ET ATTACK_RESPONSE Koi Loader/Stealer Payload Inbound

SID: 2059759Rev: 151 views
Sourceet/open
CreatedJanuary 29, 2025
UpdatedJanuary 29, 2025
Classificationtrojan-activity
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Koi Loader/Stealer Payload Inbound"; flow:established,to_client; content:"|24|guid|20 3d 20 28|Get|2d|ItemProperty|20 2d|Path|20|HKLM|3a 5c|SOFTWARE|5c|Microsoft|5c|Cryptography|29 2e|MachineGuid"; fast_pattern; content:"|3d 20 28|new|2d|object|20|net|2e|webclient|29 2e|downloadstring|28 22|http"; distance:0; content:"|2e|php|3f|id|3d 24|guid|26|subid|3d|"; distance:0; content:"|22 29 2e|Split|28 27 7c 27 29|"; distance:0; reference:url,malware-traffic-analysis.net/2025/01/23/index.html; classtype:trojan-activity; sid:2059759; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2025_01_29, deployment Perimeter, malware_family KoiStealer, confidence Medium, signature_severity Major, updated_at 2025_01_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer; target:dest_ip;)

References

urlmalware-traffic-analysis.net/2025/01/23/index.html

Metadata

affected productWindows_XP_Vista_7_8_10_Server_32_64_Bit
attack targetClient_Endpoint
tls stateplaintext
created at2025_01_29
deploymentPerimeter
malware familyKoiStealer
confidenceMedium
signature severityMajor
updated at2025_01_29
mitre tactic idTA0011
mitre tactic nameCommand_And_Control
mitre technique idT1105
mitre technique nameIngress_Tool_Transfer

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!