MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd56d8d92b125dc1cbd12a164274adf032f2053bfa5ac48c39e645fa1b61400f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

KoiLoader

Vendor detections: 8

Intelligence 8 IOCs YARA 11 File information Comments

SHA256 hash:	dd56d8d92b125dc1cbd12a164274adf032f2053bfa5ac48c39e645fa1b61400f
SHA3-384 hash:	416c19ce63fabca89a2c3ab29e23ea6f9bafdcc182a0fc0ea5f93d7f89ed1150a19180e6b158f80c52a42b4f1bae7bde
SHA1 hash:	04a6703d396aaa93f983707f5e4cb16354831998
MD5 hash:	a93e3c163820bc0d6bf9dbd1213f4944
humanhash:	dakota-fourteen-black-golf
File name:	chase_statement_march.zip
Download:	download sample
Signature	KoiLoader Create hunting rule
File size:	919 bytes
First seen:	2025-03-21 17:08:58 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	24:9filkN/B302TjYsE65teDpUCZ18f3O9iJj+/l:9f4K5302c9DaK8f3SXt
TLSH	T13511F7F92215AE16D0DADB30D41B47BBCA3A2A45C0C113334A80A0EC0CD0AC06FE31D7
Magika	zip
Reporter	JAMESWT_WT
Tags:	185-81-2-76 casettalecese-it KoiLoader zip

Intelligence

File Origin

# of uploads :

# of downloads :

592

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	chase_statement_march.lnk
File size:	1'685 bytes
SHA256 hash:	02f27282ecc90843bd932d731c87426f78e4f88d79c66374ae06c6d1641c73cb
MD5 hash:	202ee916a0113699880cc2e48a73d353
MIME type:	application/octet-stream
Signature	KoiLoader

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malicious

File Type:

LNK File - Malicious

Link:

https://app.docguard.net/dd56d8d92b125dc1cbd12a164274adf032f2053bfa5ac48c39e645fa1b61400f/results/dashboard

Payload URLs

URL

File name

https://casettalecese.it/wp-content/uploads/2022/10/hemigastrectomySDur.php',

LNK File

Behaviour

BlacklistAPI detected

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade

Link:

https://www.filescan.io/uploads/67dd9d43a175d31773441a89/reports/f4ce3c56-85b8-4c48-9e11-3e9cb7646f30/overview

Verdict:

Suspicious

Labled as:

Mal/DownLnk

Link:

https://www.hybrid-analysis.com/sample/dd56d8d92b125dc1cbd12a164274adf032f2053bfa5ac48c39e645fa1b61400f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dd56d8d92b125dc1cbd12a164274adf032f2053bfa5ac48c39e645fa1b61400f/

Threat name:

Shortcut.Trojan.Koiloader

Status:

Malicious

First seen:

2025-03-21 17:09:08 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3vlnrwjlcjo4ds6rfilee5fn6azpebj37jnmjdbz4zc7ug3biahq._file

Result

Malware family:

koiloader

Score:

10/10

Tags:

family:koiloader defense_evasion discovery execution loader

Link:

https://tria.ge/reports/250321-v3sbsatyfz/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Indicator Removal: Clear Persistence

Checks computer location settings

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Detects KoiLoader payload

KoiLoader

Koiloader family

Malware Config

C2 Extraction:

http://94.247.42.253/pilot.php

Dropper Extraction:

https://casettalecese.it/wp-content/uploads/2022/10

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dd56d8d92b125dc1cbd12a164274adf032f2053bfa5ac48c39e645fa1b61400f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Download_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies download artefacts in shortcut (LNK) files.

Rule name:	PS_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name:	Script_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies scripting artefacts in shortcut (LNK) files.

Rule name:	SUSP_LNK_PowerShell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference to powershell inside an lnk file, which is suspicious

Rule name:	SUSP_ZIP_LNK_PhishAttachment Create hunting rule
Author:	ignacior
Description:	Detects suspicius tiny ZIP files with malicious lnk files
Reference:	Internal Research

Rule name:	SUSP_ZIP_LNK_PhishAttachment_Pattern_Jun22_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects suspicious tiny ZIP files with phishing attachment characteristics
Reference:	Internal Research

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample