General

  • Target

    2fe572c4c7550b00993c0b9b344a65df.exe

  • Size

    364KB

  • Sample

    230106-l2s29aff67

  • MD5

    2fe572c4c7550b00993c0b9b344a65df

  • SHA1

    050979d9ebc2b777ddaf12c15b086da39f8bd472

  • SHA256

    2d83164d1358ec644bb36c5edd0c16e115510789fea78f6a009a5969a74cd9e9

  • SHA512

    76b646c346070f83832afda5442e0c5b54d1c73885b14235e58aa4c2ceeed4657c8f2a78427fc963d9cf1e39dfc9336881d9855b142f7ec5c06fe118e6a3e144

  • SSDEEP

    6144:LYa6H6UvT9XdqN3S4bEMZBR8zWZcTeYE7BEbaT:LYh6UvDO3S4rZIr67BIaT

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.147/kelly/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      2fe572c4c7550b00993c0b9b344a65df.exe

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
