lockbit

General

Target

2023-04-23_415c3277868d9be6d62f6155352ba9fb_lockbit
Size

959KB
Sample

230426-ee2bsaeg94
MD5

415c3277868d9be6d62f6155352ba9fb
SHA1

0d919f9a52182dbea2bfae50fa9bd90bd933274e
SHA256

a95000278cb1a755177d270dcfbf214cb73b5a410408345a18ec51b628ff7efa
SHA512

f4dd1a399e3eac6fca2236cdbb830ed8d4600e57bcde888baff1d0d59e9bf7390773447abb07b82a424f21e220c3fa1c57cb8e715a06118e569c141d2ffce6ff
SSDEEP

24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdyF:Ujrc2So1Ff+B3k796U

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: FE51279A28ABA9E1938F42D8261388D1

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\Program Files\Java\jdk1.8.0_66\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: FE51279A28ABA9E1807B78C1786E7EE1

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Targets

- Target
  
  2023-04-23_415c3277868d9be6d62f6155352ba9fb_lockbit
- Size
  
  959KB
- MD5
  
  415c3277868d9be6d62f6155352ba9fb
- SHA1
  
  0d919f9a52182dbea2bfae50fa9bd90bd933274e
- SHA256
  
  a95000278cb1a755177d270dcfbf214cb73b5a410408345a18ec51b628ff7efa
- SHA512
  
  f4dd1a399e3eac6fca2236cdbb830ed8d4600e57bcde888baff1d0d59e9bf7390773447abb07b82a424f21e220c3fa1c57cb8e715a06118e569c141d2ffce6ff
- SSDEEP
  
  24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdyF:Ujrc2So1Ff+B3k796U
Score

10^/10

lockbit discovery persistence ransomware evasion
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2