General

  • Target

    3b7736009133ab2366038e6d9a3e0c2f.bin

  • Size

    887KB

  • Sample

    231029-bqk76aea9z

  • MD5

    a3746e1826910da25c308e9f8e98af08

  • SHA1

    1f61f4da6a7b9f3b0476bc8b8286a8c337a4146b

  • SHA256

    b4b3295665d45e9d187ab312a0e62dd3b80cc45b320274298f42f42bee22a6ee

  • SHA512

    9703081ff175996e3917b78bb2bcd130a5119476f609737b0168c577867b330cc9f85a49c97c0a7750c45d461a906d02eb84adbb20231c1914a80ed39d7a2914

  • SSDEEP

    12288:A8i8P+c0mjhqAGJ5YzPxxbyH0Q2zQbLxiNMecttR5CZb9IxUlxI6mgaqAHsAQj6E:AQPgTqzeH0NQbsNMeadCZbGUDTiqcGAC

Malware Config

Extracted

  • Family

    lokibot

  • C2

    https://sempersim.su/a16/fre.php

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

Targets

    • Target

      6fb30f4760c71e5dd852e73a34222a6fae6f44a0046d0f913e5bcb68ce514590.bin

    • Size

      1.1MB

    • MD5

      3b7736009133ab2366038e6d9a3e0c2f

    • SHA1

      ba1ccf6ca0888c15f6475bcac6e285cb479d8939

    • SHA256

      6fb30f4760c71e5dd852e73a34222a6fae6f44a0046d0f913e5bcb68ce514590

    • SHA512

      d0d5fa14eb9b797150d1e76e0017b9cda71fd235d3cbee2be246cbaa480ad3d07f3ff6557a2b9a688526ebea478e614983f5545cef987ed3ed562d89f476b80f

    • SSDEEP

      24576:wxBXZyrw6/2THaZylw6/90U++g4JRuJngtQETYRMO+4yi0CLnsd7UNl:UF6/ek76/+UBg4TUngtzTUGFCDkC

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks