General

  • Target

    9e35a4beee0d3b8df0920fd5f3f9eb6e_JaffaCakes118

  • Size

    782KB

  • Sample

    240611-pvtxraxblb

  • MD5

    9e35a4beee0d3b8df0920fd5f3f9eb6e

  • SHA1

    e6b0a224db2649252a275d8423df0f4f9416fb17

  • SHA256

    0b5f2f86aa2c8593c911b7ba83009e92dca66f466649481a110672c53c6f1183

  • SHA512

    d83992d21d0ceaa7efb9832336a4a8d76265a111de88de6039c7b3216787531e5e16a2612ca0b6c2fda2b328b20b9d8e84260d7f950c40c84779a3e734f86d93

  • SSDEEP

    24576:sLqkmNQ23cx0PK6WHLqkmNQ23cx0PK6W:duQnuQ

Malware Config

Extracted

Family

lokibot

C2

http://pasc.nextlevlcourier.com/herold/ltelsd/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
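The five gate URLs above are the actionable part of this report: a Lokibot beacon is an HTTP POST to the fre.php path, and any host that talks to one of these names should be treated as compromised. The block below is an added example, not code from the report or from the tria.ge service, that turns the extracted C2 list into hunting logic: it pulls the hostnames out, scans proxy log lines for them, grades each hit, and emits Suricata rules for the same indicators. The log format (timestamp, client IP, method, URL, status), the sample log lines, and the sid range are all constructed assumptions for the example.

```python
"""Hunt for the Lokibot C2 URLs extracted in this report in proxy logs."""
import re
from urllib.parse import urlsplit

# C2 gate URLs copied verbatim from the Malware Config section of the report.
LOKIBOT_C2_URLS = [
    "http://pasc.nextlevlcourier.com/herold/ltelsd/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Constructed sample proxy log (assumed format: "<ts> <client> <method> <url> <status>").
# Line 1: a beacon that got a 404 (the POST body still left the host).
# Line 3: host name in upper case, which must still match.
# Line 4: same domain but a different path, worth a lower-confidence hit.
SAMPLE_PROXY_LOG = """\
2024-06-11T14:02:11Z 10.0.0.15 POST http://kbfvzoboss.bid/alien/fre.php 404
2024-06-11T14:02:12Z 10.0.0.15 GET http://www.example.com/index.html 200
2024-06-11T14:02:30Z 10.0.0.22 POST http://ALPHASTAND.TOP/alien/fre.php 200
2024-06-11T14:03:00Z 10.0.0.22 GET http://alphastand.top/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def c2_hosts(urls=LOKIBOT_C2_URLS):
    """Set of lower-cased C2 hostnames; useful on its own for DNS log matching."""
    return {urlsplit(u).hostname.lower() for u in urls}


def c2_host_paths(urls=LOKIBOT_C2_URLS):
    """Set of (hostname, path) pairs for exact gate matching."""
    return {(urlsplit(u).hostname.lower(), urlsplit(u).path) for u in urls}


def match_proxy_log(log_text, urls=LOKIBOT_C2_URLS):
    """Return one dict per log line whose destination host is a known C2 host.

    A POST to the exact gate path is graded "high"; any other request to a
    C2 host is "medium" (same infrastructure, different path or method).
    The HTTP status is deliberately ignored: a 4xx reply does not mean the
    beacon's POST body never reached the server.
    """
    hosts = c2_hosts(urls)
    exact = c2_host_paths(urls)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than fail the whole scan
        ts, client, method, url, status = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host not in hosts:
            continue
        confidence = "high" if (host, parts.path) in exact and method == "POST" else "medium"
        hits.append({"ts": ts, "client": client, "host": host,
                     "path": parts.path, "status": int(status),
                     "confidence": confidence})
    return hits


def to_suricata_rules(urls=LOKIBOT_C2_URLS, sid_start=1000001):
    """Emit one Suricata rule per C2 URL (sticky-buffer syntax, Suricata 5+).

    sid_start is an assumed local sid range; pick one that does not collide
    with your ruleset.
    """
    rules = []
    for i, (host, path) in enumerate(sorted(c2_host_paths(urls))):
        rules.append(
            'alert http $HOME_NET any -> $EXTERNAL_NET any ('
            f'msg:"Lokibot C2 gate {host}{path}"; flow:established,to_server; '
            f'http.host; content:"{host}"; nocase; '
            f'http.uri; content:"{path}"; '
            f'sid:{sid_start + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print("\n".join(to_suricata_rules()))
```

Matching on hostname rather than the full URL string is deliberate: the gate path is trivially changed by the operator, while the domains in the config are what the sample will actually resolve. The `medium` grade exists so that a GET to the bare domain still surfaces for triage instead of being silently dropped.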

Targets

    • Target

      9e35a4beee0d3b8df0920fd5f3f9eb6e_JaffaCakes118

    • Lokibot

      Lokibot is an information stealer that harvests saved passwords from browsers, mail and FTP clients and cryptocurrency wallet data, and posts what it collects to its C2 gate (the fre.php URLs listed above).

    • Drops startup file

      The sample writes a file to a Startup folder so that it is launched again at the next logon; this is the persistence location to check first during response.

    • Reads user/profile data of web browsers

      Infostealers read the browser profile directory, which holds saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

      Outlook account settings, including stored mail-server passwords, are kept in the user's Outlook profile in the registry; Lokibot reads them as part of its credential harvesting.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites another thread's register state. Called on the suspended main thread of a freshly created process, it is the usual final step of process hollowing: the payload is written into the child and the thread's entry point is redirected to it before the thread is resumed.

MITRE ATT&CK Enterprise v15

Tasks