YARAhub
You are currently viewing the YARAhub entry for the YARA rule KoiLoader. Depending on the TLP classification the author chose for this rule, further information about it is available below.
YARA Rule Details: KoiLoader
| Field | Value |
|---|---|
| Rule name | KoiLoader |
| Author | NDA0E - @NDA0E |
| Description | Detects KoiLoader |
| Reference MD5 | f7f61ffb8e1f1e272bdf4d326086e760 |
| Likes | 0 |
| Reference Link | n/a |
| Malpedia Family | https://malpedia.caad.fkie.fraunhofer.de/details/win.koiloader |
| Date added | 2024-10-25 |
| Rule Matching TLP | TLP:WHITE |
| Rule Sharing TLP | TLP:WHITE |
| License | https://creativecommons.org/licenses/by/4.0/ |
| UUID | eb242ec9-e7d8-4ee0-941a-32587a8a6ec2 |
| Static hits | 54 |
| Unpacker hits | 0 |
YARA Rule Content
The content of the YARA rule is shown below.
```yara
rule KoiLoader {
    meta:
        author = "NDA0E"
        yarahub_author_twitter = "@NDA0E"
        date = "2024-10-25"
        description = "Detects KoiLoader"
        yarahub_uuid = "eb242ec9-e7d8-4ee0-941a-32587a8a6ec2"
        yarahub_license = "CC BY 4.0"
        yarahub_rule_matching_tlp = "TLP:WHITE"
        yarahub_rule_sharing_tlp = "TLP:WHITE"
        yarahub_reference_md5 = "f7f61ffb8e1f1e272bdf4d326086e760"
        malpedia_family = "win.koiloader"

    strings:
        // Wildcarded x86 code pattern (register/displacement bytes masked with ??)
        $a = {8b ?? ?? 8b ?? ?? 2b ?? ?? 89 ?? ?? 8b ?? ?? 5? 8b ?? ?? 5? e8 ?? ?? ?? ?? 83 c? ?? 8d ?? ?? 5? 6a ?? 8b ?? ?? 8b ?? ?? 5? 8b ?? ?? 5? ff 15 ?? ?? ?? ?? 33 ?? 66 89 ?? ?? eb ?? 66 8b ?? ?? 66 83 c? ?? 66 89 ?? ?? 0f b7 ?? ?? 8b ?? ?? 0f b7 ?? ?? 3b ?? 0f 8d ?? ?? ?? ?? 0f b7 ?? ?? 6b ?? ?? 8b ?? ?? 8b ?? ?? 03 ?? ?? ?? 89 ?? ?? 0f b7 ?? ?? 6b ?? ?? 8b ?? ?? 8b ?? ?? ?? 81 e? ?? ?? ?? ?? 74 ?? 68 ?? ?? ?? ?? 0f b7 ?? ?? 6b ?? ?? 8b ?? ?? 8b ?? ?? ?? 5? 8b ?? ?? 5? ff 15 ?? ?? ?? ?? eb ??}

    condition:
        // "MZ" DOS header magic: restrict matching to PE files
        uint16(0) == 0x5a4d and
        all of them
}
```
YARA Rule Matches
The following table shows the most recent files matching this particular YARA rule.
| First seen (UTC) | SHA256 hash | Static matches | Unpacker matches |
|---|---|---|---|