Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
288s -
max time network
291s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
06/12/2024, 10:40 UTC
Static task
static1
Behavioral task
behavioral1
Sample
Stealer.zip
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral2
Sample
Stealer/Azorult.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
Stealer/Lokibot.exe
-
Size
300KB
-
MD5
f52fbb02ac0666cae74fc389b1844e98
-
SHA1
f7721d590770e2076e64f148a4ba1241404996b8
-
SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683
-
SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0
-
SSDEEP
3072:bGSHTJKB/DA8SBV7Nr6JD6u8w/CpLmrCpLmlrudATPTVWZV5wx3nu9B6jFdnp:bGSzYBchvEJD6LpZj+PTa7wx36AjX
Malware Config
Extracted
lokibot
http://blesblochem.com/two/gates1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot family
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral3/memory/2152-2-0x0000000000B90000-0x0000000000BA4000-memory.dmp agile_net -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Lokibot.exe Key opened \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Lokibot.exe Key opened \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Lokibot.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2152 set thread context of 1676 2152 Lokibot.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokibot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokibot.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2152 Lokibot.exe 2152 Lokibot.exe 2152 Lokibot.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1676 Lokibot.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 2152 Lokibot.exe Token: SeDebugPrivilege 4088 taskmgr.exe Token: SeSystemProfilePrivilege 4088 taskmgr.exe Token: SeCreateGlobalPrivilege 4088 taskmgr.exe Token: 33 4088 taskmgr.exe Token: SeIncBasePriorityPrivilege 4088 taskmgr.exe Token: SeDebugPrivilege 1676 Lokibot.exe -
Suspicious use of FindShellTrayWindow 31 IoCs
pid Process 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe -
Suspicious use of SendNotifyMessage 31 IoCs
pid Process 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe 4088 taskmgr.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2152 wrote to memory of 1676 2152 Lokibot.exe 87 PID 2152 wrote to memory of 1676 2152 Lokibot.exe 87 PID 2152 wrote to memory of 1676 2152 Lokibot.exe 87 PID 2152 wrote to memory of 1676 2152 Lokibot.exe 87 PID 2152 wrote to memory of 1676 2152 Lokibot.exe 87 PID 2152 wrote to memory of 1676 2152 Lokibot.exe 87 PID 2152 wrote to memory of 1676 2152 Lokibot.exe 87 PID 2152 wrote to memory of 1676 2152 Lokibot.exe 87 PID 2152 wrote to memory of 1676 2152 Lokibot.exe 87 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Lokibot.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Lokibot.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stealer\Lokibot.exe"C:\Users\Admin\AppData\Local\Temp\Stealer\Lokibot.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Users\Admin\AppData\Local\Temp\Stealer\Lokibot.exe"C:\Users\Admin\AppData\Local\Temp\Stealer\Lokibot.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1676
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4088
Network
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request136.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request200.163.202.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestcheckappexec.microsoft.comIN AResponsecheckappexec.microsoft.comIN CNAMEprod-atm-wds-apprep.trafficmanager.netprod-atm-wds-apprep.trafficmanager.netIN CNAMEprod-agic-us-2.uksouth.cloudapp.azure.comprod-agic-us-2.uksouth.cloudapp.azure.comIN A172.165.69.228
-
Remote address:8.8.8.8:53Requestcheckappexec.microsoft.comIN A
-
Remote address:8.8.8.8:53Request73.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:172.165.69.228:443RequestPOST /windows/shell/actions HTTP/2.0
host: checkappexec.microsoft.com
accept-encoding: gzip, deflate
user-agent: SmartScreen/2814751014982010
authorization: SmartScreenHash eyJhdXRoSWQiOiJhZGZmZjVhZC1lZjllLTQzYTYtYjFhMy0yYWQ0MjY3YWVlZDUiLCJoYXNoIjoiaFREa0VKWUdEcmc9Iiwia2V5IjoiMjYyQzhZcWNIcHNuN25qTXk1YkE1dz09In0=
content-length: 1161
content-type: application/json; charset=utf-8
cache-control: no-cache
ResponseHTTP/2.0 200
content-type: application/json; charset=utf-8
content-length: 183
server: Kestrel
cache-control: max-age=0, private
request-context: appId=cid-v1:7f05e9f0-1fe6-401c-8ae7-2478e40e2f1e
-
Remote address:8.8.8.8:53Request228.69.165.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestblesblochem.comIN AResponseblesblochem.comIN A34.227.7.138
-
Remote address:34.227.7.138:80RequestPOST /two/gates1/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: blesblochem.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 210DDB56
Content-Length: 358
Connection: close
ResponseHTTP/1.1 200 OK
Date: Fri, 06 Dec 2024 10:41:57 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=ab7153bb28611a85b7b7c3d1836adf82|181.215.176.83|1733481717|1733481717|0|1|0; path=/; domain=.blesblochem.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
Remote address:34.227.7.138:80RequestPOST /two/gates1/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: blesblochem.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 210DDB56
Content-Length: 180
Connection: close
ResponseHTTP/1.1 200 OK
Date: Fri, 06 Dec 2024 10:41:57 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=191c3634b1b2f428da7299b333e41e95|181.215.176.83|1733481717|1733481717|0|1|0; path=/; domain=.blesblochem.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
Remote address:34.227.7.138:80RequestPOST /two/gates1/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: blesblochem.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 210DDB56
Content-Length: 153
Connection: close
ResponseHTTP/1.1 200 OK
Date: Fri, 06 Dec 2024 10:41:57 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=51e4ad8abf7611d6ab8211984f1545ed|181.215.176.83|1733481717|1733481717|0|1|0; path=/; domain=.blesblochem.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
Remote address:8.8.8.8:53Request138.7.227.34.in-addr.arpaIN PTRResponse138.7.227.34.in-addr.arpaIN PTRec2-34-227-7-138 compute-1 amazonawscom
-
Remote address:8.8.8.8:53Request134.130.81.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:34.227.7.138:80RequestPOST /two/gates1/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: blesblochem.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 210DDB56
Content-Length: 153
Connection: close
ResponseHTTP/1.1 200 OK
Date: Fri, 06 Dec 2024 10:42:58 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=5d6181cb494f21f506aec812be28b6b5|181.215.176.83|1733481778|1733481778|0|1|0; path=/; domain=.blesblochem.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
Remote address:34.227.7.138:80RequestPOST /two/gates1/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: blesblochem.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 210DDB56
Content-Length: 153
Connection: close
ResponseHTTP/1.1 200 OK
Date: Fri, 06 Dec 2024 10:43:58 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=c6c05d2ce5d558d51b01a3a79b39e860|181.215.176.83|1733481838|1733481838|0|1|0; path=/; domain=.blesblochem.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
Remote address:34.227.7.138:80RequestPOST /two/gates1/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: blesblochem.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 210DDB56
Content-Length: 153
Connection: close
ResponseHTTP/1.1 200 OK
Date: Fri, 06 Dec 2024 10:44:58 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=f2e7f5f567199e0ec7db9e3c619c9748|181.215.176.83|1733481898|1733481898|0|1|0; path=/; domain=.blesblochem.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
Remote address:34.227.7.138:80RequestPOST /two/gates1/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: blesblochem.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 210DDB56
Content-Length: 153
Connection: close
ResponseHTTP/1.1 200 OK
Date: Fri, 06 Dec 2024 10:45:59 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=f0ee7c30c3475acb5efaf269de44d93d|181.215.176.83|1733481959|1733481959|0|1|0; path=/; domain=.blesblochem.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
4.4kB 9.8kB 25 21
HTTP Request
POST https://checkappexec.microsoft.com/windows/shell/actionsHTTP Response
200 -
874 B 638 B 6 6
HTTP Request
POST http://blesblochem.com/two/gates1/fre.phpHTTP Response
200 -
696 B 630 B 6 6
HTTP Request
POST http://blesblochem.com/two/gates1/fre.phpHTTP Response
200 -
669 B 630 B 6 6
HTTP Request
POST http://blesblochem.com/two/gates1/fre.phpHTTP Response
200 -
669 B 630 B 6 6
HTTP Request
POST http://blesblochem.com/two/gates1/fre.phpHTTP Response
200 -
669 B 630 B 6 6
HTTP Request
POST http://blesblochem.com/two/gates1/fre.phpHTTP Response
200 -
623 B 630 B 5 6
HTTP Request
POST http://blesblochem.com/two/gates1/fre.phpHTTP Response
200 -
669 B 630 B 6 6
HTTP Request
POST http://blesblochem.com/two/gates1/fre.phpHTTP Response
200
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
136.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
74 B 160 B 1 1
DNS Request
200.163.202.172.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
144 B 192 B 2 1
DNS Request
checkappexec.microsoft.com
DNS Request
checkappexec.microsoft.com
DNS Response
172.165.69.228
-
71 B 157 B 1 1
DNS Request
73.31.126.40.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.69.165.172.in-addr.arpa
-
61 B 77 B 1 1
DNS Request
blesblochem.com
DNS Response
34.227.7.138
-
71 B 125 B 1 1
DNS Request
138.7.227.34.in-addr.arpa
-
72 B 147 B 1 1
DNS Request
134.130.81.91.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
29.243.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1263212995-3575756360-1418101905-1000\0f5007522459c86e95ffcc62f32308f1_a8fd9071-ac9a-4bc7-aeb7-af97375ffbf1
Filesize46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1263212995-3575756360-1418101905-1000\0f5007522459c86e95ffcc62f32308f1_a8fd9071-ac9a-4bc7-aeb7-af97375ffbf1
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61