General

  • Target

    3825efd5fcbdde5bd2a250c08d335c91_JaffaCakes118

  • Size

    512KB

  • Sample

    240512-elfcwsag33

  • MD5

    3825efd5fcbdde5bd2a250c08d335c91

  • SHA1

    8337c955226c5568fb81a5cba795ddb34b86ce77

  • SHA256

    782b974af31ff9999e5449f9a675ea18d97d26456a277327b1e492c539e14ece

  • SHA512

    caa5274799517e73e96f1ffd089a7797f9fda4b5df34a9ba634fb13bc685ab68733c80594a01d239490d9768f4e7f9ac88f8be24dc540a0032b8657d53cc2c36

  • SSDEEP

    3072:Z9VkLyI8bS7A7WGAXLKEHpImmRxOt47AEsEUgOqWr6:fWN8bS7rjXWEJImmRQ27ADE

Malware Config

Extracted

Family

lokibot

C2

http://rijadeja.online//wp-admin/lang/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

netwire

C2

brioushde.sytes.net:1982

Attributes

  • activex_autorun

    true

  • activex_key

    {54Q7I7SW-LW5J-T8RK-0CO4-V2U623687CI6}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    MPkcWYro

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    true

Targets

    • Target

      3825efd5fcbdde5bd2a250c08d335c91_JaffaCakes118

    • Size

      512KB

    • MD5

      3825efd5fcbdde5bd2a250c08d335c91

    • SHA1

      8337c955226c5568fb81a5cba795ddb34b86ce77

    • SHA256

      782b974af31ff9999e5449f9a675ea18d97d26456a277327b1e492c539e14ece

    • SHA512

      caa5274799517e73e96f1ffd089a7797f9fda4b5df34a9ba634fb13bc685ab68733c80594a01d239490d9768f4e7f9ac88f8be24dc540a0032b8657d53cc2c36

    • SSDEEP

      3072:Z9VkLyI8bS7A7WGAXLKEHpImmRxOt47AEsEUgOqWr6:fWN8bS7rjXWEJImmRQ27ADE

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
