CoalaBot appears to be built on August Stealer code (Panel and Traffic are really alike).
I found it spread as a task in a Betabot and in an Andromeda spread via RIG fed by at least one HilltopAds malvertising.
|2017-09-11: a witnessed infection chain to CoalaBot|
A look inside:
|CoalaBot: Login Screen (August Stealer alike)|
|CoalaBot: New Task (list)|
|CoalaBot: https get task details|
|CoalaBot: http post task details|
Here is the translated associated advert published on 2017-08-23 by a user going by the nick: Discomrade.
(Thanks to Andrew Komarov and others who provided help here).
Emerging Threats rules:
2024531 || ET TROJAN MSIL/CoalaBot CnC Activity
August in November: New Information Stealer Hits the Scene – 2016-12-07 – Proofpoint