General

  • Target

    9c6df894c8e02e63410b45e9390e66b0.bin

  • Size

    1KB

  • Sample

    250425-bs7tya1pt6

  • MD5

    380ff67ae5146a0d7dda630ecf3f0823

  • SHA1

    5d29e242739a3a842bfa1caad874eb9f7aaa083e

  • SHA256

    e3111e14cda22d3af560f7fd45592c22e2a4125b2d18edc51531b837c6234e7b

  • SHA512

    29a7e0a1e5aafc465a5cb8a1ba2a0dea4a7d2c6c03c0c452c5bc231f648b768eaaeb5d744ddab94b8462c5676541c29bd691678f17a5cffd01b86f6e9c2ad6e6

Malware Config

Extracted

  • Language

    ps1

  • Source URLs

    exe.dropper: https://www.wilkinsonbeane.com/css/slider/ynebhc.php

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: https://www.wilkinsonbeane.com/css/slider

Extracted

  • Family

    koiloader

  • C2

    http://79.124.78.173/incongruousness.php

  • Attributes

    payload_url: https://www.wilkinsonbeane.com/css/slider

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: https://www.wilkinsonbeane.com/css/slider

Targets

    • Target

      citi_april_2025.lnk

    • Size

      1KB

    • MD5

      8e5e5408944104b9dc5643bef523f42e

    • SHA1

      43d38dd7f2c22f927f847ffb1a424a23d74832b8

    • SHA256

      f87cf2f67dbbbe69e14dc40cca510ec19034f1787b6c4167c1fae078f3fe5aed

    • SHA512

      3a7523af7c0c63d39001c14dd395f5ff5c713dd5c1459fe8c36840a7da8be924b5e3477c1f65178a50b4208f1144b69e4a343fef0c8f36a9b67c22f94a495427

    • KoiLoader

      KoiLoader is a malware loader written in C++.

    • KoiStealer

      KoiStealer is an infostealer written in C#.

    • Koiloader family

    • Koistealer family

    • Detects KoiLoader payload

    • Detects KoiStealer payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Indicator Removal: Clear Persistence

      Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.

MITRE ATT&CK Enterprise v16
