Behavioral task: behavioral1
Sample: 9d207ac26ce1f1d08b56c147d61ca8537eb7ce627a7bf3d3e1bb5f0a6a892a89.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 9d207ac26ce1f1d08b56c147d61ca8537eb7ce627a7bf3d3e1bb5f0a6a892a89.exe
Resource: win10v2004-20240611-en
General
Target: 06d6e124b49c3e56c1965786e744242d.bin
Size: 21KB
MD5: 37332e425e6de942db77eac6e75168b8
SHA1: 8433c39fadc617d4630208d0f143567364fa5bc7
SHA256: 6671b34efa5ff16b13652d5d4a380bdc2a06e2b9aaa3b86ae53ad9e110383038
SHA512: 7c824c9d610bf6ce1674d8ec6fc5e0991ac61a9d0de76c19207d410d45795ae0a59ea56753be6df0a689e359fc3722e1730f1ef8e2e54dc3ae3384f570d430b7
SSDEEP: 384:TDJY2gj8H29UNZaok5NTOGo/q5iCfBJ27DeTAFs41gEE8BN5bb8D3Zi9XDO8fD12:mju3NoNUo/fBJ4yks4uEzB/bbpCwD1O1
Malware Config
Extracted
koiloader
http://195.54.160.202/gowan.php
payload_url: https://www.luciaricciardi.com/wp-content/uploads/2018/12
Signatures
Detects KoiLoader payload (1 IoCs)
Processes:
resource: static1/unpack001/9d207ac26ce1f1d08b56c147d61ca8537eb7ce627a7bf3d3e1bb5f0a6a892a89.exe, yara_rule: family_koi_loader
Koiloader family
Unsigned PE (1 IoCs)
Checks for missing Authenticode signature.
Processes:
resource: unpack001/9d207ac26ce1f1d08b56c147d61ca8537eb7ce627a7bf3d3e1bb5f0a6a892a89.exe
Files
06d6e124b49c3e56c1965786e744242d.bin.zip (Password: infected)
9d207ac26ce1f1d08b56c147d61ca8537eb7ce627a7bf3d3e1bb5f0a6a892a89.exe.exe windows:6 windows x86 arch:x86 (Password: infected)
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
wininet
InternetQueryOptionW
InternetQueryDataAvailable
InternetOpenW
InternetCrackUrlW
HttpSendRequestW
InternetCloseHandle
InternetConnectW
InternetSetOptionW
InternetReadFile
HttpOpenRequestW
shlwapi
wnsprintfA
PathCombineW
wnsprintfW
StrStrIW
StrToIntA
StrCmpNIA
StrStrW
StrCmpIW
StrNCatW
urlmon
ObtainUserAgentString
ntdll
NtQueryInformationProcess
NtClose
RtlInitUnicodeString
ws2_32
recv
htons
closesocket
select
inet_pton
WSAStartup
connect
socket
send
netapi32
NetApiBufferFree
NetUserGetInfo
kernel32
MultiByteToWideChar
GetFileAttributesW
GetUserDefaultLangID
GetCurrentProcessId
GetWindowsDirectoryW
OpenProcess
VirtualAlloc
lstrcmpW
lstrcpyW
GlobalMemoryStatusEx
GetComputerNameW
ExitProcess
CreateThread
GetLastError
GetTickCount64
Sleep
GetSystemWow64DirectoryW
SetFileAttributesW
GetModuleHandleA
GetSystemDirectoryW
FindClose
CreateMutexW
GetTickCount
ReadFile
WriteFile
GetTempPathW
CreateFileW
GetFileAttributesExW
DeleteFileW
CloseHandle
GetFileSize
HeapFree
HeapReAlloc
HeapAlloc
GetProcessHeap
WriteProcessMemory
GetCurrentProcess
CreatePipe
SetFilePointer
SetEndOfFile
PeekNamedPipe
WaitForSingleObject
lstrcmpA
ResumeThread
LoadLibraryA
VirtualProtectEx
GetThreadContext
GetProcAddress
VirtualAllocEx
ReadProcessMemory
CreateProcessW
GetModuleHandleW
SetThreadContext
FlushFileBuffers
WideCharToMultiByte
GetVolumeInformationW
FindFirstFileW
EnterCriticalSection
FindNextFileW
lstrlenW
ExpandEnvironmentStringsW
GetModuleFileNameW
LeaveCriticalSection
InitializeCriticalSection
user32
EnumDisplayDevicesW
wsprintfA
wsprintfW
advapi32
RegQueryValueExW
CryptAcquireContextA
LsaFreeMemory
LsaQueryInformationPolicy
LsaOpenPolicy
LsaClose
GetUserNameW
InitiateSystemShutdownExW
RegCloseKey
RegOpenKeyExW
CryptGenRandom
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken
shell32
SHGetFolderPathW
ShellExecuteW
ole32
CoCreateInstance
CoUninitialize
CoInitializeEx
CoGetObject
StringFromGUID2
oleaut32
SysFreeString
SysAllocString
VariantClear
VariantInit
Sections
.text Size: 34KB - Virtual size: 33KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ