Resubmissions

22/05/2025, 03:25

250522-dy27rafq6z 10

22/05/2025, 03:04

250522-dkkqjsfm3w 10

General

  • Target

    https://sites.google.com/view/upload-service-jf8ci/docs?file=45977688

  • Sample

    250522-dkkqjsfm3w

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs
      ◦ exe.dropper: https://www.entrepreneurshipvillage.com/wp-content/uploads/2021/02

Extracted

  • Family: koiloader
  • C2: http://193.23.219.255/relabel.php
  • Attributes
      ◦ payload_url: https://www.entrepreneurshipvillage.com/wp-content/uploads/2021/02

Targets

    • Target

      https://sites.google.com/view/upload-service-jf8ci/docs?file=45977688

    • KoiLoader

      KoiLoader is a malware loader written in C++.

    • Koiloader family

    • Detects KoiLoader payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Indicator Removal: Clear Persistence

      Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v16

Tasks