{
	"id": "82974ba2-b3d0-4ae2-844c-666ca83e4d0f",
	"created_at": "2026-04-06T00:21:46.62729Z",
	"updated_at": "2026-04-10T13:12:15.293018Z",
	"deleted_at": null,
	"sha1_hash": "aaae21ab158a948fec6bf631c8a5930d2f914d1c",
	"title": "KoiVM Loader Resurfaces With a Bang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1315107,
	"plain_text": "KoiVM Loader Resurfaces With a Bang\r\nPublished: 2022-12-02 · Archived: 2026-04-05 21:06:49 UTC\r\nWe at K7 Labs recently found an interesting new .NET loader which downloads and executes a KoiVM-virtualized binary, which in turn drops Remcos RAT or Agent Tesla based on the availability of its C2. The samples under consideration use hastebin URLs as their C2 servers to download the next-stage payloads. The overall flow of this multistage malware can be observed in the following flow diagram.\r\nFigure 1: Execution Flow\r\nThe initial downloader is dropped through spam emails containing attachments named “New Orders.zip” or “Export Invoice – 8026137.zip”. The Zip contains a .NET executable with the same name as the Zip file, which disguises itself as a calculator application. However, it is actually a multistage downloader.\r\nhttps://labs.k7computing.com/index.php/koivm-loader-resurfaces-with-a-bang/\r\nPage 1 of 10\n\nFigure 2: Original Name of Downloader\r\nStage-1 (Downloader Analysis)\r\nThe downloader first decodes the C2 using the decoding routine shown below.\r\nFigure 3: C2 decoding routine\r\nEach character of the C2 string is XOR’ed with its own index to obtain the C2 address. 
We can easily mimic this in Python using the code given below.\r\n\"\"\"\r\nCode to decode C2 URLs\r\n\"\"\"\r\n \r\nc2servers = \"\"\r\n# encoded C2 string extracted from the downloader\r\nencoded = r\"huvsw?)(`hy\\u007fioga\u003er}~;gw`7w{huwquISW\\u000fLQRW[\\u0013\\u0005\\u0004DL][US[]\\u001aVYZ\\u0017K[L\\u001\r\nfor c in range(0, len(encoded)):\r\n    # XOR each character with its index position\r\n    c2servers += chr(ord(encoded[c]) ^ c)\r\nprint(c2servers.replace(\",\", \"\\n\"))\r\n \r\nExtracted C2s:\r\n \r\nhxxps://hastebin[.]com/raw/nasijojiru\r\nhxxps://hastebin[.]com/raw/caqumubuyo\r\nOnce the C2 address is decoded, the downloader sends a GET request to download the encoded stage-2 KoiVM droppers. After receiving the response from the server, the downloader starts its multistage decoding routine. It base64-decodes the response and decompresses it in memory using the DeflateStream class. The resultant buffer is XORed with the key “M4use”, hardcoded in the stage-1 downloader, to get the final decoded stage-2 KoiVM dropper binaries.\r\nFigure 4: Payload decoding flow\r\nStage2 (Virtualized Droppers)\r\nFigure 5: KoiVM Dropper\r\nThe stage-2 payload is highly obfuscated and virtualized with KoiVM, which is used together with ConfuserEx to virtualize the execution of the sample. It converts every IL instruction into a byte format understood only by the KoiVM runtime.\r\nAs stated in the KoiVM Readme, virtualization with KoiVM can be done in two ways:\r\n1. Virtualize only selected methods\r\n2. Virtualize all the functions, including the ConfuserEx integrity protection\r\nThe stage-2 dropper payloads had chosen the 2nd option, virtualizing all functions, which made our analysis harder. 
Since Win32 APIs and structs are accessed using PInvoke in C#, and these cannot be virtualized or obfuscated, we were able to identify the APIs and correlate the behavior of this KoiVM dropper. The sample imports all the APIs required for process injection and in-memory execution.\r\nFigure 6: Imports accessed through PInvoke\r\nThe encoded stage-3 payload is found in the resource section of the KoiVM binary. On analyzing the blob, we found a repeating string pattern. When null bytes are XOR’ed with a key, the resultant value is the key itself; since the stage-3 payload has many null bytes, we were able to extract the XOR key used for decoding. The KoiVM sample downloaded from the other hastebin URL (the second C2 address) showed a similar pattern. There are two different final stage-3 payloads, dropped based on the C2 address accessed: the first binary is XOR-decoded using the key “Jus3ify” and the second using the key “Monito3”.\r\nFigure 7: Decoded stage-3 payloads\r\nThe key can also be identified by debugging the KoiVM Runtime using dnSpyEx and stepping into the yielder function “SelectIterator”, as shown in the image below. 
We were able to view the payload data and key as plaintext because only the functions of the KoiVM dropper binary are virtualized, not the calls to string methods.\r\nFigure 8: XOR key in memory\r\nFigure 9: XOR decoded payload in memory\r\nStage 3\r\nAgent Tesla\r\nUsing Detect It Easy we identified that the stage-3 payload is obfuscated with .NET Reactor, so we used .NetSlayer to de-obfuscate the sample for further analysis.\r\nFigure 10: Trying to de-virtualize using .NET Slayer\r\nThe tool was not able to completely de-obfuscate the sample: for example, we could see that the Agent Tesla binary implements control flow flattening, but the tool was not able to unflatten it. The strings are present in raw hex form using string interning.\r\nFigure 11: Control flow flattening implemented in Agent Tesla\r\nThe Agent Tesla malware has the capability to log keystrokes, steal browser cookies and crypto wallets, and send them to the C2. All the strings are saved as raw bytes using string interning and are accessed by their respective index and length through a class method.\r\nFigure 12: Configuration stored using string interning\r\nOn dumping the strings, we obtained a configuration file and confirmed the sample as Agent Tesla malware.\r\nFigure 13: Tesla Configuration\r\nAgent Tesla is an info-stealing malware which collects keystrokes, browser cookies, and system information. 
The collected data is sent as an attachment to a mail id – peterashley202@gmail[.]com.\r\nRemcos RAT\r\nOn viewing the strings from the stage-2 payload (the KoiVM payload2 from the second hastebin URL), we were able to identify the final payload as Remcos RAT, which was confirmed by extracting the configuration from KoiVM payload2’s resource section.\r\nFigure 14: Remcos Agent String\r\nThe RC4-encrypted configuration of Remcos RAT is saved in the resource section as “SETTINGS”.\r\nFigure 15: Remcos RAT encrypted config stored in resource\r\nThe first byte of the configuration file is the length of the RC4 key (n). The next n bytes are the RC4 key, followed by the payload bytes.\r\nFigure 16: Remcos Configuration\r\nRemcos RAT steals browser cookies, takes screenshots of the current window and sends them to the C2 present in the configuration. It establishes a listener connection with the C2 and waits for the attacker to send commands to execute.\r\nWe at K7 Labs provide detection against the latest threats, including this newer variant of the loader. 
Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date so as to safeguard their devices.\r\nIOCs\r\nFilename | MD5 Hash | K7 Detection Name\r\nStage1 Loader | 908A565A9041D68A2FEA61329D4C42B4 | Trojan-Downloader ( 00599fcf1 )\r\nStage2 (KoiVM) Tesla Dropper | 859E6D2588B14AA298F22F3E70043C69 | Trojan ( 0058ba9a1 )\r\nStage2 (KoiVM) Remcos Dropper | 3A62051DD210BC85C93BF343DCD8ACAD | Trojan ( 0058ba9a1 )\r\nStage3 (Stealer) Agent Tesla | 77047DAC5FE6958A3C7C9DD1DE08C854 | Spyware ( 0058f8971 )\r\nStage3 (Stealer) Remcos RAT | 40B71E34E832DEACFFB9589F2BB87323 | Trojan ( 0053ac2c1 )\r\nC2\r\nhxxps://hastebin[.]com/raw/nasijojiru – Agent Tesla\r\nhxxps://hastebin[.]com/raw/caqumubuyo – Remcos RAT\r\nIP\r\n172.111.234[.]110:5888\r\nSource: https://labs.k7computing.com/index.php/koivm-loader-resurfaces-with-a-bang/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/koivm-loader-resurfaces-with-a-bang/"
	],
	"report_names": [
		"koivm-loader-resurfaces-with-a-bang"
	],
	"threat_actors": [],
	"ts_created_at": 1775434906,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aaae21ab158a948fec6bf631c8a5930d2f914d1c.pdf",
		"text": "https://archive.orkl.eu/aaae21ab158a948fec6bf631c8a5930d2f914d1c.txt",
		"img": "https://archive.orkl.eu/aaae21ab158a948fec6bf631c8a5930d2f914d1c.jpg"
	}
}