General

  • Target

    AWB - 8488476883.zip

  • Size

    464KB

  • Sample

    230717-gyq19sbb7y

  • MD5

    646db35642c7b5979782e9ddc512a3c8

  • SHA1

    01045b320a40a69058a4f33fd5ab9e09650732fa

  • SHA256

    e06308bce08457e094478bfb50c3c34e53a46b6272f413e3246bd70117683fc7

  • SHA512

    9f9da5872b7e0df081e9b383e9e44066d5b7b6bfa0f52af8b04abdcaaaae466bfdb2732a55185dfade7ff65535ca33e3ab8d9b236d66b31cd2d0bfdc9879c42e

  • SSDEEP

    12288:eVUNCoV6ql0Vw4hvRfuKvN6aLgac6xRetGJ6Ejcmhc:RvkNhtuKv4WetGJNNc

Malware Config

Extracted

Family

lokibot

C2

http://185.246.220.85/ugopounds/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      AWB - 8488476883.exe

    • Size

      569KB

    • MD5

      22e17c46c749a753fd6fd732c1a72400

    • SHA1

      f1596e0411eab8890ce8589467a290a2a135a49b

    • SHA256

      361fa480921081dee06a974b2d53bab2ae571d2f64e57485ce62f541723ed644

    • SHA512

      3f844fef0d174ac20799629df28bcd2e99c2c1262780628a8d919e9237e84765c48f77ef4d1ce259245271b188f1e285ecde5ddebe881fe98e55ff1bd1ccd6b8

    • SSDEEP

      12288:RDp88rNSoVmakaSjF1TO61KfE3fv/Ra9ZG17O8eVSHcgeReFRbE5K:Q8RFSjFV5KcvvIK18S5EeFtE5K

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar profile data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
