lockbit | Lockbit 3[.]0[.]rar[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

Lockbit 3.0.rar.zip
Size

3.2MB
MD5

c5e2532b405a4042168d82803507102e
SHA1

ae5e8e18c67737b45237a76cdba67b399867de15
SHA256

8d12c959668c4d97a81a341550abac548c7abff782899ff125f408c9d0080176
SHA512

6bb5c6cd58724adb4a8d48f0f6284a37918d6035a270f4d328dd3cb1bb853e42d52f3c239e7b8177d58ebde96286d64d922e9da0692e286355dfa51410c23360
SSDEEP

98304:6PtZDQwGb76CdY/t0oPHZchp/zAqzFJVIbP:6lhQLuCdYbvZchp/zAqzFJibP

Score

10^/10

pdf link lockbit blackmatter

Malware Config

Extracted

Family

blackmatter

Version

25.239

Signatures

Blackmatter family
blackmatter
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
static1/unpack003/LockBit-main/builder.exe	family_lockbit

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
static1/unpack006/Lockbit-Black-3.0-main/Threat Spotlight Lockbit Black 3.0 Ransomware.pdf	pdf_with_link_action

One or more HTTP URLs in PDF identified
Detects presence of HTTP links in PDF files.
pdf link

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack003/LockBit-main/builder.exe
unpack003/LockBit-main/keygen.exe

Files

Lockbit 3.0.rar.zip
.zip

Password: infected
Lockbit 3.0.rar
.rar .zip polyglot

Password: infected
LockBit-main.zip
.zip

Password: infected
LockBit-main/Build.bat
LockBit-main/README.md
.vbs
LockBit-main/builder.exe
.exe windows:5 windows x86 arch:x86

Password: infected

d2e26e45dcb84f1062f90f29a9cf0faa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

user32

MessageBoxW

kernel32

LoadResource
WriteFile
CreateFileW
ExitProcess
FindResourceW
GetCommandLineW
GetFileSize
GetModuleHandleW
GlobalFree
SizeofResource
LockResource
ReadFile

shell32

CommandLineToArgvW

msvcrt

_wcsicmp
memcpy
memset
sprintf
strchr
strcpy
strlen
strstr
wcscat
wcscpy
wcslen
wcsrchr
localeconv
_stricmp
_strcmpi
tolower
realloc
malloc
free
strtod
strncmp

imagehlp

CheckSumMappedFile

ntdll

RtlFreeHeap
RtlAllocateHeap
NtClose
RtlImageNtHeader

Sections

.text
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 438KB - Virtual size: 438KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
LockBit-main/config.json
LockBit-main/keygen.exe
.exe windows:5 windows x86 arch:x86

Password: infected

73eeda700d0a0376845c61c44155f4a8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

user32

wsprintfA

kernel32

GetCurrentDirectoryW
WriteFile
CloseHandle
CreateFileW
ExitProcess
GetCommandLineW
GlobalFree
SetCurrentDirectoryW

shell32

CommandLineToArgvW

msvcrt

_wcsicmp
memcpy
memset
free
fputc
exit
calloc

Sections

.text
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Lockbit-Black-3.0-main.zip
.zip

Password: infected
Lockbit-Black-3.0-main/LICENSE
Lockbit-Black-3.0-main/README.md
Lockbit-Black-3.0-main/Threat Spotlight Lockbit Black 3.0 Ransomware.pdf
.pdf
Password: infected
- https://twitter.com/vxunderground/status/1543661557883740161
- https://twitter.com/WhichbufferArda/status/1543669679637553158
- https://www.cisa.gov/uscert/ncas/alerts/AA19-168A
- https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/
- https://github.com/OALabs/hashdb
- https://github.com/whichbuffer/Lockbit-Black-3.0/blob/main/HLJkNskOq.README.txt
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://attack.mitre.org/techniques/T1078/
- https://attack.mitre.org/techniques/T1190/
- https://attack.mitre.org/techniques/T1133/
- https://attack.mitre.org/tactics/TA0005/
- https://attack.mitre.org/techniques/T1562/001/
- https://attack.mitre.org/techniques/T1070/
- https://attack.mitre.org/techniques/T1027/
- https://attack.mitre.org/tactics/TA0040/
- https://attack.mitre.org/techniques/T1486/
- https://attack.mitre.org/techniques/T1489/
- https://attack.mitre.org/tactics/TA0010/
- https://attack.mitre.org/techniques/T1567/002/
- https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit
- https://yaraify.abuse.ch/yarahub/rule/RANSOM_Lockbit_Black_Packer/
- https://yaraify.abuse.ch/yarahub/rule/LockbitBlack_Loader/
- http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
- http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
- http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
- http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
- http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
- http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
- http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
- http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
- http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
- http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
- http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
- http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
- http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
- http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
- http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
- http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
- http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
- http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
- http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
- http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
- http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
- http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
- http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
- http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
- http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
- http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
- http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
- Show all
Lockbit-Black-3.0-main/{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.zip
.zip

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

Password: infected

Password: infected

d2e26e45dcb84f1062f90f29a9cf0faa

Headers

DLL Characteristics

File Characteristics

Imports

user32

kernel32

shell32

msvcrt

imagehlp

ntdll

Sections

.text Size: 20KB - Virtual size: 19KB

.rdata Size: 2KB - Virtual size: 1KB

.data Size: 8KB - Virtual size: 7KB

.rsrc Size: 438KB - Virtual size: 438KB

Password: infected

73eeda700d0a0376845c61c44155f4a8

Headers

DLL Characteristics

File Characteristics

Imports

user32

kernel32

shell32

msvcrt

Sections

.text Size: 26KB - Virtual size: 25KB

.rdata Size: 3KB - Virtual size: 3KB

.data Size: 1024B - Virtual size: 2KB

Password: infected

Password: infected

.text
Size: 20KB - Virtual size: 19KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 8KB - Virtual size: 7KB

.rsrc
Size: 438KB - Virtual size: 438KB

.text
Size: 26KB - Virtual size: 25KB

.rdata
Size: 3KB - Virtual size: 3KB

.data
Size: 1024B - Virtual size: 2KB