
General

  • Target: ee6851f7c64b5d019791616cc442f6e0.rtf
  • Size: 23KB
  • Sample: 230512-bgm1dsdd81
  • MD5: ee6851f7c64b5d019791616cc442f6e0
  • SHA1: 72af3b772764ba00ceee26e48915dd800365c386
  • SHA256: 7f33703ff5f3e826d4209149419211632cb3fc6599bee182fcbb7fd225e64ab8
  • SHA512: d7a2221aec0d367e958342f50dc7b87d2e843ac32d92b25e642d9e607e00117d9bd8159d71f5b3405c713385a87398d788c480ffcaa4ea031dd2fb1aa070f91b
  • SSDEEP: 384:bIufFIHAYQiQixve/9xujA152GUxm/JmVAi2k9uVcdOD5T8JX5QsR7oF5QEE2:bFtIHAcQixve/9xujAD2bxm/JsJ5R7ob

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.164/mancho/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target: ee6851f7c64b5d019791616cc442f6e0.rtf
    • Size: 23KB
    • MD5: ee6851f7c64b5d019791616cc442f6e0
    • SHA1: 72af3b772764ba00ceee26e48915dd800365c386
    • SHA256: 7f33703ff5f3e826d4209149419211632cb3fc6599bee182fcbb7fd225e64ab8
    • SHA512: d7a2221aec0d367e958342f50dc7b87d2e843ac32d92b25e642d9e607e00117d9bd8159d71f5b3405c713385a87398d788c480ffcaa4ea031dd2fb1aa070f91b
    • SSDEEP: 384:bIufFIHAYQiQixve/9xujA152GUxm/JmVAi2k9uVcdOD5T8JX5QsR7oF5QEE2:bFtIHAcQixve/9xujAD2bxm/JsJ5R7ob

    Signatures

    • Lokibot
      Lokibot is a password and cryptocurrency wallet stealer.
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.
    • Uses the VBS compiler for execution
    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v6
