Behavioral task: behavioral1
- Sample: 950eee474cf4cb3b59178b348cfd618460dc7a895b6a024aa7b3c07845b5c6ab_dump.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 950eee474cf4cb3b59178b348cfd618460dc7a895b6a024aa7b3c07845b5c6ab_dump.exe
- Resource: win10v2004-20240508-en
General
- Target: 950eee474cf4cb3b59178b348cfd618460dc7a895b6a024aa7b3c07845b5c6ab_dump.exe
- Size: 40KB
- MD5: 06d6e124b49c3e56c1965786e744242d
- SHA1: 1689ad140d22b3c6427e3e36c6b1b49e301201d1
- SHA256: 9d207ac26ce1f1d08b56c147d61ca8537eb7ce627a7bf3d3e1bb5f0a6a892a89
- SHA512: 06f784486ebd8fd6373ebee84f118664d68cbfa6787a72565df3418e331dadbdee75bdb0589dc7e423bc41273a9e00120e4f9593d1d43d4c764f0da0e882e886
- SSDEEP: 768:MTOI/KJwIsoca5IGsbNfEItP1NdNh9um/dRAFZzQk9FzRxbjy+QPbmepvKBBO:MN/KJw1oca+bNfEIXNh9ZAFqk9FHOmrQ
Malware Config
Extracted: koiloader
- http://195.54.160.202/gowan.php
- payload_url: https://www.luciaricciardi.com/wp-content/uploads/2018/12
Signatures
Files
- 950eee474cf4cb3b59178b348cfd618460dc7a895b6a024aa7b3c07845b5c6ab_dump.exe.exe windows:6 windows x86 arch:x86
  76ccaa34cdbb1717c51923cfa04589e7
Headers
- DLL Characteristics: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_NO_SEH, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
- File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE
Imports
- wininet: InternetQueryOptionW, InternetQueryDataAvailable, InternetOpenW, InternetCrackUrlW, HttpSendRequestW, InternetCloseHandle, InternetConnectW, InternetSetOptionW, InternetReadFile, HttpOpenRequestW
- shlwapi: wnsprintfA, PathCombineW, wnsprintfW, StrStrIW, StrToIntA, StrCmpNIA, StrStrW, StrCmpIW, StrNCatW
- urlmon: ObtainUserAgentString
- ntdll: NtQueryInformationProcess, NtClose, RtlInitUnicodeString
- ws2_32: recv, htons, closesocket, select, inet_pton, WSAStartup, connect, socket, send
- netapi32: NetApiBufferFree, NetUserGetInfo
- kernel32: MultiByteToWideChar, GetFileAttributesW, GetUserDefaultLangID, GetCurrentProcessId, GetWindowsDirectoryW, OpenProcess, VirtualAlloc, lstrcmpW, lstrcpyW, GlobalMemoryStatusEx, GetComputerNameW, ExitProcess, CreateThread, GetLastError, GetTickCount64, Sleep, GetSystemWow64DirectoryW, SetFileAttributesW, GetModuleHandleA, GetSystemDirectoryW, FindClose, CreateMutexW, GetTickCount, ReadFile, WriteFile, GetTempPathW, CreateFileW, GetFileAttributesExW, DeleteFileW, CloseHandle, GetFileSize, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap, WriteProcessMemory, GetCurrentProcess, CreatePipe, SetFilePointer, SetEndOfFile, PeekNamedPipe, WaitForSingleObject, lstrcmpA, ResumeThread, LoadLibraryA, VirtualProtectEx, GetThreadContext, GetProcAddress, VirtualAllocEx, ReadProcessMemory, CreateProcessW, GetModuleHandleW, SetThreadContext, FlushFileBuffers, WideCharToMultiByte, GetVolumeInformationW, FindFirstFileW, EnterCriticalSection, FindNextFileW, lstrlenW, ExpandEnvironmentStringsW, GetModuleFileNameW, LeaveCriticalSection, InitializeCriticalSection
- user32: EnumDisplayDevicesW, wsprintfA, wsprintfW
- advapi32: RegQueryValueExW, CryptAcquireContextA, LsaFreeMemory, LsaQueryInformationPolicy, LsaOpenPolicy, LsaClose, GetUserNameW, InitiateSystemShutdownExW, RegCloseKey, RegOpenKeyExW, CryptGenRandom, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenProcessToken
- shell32: SHGetFolderPathW, ShellExecuteW
- ole32: CoCreateInstance, CoUninitialize, CoInitializeEx, CoGetObject, StringFromGUID2
- oleaut32: SysFreeString, SysAllocString, VariantClear, VariantInit
Sections
- .text Size: 34KB - Virtual size: 33KB; flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
- .data Size: 512B - Virtual size: 3KB; flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- .idata Size: 3KB - Virtual size: 3KB; flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
- .reloc Size: 1KB - Virtual size: 1KB; flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ