General
-
Target
9c6df894c8e02e63410b45e9390e66b0.bin
-
Size
1KB
-
Sample
250425-bs7tya1pt6
-
MD5
380ff67ae5146a0d7dda630ecf3f0823
-
SHA1
5d29e242739a3a842bfa1caad874eb9f7aaa083e
-
SHA256
e3111e14cda22d3af560f7fd45592c22e2a4125b2d18edc51531b837c6234e7b
-
SHA512
29a7e0a1e5aafc465a5cb8a1ba2a0dea4a7d2c6c03c0c452c5bc231f648b768eaaeb5d744ddab94b8462c5676541c29bd691678f17a5cffd01b86f6e9c2ad6e6
Static task
static1
Behavioral task
behavioral1
Sample
citi_april_2025.lnk
Resource
win10v2004-20250410-en
Behavioral task
behavioral2
Sample
citi_april_2025.lnk
Resource
win11-20250410-en
Malware Config
Extracted
https://www.wilkinsonbeane.com/css/slider/ynebhc.php
Extracted
https://www.wilkinsonbeane.com/css/slider
Extracted
koiloader
http://79.124.78.173/incongruousness.php
-
payload_url
https://www.wilkinsonbeane.com/css/slider
Extracted
https://www.wilkinsonbeane.com/css/slider
Targets
-
Target
citi_april_2025.lnk
-
Size
1KB
-
MD5
8e5e5408944104b9dc5643bef523f42e
-
SHA1
43d38dd7f2c22f927f847ffb1a424a23d74832b8
-
SHA256
f87cf2f67dbbbe69e14dc40cca510ec19034f1787b6c4167c1fae078f3fe5aed
-
SHA512
3a7523af7c0c63d39001c14dd395f5ff5c713dd5c1459fe8c36840a7da8be924b5e3477c1f65178a50b4208f1144b69e4a343fef0c8f36a9b67c22f94a495427
-
Koiloader family
-
Koistealer family
-
Detects KoiLoader payload
-
Detects KoiStealer payload
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Indicator Removal: Clear Persistence
Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.
-