koiloader | 06d6e124b49c3e56c1965786e744242d[.]bin

Sharing

Copy URL

Twitter E-mail

General

Target

06d6e124b49c3e56c1965786e744242d.bin
Size

21KB
MD5

37332e425e6de942db77eac6e75168b8
SHA1

8433c39fadc617d4630208d0f143567364fa5bc7
SHA256

6671b34efa5ff16b13652d5d4a380bdc2a06e2b9aaa3b86ae53ad9e110383038
SHA512

7c824c9d610bf6ce1674d8ec6fc5e0991ac61a9d0de76c19207d410d45795ae0a59ea56753be6df0a689e359fc3722e1730f1ef8e2e54dc3ae3384f570d430b7
SSDEEP

384:TDJY2gj8H29UNZaok5NTOGo/q5iCfBJ27DeTAFs41gEE8BN5bb8D3Zi9XDO8fD12:mju3NoNUo/fBJ4yks4uEzB/bbpCwD1O1

Score

10^/10

loader koiloader

Malware Config

Extracted

Family

koiloader

http://195.54.160.202/gowan.php

Attributes

payload_url
https://www.luciaricciardi.com/wp-content/uploads/2018/12

Signatures

Detects KoiLoader payload 1 IoCs
loader

Processes:

resource yara_rule

static1/unpack001/9d207ac26ce1f1d08b56c147d61ca8537eb7ce627a7bf3d3e1bb5f0a6a892a89.exe family_koi_loader
Koiloader family
koiloader
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

unpack001/9d207ac26ce1f1d08b56c147d61ca8537eb7ce627a7bf3d3e1bb5f0a6a892a89.exe

resource	yara_rule
static1/unpack001/9d207ac26ce1f1d08b56c147d61ca8537eb7ce627a7bf3d3e1bb5f0a6a892a89.exe	family_koi_loader

resource
unpack001/9d207ac26ce1f1d08b56c147d61ca8537eb7ce627a7bf3d3e1bb5f0a6a892a89.exe

Files

06d6e124b49c3e56c1965786e744242d.bin
.zip

Password: infected
9d207ac26ce1f1d08b56c147d61ca8537eb7ce627a7bf3d3e1bb5f0a6a892a89.exe
.exe windows:6 windows x86 arch:x86

Password: infected

76ccaa34cdbb1717c51923cfa04589e7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

wininet

InternetQueryOptionW
InternetQueryDataAvailable
InternetOpenW
InternetCrackUrlW
HttpSendRequestW
InternetCloseHandle
InternetConnectW
InternetSetOptionW
InternetReadFile
HttpOpenRequestW

shlwapi

wnsprintfA
PathCombineW
wnsprintfW
StrStrIW
StrToIntA
StrCmpNIA
StrStrW
StrCmpIW
StrNCatW

urlmon

ObtainUserAgentString

ntdll

NtQueryInformationProcess
NtClose
RtlInitUnicodeString

ws2_32

recv
htons
closesocket
select
inet_pton
WSAStartup
connect
socket
send

netapi32

NetApiBufferFree
NetUserGetInfo

kernel32

MultiByteToWideChar
GetFileAttributesW
GetUserDefaultLangID
GetCurrentProcessId
GetWindowsDirectoryW
OpenProcess
VirtualAlloc
lstrcmpW
lstrcpyW
GlobalMemoryStatusEx
GetComputerNameW
ExitProcess
CreateThread
GetLastError
GetTickCount64
Sleep
GetSystemWow64DirectoryW
SetFileAttributesW
GetModuleHandleA
GetSystemDirectoryW
FindClose
CreateMutexW
GetTickCount
ReadFile
WriteFile
GetTempPathW
CreateFileW
GetFileAttributesExW
DeleteFileW
CloseHandle
GetFileSize
HeapFree
HeapReAlloc
HeapAlloc
GetProcessHeap
WriteProcessMemory
GetCurrentProcess
CreatePipe
SetFilePointer
SetEndOfFile
PeekNamedPipe
WaitForSingleObject
lstrcmpA
ResumeThread
LoadLibraryA
VirtualProtectEx
GetThreadContext
GetProcAddress
VirtualAllocEx
ReadProcessMemory
CreateProcessW
GetModuleHandleW
SetThreadContext
FlushFileBuffers
WideCharToMultiByte
GetVolumeInformationW
FindFirstFileW
EnterCriticalSection
FindNextFileW
lstrlenW
ExpandEnvironmentStringsW
GetModuleFileNameW
LeaveCriticalSection
InitializeCriticalSection

user32

EnumDisplayDevicesW
wsprintfA
wsprintfW

advapi32

RegQueryValueExW
CryptAcquireContextA
LsaFreeMemory
LsaQueryInformationPolicy
LsaOpenPolicy
LsaClose
GetUserNameW
InitiateSystemShutdownExW
RegCloseKey
RegOpenKeyExW
CryptGenRandom
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken

shell32

SHGetFolderPathW
ShellExecuteW

ole32

CoCreateInstance
CoUninitialize
CoInitializeEx
CoGetObject
StringFromGUID2

oleaut32

SysFreeString
SysAllocString
VariantClear
VariantInit

Sections

.text
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

76ccaa34cdbb1717c51923cfa04589e7

Headers

DLL Characteristics

File Characteristics

Imports

wininet

shlwapi

urlmon

ntdll

ws2_32

netapi32

kernel32

user32

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 34KB - Virtual size: 33KB

.data Size: 512B - Virtual size: 3KB

.idata Size: 3KB - Virtual size: 3KB

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 34KB - Virtual size: 33KB

.data
Size: 512B - Virtual size: 3KB

.idata
Size: 3KB - Virtual size: 3KB

.reloc
Size: 1KB - Virtual size: 1KB