General

  • Target: RFQ MV-Haian.exe
  • Size: 485KB
  • Sample: 221129-lwl2ragg67
  • MD5: 14118ff01802f541e0593c3efc0b55c4
  • SHA1: 70e44e69b10a80f2a987c061febc154c5226f3bf
  • SHA256: 622b22f54e4d408ed547536ee1ec8714411cefebb170d69aeb6aae8a23a22233
  • SHA512: c0123827bc905c39692286931836fa9d076264d56a1bf3c761ef63e670802b1a050c76e61e44780bf55b98635a82c2f7d696fa42e02137050b801a9e7bc0c076
  • SSDEEP: 12288:qWO+CpbKbfqFEtigKKyBG3qoS2xTSZRncT5S:qWIbKjthKep/NSZRcT

Malware Config

Extracted

  • Family: lokibot
  • C2:
      http://sempersim.su/gm9/fre.php
      http://kbfvzoboss.bid/alien/fre.php
      http://alphastand.trade/alien/fre.php
      http://alphastand.win/alien/fre.php
      http://alphastand.top/alien/fre.php

Targets

    • Lokibot
      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
