MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cf1e1aea2faa2e0f26bba6970bef31c578a605f35506d21d666df50d5d93ae6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


KoiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cf1e1aea2faa2e0f26bba6970bef31c578a605f35506d21d666df50d5d93ae6
SHA3-384 hash: f17d32a7d9057ea845282a4f03ca5bb42e2f3697fb09eb6f539efaf8aec244b19575d1cbfa2d175a067621a7e1b33a1f
SHA1 hash: 672ce2c6d87fad779f038878e9d03bb82aaf7e73
MD5 hash: ab195ecfbddc6db7caaf4db0ae936aa8
humanhash: six-johnny-snake-violet
File name:trapapO.ps1
Download: download sample
Signature KoiLoader
Create hunting rule
File size:7'367 bytes
First seen:2025-07-12 19:03:56 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 192:9vOuLf6+qUClbRZqwiJY5AH+W4BJeGZjf6H1vTqTZTL:9vQ+yo+y2
TLSH T1E1E17BE5BE1C45E419BB125CDF928C82A95DA57415F84502F6BE8C0BF79FE2480F0B0D
Magika powershell
Reporter abuse_ch
Tags:KoiLoader ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
31
Origin country :
SE SE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.9403.10495.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6872b1c1900df8e7f86a4308
Tags:
virus shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
mimikatz powershell
Link:
https://www.filescan.io/uploads/6872b1cba15b22faa8afb917/reports/8251a84f-4031-4905-84d6-9b9cb2536a05/overview
Verdict:
Malicious
Labled as:
BZC.PZQ.Boxter.826
Link:
https://www.hybrid-analysis.com/sample/6cf1e1aea2faa2e0f26bba6970bef31c578a605f35506d21d666df50d5d93ae6
Result
Threat name:
AZORult++, KoiLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1734901
Signature
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Detected AZORult++ Trojan
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Download and Execute IEX
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Yara detected KoiLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1734901 Sample: trapapO.ps1 Startdate: 12/07/2025 Architecture: WINDOWS Score: 100 33 www.vuelaviajero.com 2->33 35 vuelaviajero.com 2->35 41 Suricata IDS alerts for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 11 other signatures 2->47 8 powershell.exe 15 33 2->8         started        12 cmd.exe 1 2->12         started        14 wscript.exe 2->14         started        16 5 other processes 2->16 signatures3 process4 dnsIp5 37 94.156.152.54, 49693, 49694, 49696 NET1-ASBG Bulgaria 8->37 39 vuelaviajero.com 208.109.201.79, 443, 49691, 49692 AS-26496-GO-DADDY-COM-LLCUS United States 8->39 51 Contains functionality to bypass UAC (CMSTPLUA) 8->51 53 Detected AZORult++ Trojan 8->53 55 Contain functionality to detect virtual machines 8->55 59 3 other signatures 8->59 18 cmd.exe 1 8->18         started        20 conhost.exe 8->20         started        57 Adds a directory exclusion to Windows Defender 12->57 22 powershell.exe 23 12->22         started        25 conhost.exe 12->25         started        signatures6 process7 signatures8 27 powershell.exe 17 18->27         started        29 conhost.exe 18->29         started        49 Loading BitLocker PowerShell Module 22->49 31 WmiPrvSE.exe 22->31         started        process9
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/6cf1e1aea2faa2e0f26bba6970bef31c578a605f35506d21d666df50d5d93ae6
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6cf1e1aea2faa2e0f26bba6970bef31c578a605f35506d21d666df50d5d93ae6/
Verdict:
Malicious
Threat:
trojan.boxter/powershell
Link:
https://tip.neiki.dev/file/6cf1e1aea2faa2e0f26bba6970bef31c578a605f35506d21d666df50d5d93ae6
Threat name:
Script-PowerShell.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2025-06-17 18:21:00 UTC
File Type:
Text (PowerShell)
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nty6dlvc7krob4tlxjuxbpxtdrlyuyc7gvig2iowm3pvbvozhlta._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250712-xq4kdstzdw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/6cf1e1aea2faa2e0f26bba6970bef31c578a605f35506d21d666df50d5d93ae6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments