Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    POM21002942.doc

  • Size

    37KB

  • Sample

    230515-nsawesfb25

  • MD5

    46100be91814d075b6e93be8e2cb5a1c

  • SHA1

    7b41fb51d1d44a297070268ab446330c382f93bb

  • SHA256

    6085e92697eb1b9c14cec9928f37d92134d19c285098bda21f59e6c02723318f

  • SHA512

    6a4e839e932d5558a830eea6cfa00ea0a5b383d89b6c53bd1626f5b1b7b58823c39d7147e1cc7659345aec30c7d7536ab3804cc80db3728d5be14c6d55b5d9f9

  • SSDEEP

    768:xFx0XaIsnPRIa4fwJMfZloXe0qa/Dm5MlcVmtOOPXb0UT9fTT:xf0Xvx3EMfPoXe0qbzVmtOOPXb0U5TT

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.147/kelly/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      POM21002942.doc

    • Size

      37KB

    • MD5

      46100be91814d075b6e93be8e2cb5a1c

    • SHA1

      7b41fb51d1d44a297070268ab446330c382f93bb

    • SHA256

      6085e92697eb1b9c14cec9928f37d92134d19c285098bda21f59e6c02723318f

    • SHA512

      6a4e839e932d5558a830eea6cfa00ea0a5b383d89b6c53bd1626f5b1b7b58823c39d7147e1cc7659345aec30c7d7536ab3804cc80db3728d5be14c6d55b5d9f9

    • SSDEEP

      768:xFx0XaIsnPRIa4fwJMfZloXe0qa/Dm5MlcVmtOOPXb0UT9fTT:xf0Xvx3EMfPoXe0qbzVmtOOPXb0U5TT

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks