Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ABDETYBF.exe

windows7-x64

10

ABDETYBF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    04/09/2023, 03:55 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ABDETYBF.exe

  • Size

    783KB

  • MD5

    dd32fbe95047642376227127eaffe815

  • SHA1

    8d2c3539b0307816c4e0d447cb5b577cb6e15c07

  • SHA256

    e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8

  • SHA512

    97645a91ca1219a221ef60083adbbc07f4706030f5bc0669965fa3e53881c3422ae2aac0eb14d0dce7470ff7f06e2987d33bc7f1ee03aae93b34fa3ff81cdd49

  • SSDEEP

    24576:yNA3R5drXP0lV4LIqzSVq1r+w/URexTF2+:L5OZzAr+0UExB1

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://fiorentcamcycle.redirectme.net/jzdgfsh/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ABDETYBF.exe
    "C:\Users\Admin\AppData\Local\Temp\ABDETYBF.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe
      "C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe"
      2⤵
      • Executes dropped EXE
      PID:2624
    • C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
      "C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
        C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2128
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2784

Network

  • flag-us
    DNS
    fiorentcamcycle.redirectme.net
    Ahmetoiuv.exe
    Remote address:
    8.8.8.8:53
    Request
    fiorentcamcycle.redirectme.net
    IN A
    Response
    fiorentcamcycle.redirectme.net
    IN A
    193.42.32.242
  • flag-bg
    POST
    http://fiorentcamcycle.redirectme.net/jzdgfsh/Panel/five/fre.php
    Ahmetoiuv.exe
    Remote address:
    193.42.32.242:80
    Request
    POST /jzdgfsh/Panel/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: fiorentcamcycle.redirectme.net
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 75A7396A
    Content-Length: 374
    Connection: close
    Response
    HTTP/1.1 502 Bad Gateway
    Server: nginx/1.10.3
    Date: Mon, 04 Sep 2023 03:55:45 GMT
    Content-Type: text/html
    Content-Length: 3695
    Connection: close
    ETag: "5cd12124-e6f"
  • flag-bg
    POST
    http://fiorentcamcycle.redirectme.net/jzdgfsh/Panel/five/fre.php
    Ahmetoiuv.exe
    Remote address:
    193.42.32.242:80
    Request
    POST /jzdgfsh/Panel/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: fiorentcamcycle.redirectme.net
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 75A7396A
    Content-Length: 180
    Connection: close
    Response
    HTTP/1.1 502 Bad Gateway
    Server: nginx/1.10.3
    Date: Mon, 04 Sep 2023 03:55:45 GMT
    Content-Type: text/html
    Content-Length: 3695
    Connection: close
    ETag: "5cd12124-e6f"
  • flag-bg
    POST
    http://fiorentcamcycle.redirectme.net/jzdgfsh/Panel/five/fre.php
    Ahmetoiuv.exe
    Remote address:
    193.42.32.242:80
    Request
    POST /jzdgfsh/Panel/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: fiorentcamcycle.redirectme.net
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 75A7396A
    Content-Length: 153
    Connection: close
    Response
    HTTP/1.1 502 Bad Gateway
    Server: nginx/1.10.3
    Date: Mon, 04 Sep 2023 03:55:45 GMT
    Content-Type: text/html
    Content-Length: 3695
    Connection: close
    ETag: "5cd12124-e6f"
  • 193.42.32.242:80
    http://fiorentcamcycle.redirectme.net/jzdgfsh/Panel/five/fre.php
    http
    Ahmetoiuv.exe
    959 B
     4.2kB
     7
    7

    HTTP Request

    POST http://fiorentcamcycle.redirectme.net/jzdgfsh/Panel/five/fre.php

    HTTP Response

    502
  • 193.42.32.242:80
    http://fiorentcamcycle.redirectme.net/jzdgfsh/Panel/five/fre.php
    http
    Ahmetoiuv.exe
    765 B
     4.2kB
     7
    7

    HTTP Request

    POST http://fiorentcamcycle.redirectme.net/jzdgfsh/Panel/five/fre.php

    HTTP Response

    502
  • 193.42.32.242:80
    http://fiorentcamcycle.redirectme.net/jzdgfsh/Panel/five/fre.php
    http
    Ahmetoiuv.exe
    738 B
     4.2kB
     7
    7

    HTTP Request

    POST http://fiorentcamcycle.redirectme.net/jzdgfsh/Panel/five/fre.php

    HTTP Response

    502
  • 8.8.8.8:53
    fiorentcamcycle.redirectme.net
    dns
    Ahmetoiuv.exe
    76 B
     92 B
     1
    1

    DNS Request

    fiorentcamcycle.redirectme.net

    DNS Response

    193.42.32.242

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe
    Filesize

    306KB

    MD5

    3ffae71fdf23a86018fdf1e1b846eb2d

    SHA1

    4d8aaffca026d3a0336d996c21ae392022fcb00c

    SHA256

    5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

    SHA512

    676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe
    Filesize

    306KB

    MD5

    3ffae71fdf23a86018fdf1e1b846eb2d

    SHA1

    4d8aaffca026d3a0336d996c21ae392022fcb00c

    SHA256

    5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

    SHA512

    676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe
    Filesize

    306KB

    MD5

    3ffae71fdf23a86018fdf1e1b846eb2d

    SHA1

    4d8aaffca026d3a0336d996c21ae392022fcb00c

    SHA256

    5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

    SHA512

    676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AhmetOdem.jpg
    Filesize

    38KB

    MD5

    d012e63ffee27b2f473ec4b0e89080b8

    SHA1

    7e7f3d5b27ef2382ff287465d84f81c1092ef046

    SHA256

    6a5e42e58f2b883ca3a2055090649ed8e1af1e7b11bbde4d76d1bfaef3b7a625

    SHA512

    5586baefc85b71170ee224f819854bdb75756e3b22eb4f74f408054dd015db84444d119efa06d8651a8cd6b726ec0d0a442ce503b4caf602645cdfdc6295a414

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
    Filesize

    293KB

    MD5

    39900a5f5037440f1380eb5efbdbd70d

    SHA1

    c661153d06c90c848694819095de0e57bc1bef25

    SHA256

    ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

    SHA512

    19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
    Filesize

    293KB

    MD5

    39900a5f5037440f1380eb5efbdbd70d

    SHA1

    c661153d06c90c848694819095de0e57bc1bef25

    SHA256

    ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

    SHA512

    19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
    Filesize

    293KB

    MD5

    39900a5f5037440f1380eb5efbdbd70d

    SHA1

    c661153d06c90c848694819095de0e57bc1bef25

    SHA256

    ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

    SHA512

    19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
    Filesize

    293KB

    MD5

    39900a5f5037440f1380eb5efbdbd70d

    SHA1

    c661153d06c90c848694819095de0e57bc1bef25

    SHA256

    ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

    SHA512

    19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-686452656-3203474025-4140627569-1000\0f5007522459c86e95ffcc62f32308f1_a38c7804-2682-486a-9c4a-7df759db8800
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-686452656-3203474025-4140627569-1000\0f5007522459c86e95ffcc62f32308f1_a38c7804-2682-486a-9c4a-7df759db8800
    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\AhmetOdem.exe
    Filesize

    306KB

    MD5

    3ffae71fdf23a86018fdf1e1b846eb2d

    SHA1

    4d8aaffca026d3a0336d996c21ae392022fcb00c

    SHA256

    5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

    SHA512

    676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\AhmetOdem.exe
    Filesize

    306KB

    MD5

    3ffae71fdf23a86018fdf1e1b846eb2d

    SHA1

    4d8aaffca026d3a0336d996c21ae392022fcb00c

    SHA256

    5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

    SHA512

    676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\AhmetOdem.exe
    Filesize

    306KB

    MD5

    3ffae71fdf23a86018fdf1e1b846eb2d

    SHA1

    4d8aaffca026d3a0336d996c21ae392022fcb00c

    SHA256

    5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

    SHA512

    676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
    Filesize

    293KB

    MD5

    39900a5f5037440f1380eb5efbdbd70d

    SHA1

    c661153d06c90c848694819095de0e57bc1bef25

    SHA256

    ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

    SHA512

    19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
    Filesize

    293KB

    MD5

    39900a5f5037440f1380eb5efbdbd70d

    SHA1

    c661153d06c90c848694819095de0e57bc1bef25

    SHA256

    ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

    SHA512

    19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
    Filesize

    293KB

    MD5

    39900a5f5037440f1380eb5efbdbd70d

    SHA1

    c661153d06c90c848694819095de0e57bc1bef25

    SHA256

    ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

    SHA512

    19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
    Filesize

    293KB

    MD5

    39900a5f5037440f1380eb5efbdbd70d

    SHA1

    c661153d06c90c848694819095de0e57bc1bef25

    SHA256

    ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

    SHA512

    19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
    Filesize

    293KB

    MD5

    39900a5f5037440f1380eb5efbdbd70d

    SHA1

    c661153d06c90c848694819095de0e57bc1bef25

    SHA256

    ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

    SHA512

    19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

    Download Submit

  • memory/2128-44-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2128-65-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2128-45-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2128-41-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2624-32-0x0000000000D90000-0x0000000000D92000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2748-35-0x0000000074130000-0x000000007481E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2748-34-0x0000000000870000-0x00000000008C2000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2748-37-0x0000000001F60000-0x0000000001FAA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2748-46-0x0000000074130000-0x000000007481E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2748-38-0x0000000004A30000-0x0000000004A70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2784-33-0x0000000000120000-0x0000000000122000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2784-36-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2784-67-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.