/wp-content/uploads/2021/06

Extracted

Family

koiloader

C2

http://103.245.231.56/pentateuchal.php

Attributes

payload_url
https://rietiholidays.it/wp-content/uploads/2021/06

Targets

- Target
  
  chase_apr_2025.lnk
- Size
  
  1KB
- MD5
  
  36a9f6a6fe333f902077a73d990f0a4e
- SHA1
  
  906818153a8ff4bf10cfb8615ff6b9021140623c
- SHA256
  
  09ef17dc4284a8d1a8b937354bd8137aa9c0d98bffb897bd891ccff854484e43
- SHA512
  
  cfc907e28c5069edc9e837b53f13377fbc015e1baba7401d1f3adb0bbdefa1dc95b830da58ef3b84e07ef8e8558d0b9b593e3d5c4c0d258cb50f0c8c73d5f5c7
Score

10^/10

koiloader defense_evasion discovery execution loader
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Koiloader family
  koiloader
- Detects KoiLoader payload
  loader
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Indicator Removal: Clear Persistence
  Clear artifacts associated with previously established persistence like scheduletasks on a host.
  defense_evasion
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Clear Persistence

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

koiloaderdefense_evasiondiscoveryexecutionloader