General

  • Target

    May New Order.doc

  • Size

    34KB

  • Sample

    230508-kcw7yabe3t

  • MD5

    b94ab0ff3e9e9f20e322a7571fcf041f

  • SHA1

    4b2cdbfb38262df6976f0ce23c8e5aa8a002e5a5

  • SHA256

    f24781001f198ec760cdf8805dc1fb123558d60d32e0cefbffe0a410f0519838

  • SHA512

    be1bbd1b09eef6e22c8f94294664d163ddc2874d2765ad0375615c202be669411432702dbff383ca403d2ad56d07ec2feb094f84f4e718a3e08897eb789e1bdb

  • SSDEEP

    768:lFx0XaIsnPRIa4fwJMTMIzsycs/2biGJyYlEFud:lf0Xvx3EMAIrcs/aJVkud

Malware Config

Extracted

Family

lokibot

C2

http://185.246.220.60/govonor/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
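The extracted C2 list above is the part of this report a defender acts on. The block below is an added example, not part of the tria.ge report or of the sample: a small Python matcher that normalises URLs from Squid-style proxy access log lines and flags them against the five extracted endpoints, distinguishing an exact endpoint hit from a host-only hit. It also raises a weaker, heuristic flag for a POST to any `/fre.php` path, the panel gate that every C2 URL on this page shares. The log layout, the sample lines and that heuristic are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted from this sample (from the Malware Config above).
LOKIBOT_C2 = [
    "http://185.246.220.60/govonor/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def normalize(url):
    """Lower-case the host and drop port and query string, so that
    'http://KBFVZOBOSS.BID:80/alien/fre.php?x=1' still matches the extracted C2."""
    p = urlparse(url.strip())
    host = (p.hostname or "").lower()
    path = p.path or "/"
    return host, path


C2_ENDPOINTS = {normalize(u) for u in LOKIBOT_C2}   # (host, path) pairs
C2_HOSTS = {h for h, _ in C2_ENDPOINTS}

# Squid native access.log layout (an assumption for this example):
#   time elapsed client code/status bytes method url ident hierarchy type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify(line):
    """Return a dict describing the line, or None if it is not a parseable
    proxy log entry. 'verdict' is one of:
      c2_endpoint  - host and path match an extracted C2 URL
      c2_host      - host matches an extracted C2 but the path differs
      gate_pattern - POST to a .../fre.php path on a host not in the list
                     (heuristic: the gate path shared by every C2 above)
      clean        - nothing matched
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    host, path = normalize(m["url"])
    if (host, path) in C2_ENDPOINTS:
        verdict = "c2_endpoint"
    elif host in C2_HOSTS:
        verdict = "c2_host"
    elif m["method"].upper() == "POST" and path.lower().endswith("/fre.php"):
        verdict = "gate_pattern"
    else:
        verdict = "clean"
    return {"client": m["client"], "host": host, "path": path,
            "method": m["method"], "verdict": verdict}


def scan(lines):
    """Classify every parseable line and return only the non-clean hits."""
    hits = []
    for line in lines:
        r = classify(line)
        if r and r["verdict"] != "clean":
            hits.append(r)
    return hits


# Constructed sample log lines (not real traffic), one per branch above.
SAMPLE_LOG = [
    "1683534001.123 312 10.0.0.15 TCP_MISS/200 512 POST http://KBFVZOBOSS.BID:80/alien/fre.php - HIER_DIRECT/203.0.113.5 text/html",
    "1683534002.456 120 10.0.0.15 TCP_MISS/404 320 GET http://alphastand.top/robots.txt - HIER_DIRECT/203.0.113.6 text/html",
    "1683534003.789 90 10.0.0.22 TCP_MISS/200 1024 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1683534004.000 200 10.0.0.31 TCP_MISS/200 600 POST http://185.246.220.60/govonor/five/fre.php - HIER_DIRECT/185.246.220.60 text/html",
    "1683534005.000 200 10.0.0.40 TCP_MISS/200 600 POST http://panel.invalid/x/fre.php - HIER_DIRECT/198.51.100.9 text/html",
    "this line is not a proxy log entry",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['verdict']:13} {hit['client']:<10} {hit['method']} {hit['host']}{hit['path']}")
```

Matching on the normalised (host, path) pair rather than the raw URL string is what makes the first sample line hit despite its upper-case host and explicit port; a host-only hit is still worth alerting on because the C2 hosts themselves are indicators even if the operator rotates the gate path.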

Targets

    • Target

      May New Order.doc

    • Lokibot

LokiBot is a password and cryptocurrency wallet stealer.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

Infostealers commonly target stored browser profile data, which can include saved credentials and other sensitive account material.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6