koiloader | a849120692103626a0e93b97e44f50f87d9388fe7b6ef921b4aad64d9f8cc77a | Triage

Submit
Reports

Overview

overview

Static

static

1

HJN0FI75O6FQ.js

windows10-2004-x64

HJN0FI75O6FQ.js

windows11-21h2-x64

Sharing

General

Target

HJN0FI75O6FQ.js
Size

1KB
Sample

240708-da7gkayfnk
MD5

9e620d8152d31eaf4d6bebf8988966e2
SHA1

bd12978de9ee93deb533aba5fd73cb200834cda1
SHA256

a849120692103626a0e93b97e44f50f87d9388fe7b6ef921b4aad64d9f8cc77a
SHA512

6c61e84987403e16eca2b8a29516b02a2fade84ef22f382681489363f7b5f4b801b24495b19e53b675a2aa28a982bfc4bc0c32acfe12aa6e3b1ecf55d01762d2

Score

10^/10

koiloader execution loader spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

HJN0FI75O6FQ.js

Resource

win10v2004-20240704-en

koiloader execution loader spyware stealer

windows10-2004-x64

12 signatures

1200 seconds

Behavioral task

behavioral2

Sample

HJN0FI75O6FQ.js

Resource

win11-20240704-en

koiloader execution loader spyware stealer

windows11-21h2-x64

11 signatures

1200 seconds

Malware Config

Extracted

Family

koiloader

C2

http://135.125.242.196/guana.php

Attributes

payload_url
https://krishnafoils.co.in/wp-content/uploads/2015/05

Targets

- Target
  
  HJN0FI75O6FQ.js
- Size
  
  1KB
- MD5
  
  9e620d8152d31eaf4d6bebf8988966e2
- SHA1
  
  bd12978de9ee93deb533aba5fd73cb200834cda1
- SHA256
  
  a849120692103626a0e93b97e44f50f87d9388fe7b6ef921b4aad64d9f8cc77a
- SHA512
  
  6c61e84987403e16eca2b8a29516b02a2fade84ef22f382681489363f7b5f4b801b24495b19e53b675a2aa28a982bfc4bc0c32acfe12aa6e3b1ecf55d01762d2
Score

10^/10

koiloader execution loader spyware stealer
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Detects KoiLoader payload
  loader
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

JavaScript

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

koiloaderexecutionloaderspywarestealer

behavioral2

koiloaderexecutionloaderspywarestealer

© 2018-2024

Terms | Privacy