koiloader

General

Target

ac5e09927cf29318eeb315cf02cd19992afcc151de228192d332bb83e034aaaf (3).zip
Size

191KB
Sample

250409-jsszsat1b1
MD5

2c0597e4e0ee5bac25e8605d29f99eb9
SHA1

75ea0337104037ace7739d2ad9aa6737f380fbaa
SHA256

ac5e09927cf29318eeb315cf02cd19992afcc151de228192d332bb83e034aaaf
SHA512

dc22feb07dffa402637e64d4c738299c86c7e1d05a7a2e308b990974236305a67a27134232ae0a45b605ef42ae060ce11c6f3c556e62b642f8e4b5c1db0c31d0
SSDEEP

3072:SjvYjytP2KrZr4vEcmnK+WX7O1m00XmxsmSchcZM2MC0Ldq/eiFlXU2IcGvgBJ60:VWJ2sAEcmnK+YS1GWSmFavL0L0NFF4gb

Score

10^/10

Malware Config

Extracted

Family

koiloader

C2

http://103.245.231.56/pentateuchal.php

Attributes

payload_url
https://rietiholidays.it/wp-content/uploads/2021/06

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://rietiholidays.it/wp-content/uploads/2021/06

Targets

- Target
  
  20250407_KoiLoader_Samples/avourhtv.exe
- Size
  
  231KB
- MD5
  
  0b9e1fb8d5d72bde6fd0fe4c5a960f77
- SHA1
  
  5fb623c742fb303f65adec0441118d03b4726859
- SHA256
  
  843cf9f337afde0f32670eefe73952c8f27d86dc46a6a32c25080e86b0bb5d01
- SHA512
  
  0887c326ff2b3512908d0c5e49f1c7b5e4cb9212b804197d22ed6c6f20d8b8c274529c7dab45dd06666fe4ea14565e20e0c2fde54bcc11d05e07b6d0da8d2ae0
- SSDEEP
  
  3072:BNwCrquaP24/h7Q22oWvjWn+V4t4jrv34CovCWzG9f4BVfNMVzjJbU9Rvgb7SCv:/UhAoAZoLzJBVFMdjJI9RIaCv
Score

10^/10

koiloader discovery loader
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Koiloader family
  koiloader
- Detects KoiLoader payload
  loader
behavioral1
- Target
  
  20250407_KoiLoader_Samples/covalencesxjiY.php
- Size
  
  1KB
- MD5
  
  acfbef945b29e513ecc7e1ddccf70cf0
- SHA1
  
  8dc828d93fd9c60b74ff7b601531340d6dc9d01e
- SHA256
  
  3119cfa98d0ddbe11553e7e65738640ed89b330bbf642c63aedceda5826ac8e1
- SHA512
  
  9eb89056948126527e7ac03e19fe8eaf2a9ef2848e75203b523eeedeeb6e30236b8d2501797f69e65bf4750ce421c99b24a956d246d4dd243a0460c13db69b4d
Score

10^/10

koiloader discovery execution loader
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Koiloader family
  koiloader
- Detects KoiLoader payload
  loader
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral2
- Target
  
  20250407_KoiLoader_Samples/revettedYf.ps1
- Size
  
  7KB
- MD5
  
  f44ac29d0b6c80fb590d2ae5a427050b
- SHA1
  
  9074e1c7b55c70a3489d1b40e86ff10d50e2fa51
- SHA256
  
  099e441c0d4a08144019e8c083af50123115300a9c8e8779880e81eaa46db344
- SHA512
  
  dec7b204ab0cd2e5d4b93d735adf8904e7e4b2b250b11c8243290729ae6186341f3a2a9ddfa0089ac0b36479b5097693c4e46d364341bba455a85d9a14d0cad0
- SSDEEP
  
  192:SvOuLf6+qUClbRZqwiJY5AH+W4BJeGZjf6H1XTMTqTb:SvQ+yo+yh
Score

8^/10

execution
- Blocklisted process makes network request
- Downloads MZ/PE file
behavioral3
- Target
  
  20250407_KoiLoader_Samples/sd2.ps1
- Size
  
  466KB
- MD5
  
  7a441a7e686aa409412f220e4a50b7d1
- SHA1
  
  eb8ef763e195ba723bbc37aad06a50467387dd43
- SHA256
  
  b29edac39c00705b647db6ab0539aeaddcca3abd91cda4b8a68c75ee6318206c
- SHA512
  
  05e45814569082e47ab31c072ab119748827f54508eac004a093f6114fdbe8eefbd17bf754d57d8f48b3d6836a07c4826b46b2ae6f995bd1cb66e52de1e45cf6
- SSDEEP
  
  6144:f4m3IVr1QxZ8Pv9b3zzxFifMPbWkE1o08246c+nu2KTHZ70wdPX5OUG6jPjtPWyC:gmYVexdM2ol2jS7Rnh5uwszO6eM19L++
Score

8^/10

execution
- Blocklisted process makes network request
behavioral4