## Overview

This investigation analyzes suspicious network traffic detected by Suricata IDS.
The alert indicated possible command-and-control (C2) communication associated with the Koi Stealer malware family.
## Tools Used

- Suricata IDS
- Wireshark
- PCAP traffic analysis
## Detection

Suricata generated the following alert:

```
ET MALWARE Win32/Koi Stealer CnC Checkin
```
## Traffic Analysis

Wireshark inspection revealed an HTTP request from the internal host to the external server:

```
172.17.0.99 → 79.124.78.197
```

Observed request:

```
GET /index.php?id=&subid=qI0uKk7U
```
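To turn the observed request shape into a repeatable check across other hosts, the following added example (not part of the original investigation) scans Suricata EVE JSON `http` events for GET requests to `/index.php` that carry an empty `id` parameter and a non-empty `subid`, and flags whether the destination is the C2 address reported here. The EVE lines are constructed samples that reproduce the observed request alongside benign and unlisted-destination traffic.

```python
import json
from urllib.parse import urlsplit, parse_qs

# C2 address reported in this investigation; a hit here is a confirmed IoC match.
KNOWN_C2 = {"79.124.78.197"}

# Constructed sample Suricata EVE JSON 'http' events (not real captured traffic).
SAMPLE_EVE = """\
{"event_type":"http","src_ip":"172.17.0.99","dest_ip":"79.124.78.197","http":{"http_method":"GET","url":"/index.php?id=&subid=qI0uKk7U"}}
{"event_type":"http","src_ip":"172.17.0.23","dest_ip":"93.184.216.34","http":{"http_method":"GET","url":"/index.php?id=42&page=1"}}
{"event_type":"http","src_ip":"172.17.0.57","dest_ip":"203.0.113.9","http":{"http_method":"GET","url":"/index.php?id=&subid=AbCdEf12"}}
{"event_type":"dns","src_ip":"172.17.0.99","dest_ip":"172.17.0.1","dns":{"rrname":"example.com"}}
"""

def looks_like_koi_checkin(method: str, url: str) -> bool:
    """Match the check-in shape seen in the PCAP: GET /index.php, empty id, non-empty subid."""
    parts = urlsplit(url)
    if method != "GET" or parts.path != "/index.php":
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    return qs.get("id") == [""] and bool(qs.get("subid", [""])[0])

def scan_eve(text: str) -> list[dict]:
    """One finding per matching http event; known_c2 is True when dest_ip is a listed IoC."""
    findings = []
    for line in filter(None, text.splitlines()):
        ev = json.loads(line)
        if ev.get("event_type") != "http":
            continue
        http = ev.get("http", {})
        url = http.get("url", "")
        if not looks_like_koi_checkin(http.get("http_method", ""), url):
            continue
        subid = parse_qs(urlsplit(url).query)["subid"][0]
        findings.append({"src_ip": ev["src_ip"], "dest_ip": ev["dest_ip"],
                         "subid": subid, "known_c2": ev["dest_ip"] in KNOWN_C2})
    return findings

if __name__ == "__main__":
    for f in scan_eve(SAMPLE_EVE):
        print(f)
```

A match to an unlisted destination (the third sample line) is worth triaging as a possible additional C2 host rather than dismissing because it is absent from the IoC table.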
## Indicators of Compromise

| Indicator | Value |
|---|---|
| Infected Host | 172.17.0.99 |
| C2 Server | 79.124.78.197 |
| Protocol | HTTP |
| Malware | Koi Stealer |
## Conclusion

The investigation confirms outbound C2 communication consistent with Koi Stealer malware behavior.
## Full Technical Investigation

View full investigation on GitHub