Behavioral task
behavioral1
Sample
08642599.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
08642599.exe
Resource
win10v2004-20230220-en
General
-
Target
08642599.bin
-
Size
469KB
-
MD5
c2bc344f6dde0573ea9acdfb6698bf4c
-
SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77
-
SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db
-
SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0
-
SSDEEP
12288:CzVXpdg/1MB94JD7RfaVT1hG98P67PNV3giFH6J1VjR3L6dpbQrQyEpInmwuRUfB:CzxjgdRpBq1hG98P67PNV3giFH6J1Vjn
Malware Config
Extracted
blackmatter
25.239
Signatures
-
Blackmatter family
-
Lockbit family
-
Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
resource yara_rule sample family_lockbit -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource 08642599.bin
Files
-
08642599.bin.exe windows x86
d2e26e45dcb84f1062f90f29a9cf0faa
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
user32
MessageBoxW
kernel32
LoadResource
WriteFile
CreateFileW
ExitProcess
FindResourceW
GetCommandLineW
GetFileSize
GetModuleHandleW
GlobalFree
SizeofResource
LockResource
ReadFile
shell32
CommandLineToArgvW
msvcrt
_wcsicmp
memcpy
memset
sprintf
strchr
strcpy
strlen
strstr
wcscat
wcscpy
wcslen
wcsrchr
localeconv
_stricmp
_strcmpi
tolower
realloc
malloc
free
strtod
strncmp
imagehlp
CheckSumMappedFile
ntdll
RtlFreeHeap
RtlAllocateHeap
NtClose
RtlImageNtHeader
Sections
.text Size: 20KB - Virtual size: 19KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 8KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 438KB - Virtual size: 438KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ