General

  • Target

    RLOI JS01-2.exe

  • Size

    370KB

  • Sample

    221005-asbwtschh2

  • MD5

    82773c3d9fe4c2aecf34451f482e29c4

  • SHA1

    6051b7f6a267911b4536c8c467b7237ccfd0cece

  • SHA256

    c48c54a2b2b453e86b248a1ea9dbfe0d5b533db99e431dc8635c2763420c1afd

  • SHA512

    e7c9eb748f5f1531273475afd563dd6e7da3a1731f7835d0b3b613675aa9065539f00fb320fe121f1999d012b4e7c9a9c220868e09533331b8d4dd0e0953a016

  • SSDEEP

    6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/cr+GM3qnWEbhGi:lToPWBv/cpGrU3y8tGclMreX

Malware Config

Targets


    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    T1081 Credentials in Files (1)

  • Discovery

    T1012 Query Registry (1)
    T1082 System Information Discovery (2)

  • Collection

    T1005 Data from Local System (1)
    T1114 Email Collection (1)
