General

  • Target

    SHIPPING UPDATE.xls

  • Size

    1.4MB

  • Sample

    231003-gw2d8age9t

  • MD5

    19202ef8b0f4d1536e4bf40e0246a2ec

  • SHA1

    1e570dea25b0f41bddf2d3e4b5fa887cc6f08a0e

  • SHA256

    e743cf899576503ecd96fdd01f5f8b6775a681e6eaff832b602ea04872fe1e4a

  • SHA512

    65a211c821828380fefd127690330c3fd6600f4bb9230aae3e9e1ad335804f4dfbe5c48bbe3b5c8c7bbb3b2afc3e04fcb977d8973e4276472ba24683140b22d9

  • SSDEEP

    24576:xWQmmav30xSZyMw6VzAXZSp4Zybw6Vn+6bvdXXXXXXXXXXXXUXXXXXXXXXXXXXX2:AQmmQ30686VwEIf6V+6YxxDfIK27/

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/a14/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
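The extracted C2 list above is the most directly actionable part of this report. As an added example (not part of the tria.ge report or the LokiBot sample itself), the script below turns those five gate URLs into indicator sets and runs them over a few constructed web-proxy log lines. It matches at three strengths: the exact gate URL, the bare C2 hostname (so a beacon to a different path on a known host is still caught), and, as a weaker heuristic, a POST to any host's `/fre.php` path, since every gate in this config shares that filename. The log format, the client addresses and the log lines are all assumptions constructed for the demonstration.

```python
"""Match web-proxy log lines against the LokiBot C2 URLs extracted above.

Added example, not part of the tria.ge report. The C2 list is copied
from the extracted config on this page; the log lines are constructed
for this demonstration and do not come from any real environment.
"""
from urllib.parse import urlsplit

# C2 gate URLs from the extracted LokiBot config on this page.
C2_URLS = [
    "https://sempersim.su/a14/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Derived indicator sets: exact URLs, and the hostnames on their own so a
# beacon to a different path on a known C2 host is still caught.
C2_EXACT = {u.lower() for u in C2_URLS}
C2_HOSTS = {urlsplit(u).hostname.lower() for u in C2_URLS}


def parse_proxy_line(line):
    """Parse one log line into (client, method, url).

    The line format is an assumption for this example, not a format the
    report shows: "<epoch> <client_ip> <method> <url> <status>".
    Returns None for lines that do not fit.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, client, method, url, _status = parts
    return client, method.upper(), url


def classify(url):
    """Return the strongest indicator match for a URL, or None."""
    url_l = url.lower()
    if url_l in C2_EXACT:
        return "exact-c2-url"
    split = urlsplit(url_l)
    if split.hostname in C2_HOSTS:
        return "known-c2-host"
    # Weak heuristic (assumption): every gate in this config is a fre.php
    # endpoint, so a fre.php path on an unknown host is worth a look, not
    # an alert on its own. scan() further restricts this to POST requests.
    if split.path.endswith("/fre.php"):
        return "fre.php-gate-pattern"
    return None


def scan(lines):
    """Return a list of (client, verdict, url) for every matching line."""
    hits = []
    for line in lines:
        parsed = parse_proxy_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the scan
        client, method, url = parsed
        verdict = classify(url)
        if verdict == "fre.php-gate-pattern" and method != "POST":
            continue  # heuristic only fires on POST (assumption for this example)
        if verdict:
            hits.append((client, verdict, url))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "1696330000 10.0.0.7 POST http://alphastand.trade/alien/fre.php 200",
    "1696330001 10.0.0.7 GET http://alphastand.trade/alien/other.php 404",
    "1696330002 10.0.0.8 GET https://www.example.com/index.html 200",
    "1696330003 10.0.0.9 POST http://203.0.113.5/panel/fre.php 200",
    "1696330004 10.0.0.9 GET http://203.0.113.5/panel/fre.php 200",
    "malformed line",
]

if __name__ == "__main__":
    for client, verdict, url in scan(SAMPLE_LOG):
        print(f"{client}\t{verdict}\t{url}")
```

Run against the constructed log it reports three hits: the exact gate hit and the host-only hit from 10.0.0.7, and the POST to an unknown host's `fre.php` from 10.0.0.9; the GET to the same path and the unrelated example.com request are ignored. In production the exact-URL and known-host verdicts are block-worthy, while the path heuristic should feed a hunt queue, since the filename alone is not proof of LokiBot.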

Targets

    • Target

      SHIPPING UPDATE.xls

    • Size

      1.4MB

    • MD5

      19202ef8b0f4d1536e4bf40e0246a2ec

    • SHA1

      1e570dea25b0f41bddf2d3e4b5fa887cc6f08a0e

    • SHA256

      e743cf899576503ecd96fdd01f5f8b6775a681e6eaff832b602ea04872fe1e4a

    • SHA512

      65a211c821828380fefd127690330c3fd6600f4bb9230aae3e9e1ad335804f4dfbe5c48bbe3b5c8c7bbb3b2afc3e04fcb977d8973e4276472ba24683140b22d9

    • SSDEEP

      24576:xWQmmav30xSZyMw6VzAXZSp4Zybw6Vn+6bvdXXXXXXXXXXXXUXXXXXXXXXXXXXX2:AQmmQ30686VwEIf6V+6YxxDfIK27/

    • Lokibot

      Lokibot is an information stealer that harvests saved passwords and cryptocurrency wallet data.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data such as saved credentials and session cookies.

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v15

Tasks