Resubmissions

23/04/2025, 21:32

250423-1dnvys1sc1 10

General

  • Target

    citi_april_2025.lnk

  • Size

    1KB

  • Sample

    250423-1dnvys1sc1

  • MD5

    8e5e5408944104b9dc5643bef523f42e

  • SHA1

    43d38dd7f2c22f927f847ffb1a424a23d74832b8

  • SHA256

    f87cf2f67dbbbe69e14dc40cca510ec19034f1787b6c4167c1fae078f3fe5aed

  • SHA512

    3a7523af7c0c63d39001c14dd395f5ff5c713dd5c1459fe8c36840a7da8be924b5e3477c1f65178a50b4208f1144b69e4a343fef0c8f36a9b67c22f94a495427

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://www.wilkinsonbeane.com/css/slider/ynebhc.php

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.wilkinsonbeane.com/css/slider

Extracted

Family

koiloader

C2

http://79.124.78.173/incongruousness.php

Attributes
  • payload_url

    https://www.wilkinsonbeane.com/css/slider

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.wilkinsonbeane.com/css/slider

Targets

    • Target

      citi_april_2025.lnk

    • Size

      1KB

    • MD5

      8e5e5408944104b9dc5643bef523f42e

    • SHA1

      43d38dd7f2c22f927f847ffb1a424a23d74832b8

    • SHA256

      f87cf2f67dbbbe69e14dc40cca510ec19034f1787b6c4167c1fae078f3fe5aed

    • SHA512

      3a7523af7c0c63d39001c14dd395f5ff5c713dd5c1459fe8c36840a7da8be924b5e3477c1f65178a50b4208f1144b69e4a343fef0c8f36a9b67c22f94a495427

    • KoiLoader

      KoiLoader is a malware loader written in C++.

    • KoiStealer

      KoiStealer is an infostealer written in C#.

    • Koiloader family

    • Koistealer family

    • Detects KoiLoader payload

    • Detects KoiStealer payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke Web Request.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Indicator Removal: Clear Persistence

      Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.

MITRE ATT&CK Enterprise v16

Tasks