Resubmissions
11-03-2024 18:04
240311-wnnwgscb67 10Behavioral task
behavioral1
Sample
LockBit-V3.zip
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
LockBit-V3.zip
Resource
win10v2004-20240226-en
General
-
Target
LockBit-V3.zip
-
Size
293KB
-
MD5
f35c9e87f63d3f8d4db5b1a01a14e464
-
SHA1
7fd87ed64dbb2780b5deccc0a9d138b3b9402e8b
-
SHA256
4dfa2dcbcfe39550255fcf5daaa4ee3b74e7ea3a32666c91c100fb6b8508544b
-
SHA512
04d8f57d6a592d30b3af8ee96ed2480a2b594b25a37b500613a06aee994705045140ed6f4152c97f17e935122003d45d6ae64fad668a08cf7e6438f48e3167e3
-
SSDEEP
6144:50gWKhB5TA1yAmI28MqQoZNTelXsxRw5Bp0i49h/t1uDcMxDM074:50gWw5rA08MLCeG/i49JEcUE
Malware Config
Extracted
blackmatter
25.239
Signatures
-
Blackmatter family
-
Lockbit family
-
Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
resource yara_rule static1/unpack001/builder.exe family_lockbit -
Unsigned PE 2 IoCs
Checks for missing Authenticode signature.
resource unpack001/builder.exe unpack001/keygen.exe
Files
-
LockBit-V3.zip.zip
Password: infected
-
Build.bat
-
builder.exe.exe windows:5 windows x86 arch:x86
d2e26e45dcb84f1062f90f29a9cf0faa
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
user32
MessageBoxW
kernel32
LoadResource
WriteFile
CreateFileW
ExitProcess
FindResourceW
GetCommandLineW
GetFileSize
GetModuleHandleW
GlobalFree
SizeofResource
LockResource
ReadFile
shell32
CommandLineToArgvW
msvcrt
_wcsicmp
memcpy
memset
sprintf
strchr
strcpy
strlen
strstr
wcscat
wcscpy
wcslen
wcsrchr
localeconv
_stricmp
_strcmpi
tolower
realloc
malloc
free
strtod
strncmp
imagehlp
CheckSumMappedFile
ntdll
RtlFreeHeap
RtlAllocateHeap
NtClose
RtlImageNtHeader
Sections
.text Size: 20KB - Virtual size: 19KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 8KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 438KB - Virtual size: 438KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
-
config.json
-
keygen.exe.exe windows:5 windows x86 arch:x86
73eeda700d0a0376845c61c44155f4a8
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
user32
wsprintfA
kernel32
GetCurrentDirectoryW
WriteFile
CloseHandle
CreateFileW
ExitProcess
GetCommandLineW
GlobalFree
SetCurrentDirectoryW
shell32
CommandLineToArgvW
msvcrt
_wcsicmp
memcpy
memset
free
fputc
exit
calloc
Sections
.text Size: 26KB - Virtual size: 25KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1024B - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
-
macro.vbs.vbs