General

  • Target

    CI + PL.xls

  • Size

    1.4MB

  • Sample

    230714-hkshlsce34

  • MD5

    22cbe162d221d7ab2ae7e185a38cd432

  • SHA1

    6ee5a4da46169acb591f3572dfe8347afd2a937d

  • SHA256

    81eb9a9c2bd5612d7e67a5dccae5a52cd02fa933d59eafbb2f318d7f79dce601

  • SHA512

    4dacf9de7dbe2cc352039acb18768619707c5b7e2c96f4843156e204a32bec4ec986fedc484a446364decec7773bdfbb3e0d8519e2293237f18454da4ecef074

  • SSDEEP

    24576:5+u9VNZylw6VfOZydw6VleHBlEzp7uOR0bgcwyA52hcP5YwVux:5+uPR6VfY96V8hOzWgjy+P5Yj

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.147/mous/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
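The five C2 URLs above are the most directly actionable indicators on this page. The following is an added example, not part of the Triage report or of Triage's tooling: it turns the listed URLs into host and host+path indicators and sweeps them over web-proxy log lines. The log lines and their `timestamp client method url status` layout are constructed for the example, and the trailing `fre.php` POST check is a heuristic derived from the shared path of the listed URLs, so it is flagged separately from exact matches.

```python
"""Match the LokiBot C2 indicators from this report against web-proxy logs (added example)."""
import re
from urllib.parse import urlsplit

# C2 URLs exactly as listed in the report's Malware Config section.
C2_URLS = [
    "http://171.22.30.147/mous/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def iocs_from_urls(urls):
    """Split C2 URLs into a set of hosts and a set of (host, path) pairs."""
    hosts, full = set(), set()
    for u in urls:
        p = urlsplit(u)
        host = p.hostname.lower()
        hosts.add(host)
        full.add((host, p.path))
    return hosts, full


# Constructed proxy log lines (not from the report); format: ts client method url status.
SAMPLE_LOG = """\
2023-07-14T10:01:02Z 10.0.0.12 POST http://171.22.30.147/mous/five/fre.php 404
2023-07-14T10:01:05Z 10.0.0.12 POST http://kbfvzoboss.bid/alien/fre.php 404
2023-07-14T10:02:00Z 10.0.0.13 GET http://example.com/index.html 200
2023-07-14T10:03:11Z 10.0.0.12 POST http://alphastand.top/alien/fre.php 200
2023-07-14T10:03:40Z 10.0.0.12 GET http://alphastand.win/robots.txt 200
2023-07-14T10:04:00Z 10.0.0.14 POST http://other-host.example/panel/fre.php 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def scan_log(text, urls=C2_URLS):
    """Return one hit dict per log line that matches a C2 indicator or the fre.php heuristic."""
    hosts, full = iocs_from_urls(urls)
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        p = urlsplit(m["url"])
        host = (p.hostname or "").lower()
        if (host, p.path) in full:
            reason = "exact C2 URL"
        elif host in hosts:
            reason = "C2 host"  # same infrastructure, different path
        elif m["method"] == "POST" and p.path.endswith("/fre.php"):
            # Heuristic (assumption): LokiBot panels listed here all gate on fre.php.
            reason = "LokiBot-style fre.php POST (heuristic)"
        else:
            continue
        hits.append({"ts": m["ts"], "client": m["client"], "url": m["url"], "reason": reason})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ts"], h["client"], h["url"], "->", h["reason"])
```

Exact and host-level matches are high confidence; the heuristic hits need review, since `fre.php` is a common enough filename to produce false positives outside LokiBot infrastructure. The HTTP status is deliberately ignored: the 404s in the constructed log still show a client beaconing to a known C2 host.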

Targets

    • Target

      CI + PL.xls

    • Lokibot

      Lokibot is an information stealer that harvests saved passwords and cryptocurrency wallet data.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and session cookies.

    • Accesses Microsoft Outlook profiles
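The signature names above describe a chain: a process under the opened document reaches the network, writes a PE, runs it, loads a dropped DLL, then reads browser credential stores and Outlook profile keys. The following is an added example, not the report's or Triage's own detection logic: it re-derives those six signature names from a constructed endpoint event stream. The events are invented for illustration; it is assumed the `.xls` sample opens in `EXCEL.EXE`, the `cmd.exe` child is hypothetical, and "blocklisted process" is approximated as any descendant of an Office process.

```python
"""Re-derive this report's behavioural signatures from a constructed event stream (added example)."""

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Well-known browser credential stores: Chromium "Login Data", Firefox "logins.json".
BROWSER_CRED_FILES = ("\\login data", "\\logins.json")
# Outlook 2013+ keeps MAPI profiles under this HKCU key.
OUTLOOK_PROFILE_KEY = "\\software\\microsoft\\office\\16.0\\outlook\\profiles"

# Constructed telemetry (not from the report). Assumption: the .xls opens in EXCEL.EXE,
# whose hypothetical cmd.exe child fetches a PE, drops it, runs it and loads a dropped DLL.
EVENTS = [
    {"type": "process",   "pid": 100, "ppid": 1,   "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE"},
    {"type": "process",   "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "netconn",   "pid": 200, "dst": "203.0.113.10", "dport": 80},
    {"type": "filewrite", "pid": 200, "path": r"C:\Users\admin\AppData\Local\Temp\update.exe", "head": b"MZ\x90\x00"},
    {"type": "filewrite", "pid": 200, "path": r"C:\Users\admin\AppData\Local\Temp\helper.dll", "head": b"MZ\x90\x00"},
    {"type": "process",   "pid": 300, "ppid": 200, "image": r"C:\Users\admin\AppData\Local\Temp\update.exe"},
    {"type": "imageload", "pid": 300, "path": r"C:\Users\admin\AppData\Local\Temp\helper.dll"},
    {"type": "fileread",  "pid": 300, "path": r"C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "regread",   "pid": 300, "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "process",   "pid": 400, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"type": "netconn",   "pid": 400, "dst": "198.51.100.5", "dport": 443},
]


def evaluate(events):
    """Return the set of report-style signature names triggered by the event stream."""
    parent, image = {}, {}
    for e in events:  # first pass: build the process tree
        if e["type"] == "process":
            parent[e["pid"]] = e["ppid"]
            image[e["pid"]] = e["image"]

    def in_office_tree(pid):
        """Walk the parent chain; True if the process or an ancestor is an Office binary."""
        seen = set()
        while pid in parent and pid not in seen:
            seen.add(pid)
            if image[pid].rsplit("\\", 1)[-1].lower() in OFFICE_IMAGES:
                return True
            pid = parent[pid]
        return False

    sigs, dropped, netconn_pids = set(), set(), set()
    for e in events:  # second pass: evaluate signatures in event order
        t = e["type"]
        if t == "netconn" and in_office_tree(e["pid"]):
            # Approximation of "blocklisted process": an Office descendant talking to the network.
            sigs.add("Blocklisted process makes network request")
            netconn_pids.add(e["pid"])
        elif t == "filewrite" and e["head"][:2] == b"MZ" and in_office_tree(e["pid"]):
            dropped.add(e["path"].lower())
            if e["pid"] in netconn_pids:  # PE written after the writer went online
                sigs.add("Downloads MZ/PE file")
        elif t == "process" and e["image"].lower() in dropped:
            sigs.add("Executes dropped EXE")
        elif t == "imageload" and e["path"].lower() in dropped:
            sigs.add("Loads dropped DLL")
        elif t == "fileread" and e["path"].lower().endswith(BROWSER_CRED_FILES):
            sigs.add("Reads user/profile data of web browsers")
        elif t == "regread" and OUTLOOK_PROFILE_KEY in e["key"].lower():
            sigs.add("Accesses Microsoft Outlook profiles")
    return sigs


if __name__ == "__main__":
    for name in sorted(evaluate(EVENTS)):
        print(name)
```

The two-pass structure matters: the process tree has to be complete before ancestry is checked, otherwise a network event logged before its parent's process-create event would be missed. "Downloads MZ/PE file" deliberately requires the writer to have made a network connection first; a PE written by a process that never went online is recorded as dropped but not as downloaded.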

MITRE ATT&CK Enterprise v6

Tasks