General
- Target: citi_april_2025.lnk
- Size: 1KB
- Sample: 250425-kghv4swjt5
- MD5: 8e5e5408944104b9dc5643bef523f42e
- SHA1: 43d38dd7f2c22f927f847ffb1a424a23d74832b8
- SHA256: f87cf2f67dbbbe69e14dc40cca510ec19034f1787b6c4167c1fae078f3fe5aed
- SHA512: 3a7523af7c0c63d39001c14dd395f5ff5c713dd5c1459fe8c36840a7da8be924b5e3477c1f65178a50b4208f1144b69e4a343fef0c8f36a9b67c22f94a495427
Static task
- static1

Behavioral task
- behavioral1
  - Sample: citi_april_2025.lnk
  - Resource: win10v2004-20250314-en

Behavioral task
- behavioral2
  - Sample: citi_april_2025.lnk
  - Resource: win11-20250410-en
Malware Config
- Extracted: https://www.wilkinsonbeane.com/css/slider/ynebhc.php
- Extracted: https://www.wilkinsonbeane.com/css/slider
- Extracted: koiloader
  - C2: http://79.124.78.173/incongruousness.php
  - payload_url: https://www.wilkinsonbeane.com/css/slider
- Extracted: https://www.wilkinsonbeane.com/css/slider
Targets
- Koiloader family
- Koistealer family
- Detects KoiLoader payload
- Detects KoiStealer payload
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Indicator Removal: Clear Persistence: clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.