General
Target: HJN0FI75O6FQ.js
Size: 1KB
Sample: 240708-da7gkayfnk
MD5: 9e620d8152d31eaf4d6bebf8988966e2
SHA1: bd12978de9ee93deb533aba5fd73cb200834cda1
SHA256: a849120692103626a0e93b97e44f50f87d9388fe7b6ef921b4aad64d9f8cc77a
SHA512: 6c61e84987403e16eca2b8a29516b02a2fade84ef22f382681489363f7b5f4b801b24495b19e53b675a2aa28a982bfc4bc0c32acfe12aa6e3b1ecf55d01762d2
Static task: static1
Behavioral task: behavioral1
Sample: HJN0FI75O6FQ.js
Resource: win10v2004-20240704-en
Malware Config
Extracted: koiloader
http://135.125.242.196/guana.php
payload_url: https://krishnafoils.co.in/wp-content/uploads/2015/05
Targets
Detects KoiLoader payload
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Accesses cryptocurrency files/wallets, possible credential harvesting