lockbit | 7863e4bbb47ce09dc7fb0616d11abeb6[.]bin

Sharing

Copy URL

Twitter E-mail

General

Target

7863e4bbb47ce09dc7fb0616d11abeb6.bin
Size

886KB
MD5

7863e4bbb47ce09dc7fb0616d11abeb6
SHA1

f709bf15fc59f01023920356ec2edae2d29b5be1
SHA256

b094665ec4cdca6d8e9b9f63d8d71b1b9263eda12f1fdd1d8aa820dbf4c231f6
SHA512

222464fbbdbf6e02e7f72b84d305f11041c7513d63e085870bb528a43d6c647546f50bf4cfc3f498c2808910ce9d8bacc89d3a466c3576ee8aebc6aeee13b024
SSDEEP

12288:zwIQcvpnYgqqkl+138+2S7caa6Fo9qfkwSqKH0XPkNBIVDhyT40/k+9qkRkmFFbX:xRnUl2LtHFoLc5XPkN+VQQkR9Jb8cA7q

Score

10^/10

lockbit blackmatter

Malware Config

Extracted

Family

blackmatter

Version

65.239

Signatures

Blackmatter family
blackmatter
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 4 IoCs

Processes:

resource	yara_rule
static1/unpack001/Build/LB3.exe	family_lockbit
static1/unpack001/Build/LB3_Rundll32_pass.dll	family_lockbit
static1/unpack001/Build/LB3_pass.exe	family_lockbit
static1/unpack001/builder.exe	family_lockbit

Unsigned PE 8 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/Build/LB3.exe
unpack001/Build/LB3Decryptor.exe
unpack001/Build/LB3_ReflectiveDll_DllMain.dll
unpack001/Build/LB3_Rundll32.dll
unpack001/Build/LB3_Rundll32_pass.dll
unpack001/Build/LB3_pass.exe
unpack001/builder.exe
unpack001/keygen.exe

Files

7863e4bbb47ce09dc7fb0616d11abeb6.bin
.zip

Password: infected
Build.bat
Build/DECRYPTION_ID.txt
Build/LB3.exe
.exe windows:5 windows x86 arch:x86

Password: infected

41fb8cb2943df6de998b35a9d28668e8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

gdi32

SetPixel
SetDCBrushColor
SelectPalette
GetTextColor
GetDeviceCaps
CreateSolidBrush

user32

DefWindowProcW
CreateMenu
EndDialog
GetDlgItem
GetKeyNameTextW
GetMessageW
GetWindowTextW
IsDlgButtonChecked
LoadImageW
LoadMenuW
DialogBoxParamW

kernel32

SetLastError
LoadLibraryW
GetTickCount
GetLastError
GetCommandLineW
GetCommandLineA
FreeLibrary

Sections

.text
Size: 95KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 40KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Build/LB3Decryptor.exe
.exe windows:5 windows x86 arch:x86

Password: infected

4585cfc85e0cd554d6b5d4bf1bb3d5e4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

user32

EnableWindow
DialogBoxParamW
SetDlgItemInt
SetSysColors
SetTimer
SetWindowPos
SetWindowTextW
SystemParametersInfoW
EndDialog
SendMessageW
MessageBoxW
LoadIconW
KillTimer
GetDlgItem

kernel32

WriteFile
WriteConsoleW
WaitForSingleObject
WaitForMultipleObjects
Sleep
SetThreadPriority
SetFilePointerEx
CloseHandle
CreateFileW
CreateIoCompletionPort
CreateThread
DeleteFileW
ExitProcess
FindClose
FindFirstFileExW
FindNextFileW
FlushConsoleInputBuffer
GetCommandLineW
GetConsoleWindow
GetDriveTypeW
GetExitCodeThread
GetFileAttributesW
GetFileSize
GetFileSizeEx
GetLogicalDriveStringsW
GetModuleHandleW
GetProcAddress
GetQueuedCompletionStatus
GetStdHandle
GlobalFree
HeapSetInformation
InterlockedIncrement
IsBadReadPtr
MoveFileExW
PostQueuedCompletionStatus
ReadFile
ResumeThread
SetConsoleTextAttribute
SetConsoleTitleW
SetEndOfFile
SetFileAttributesW

comctl32

InitCommonControls

shell32

SHGetSpecialFolderPathW
CommandLineToArgvW
SHChangeNotify
DragQueryFileW

msvcrt

wcslen
wcsrchr
_getch
_kbhit
_wcsicmp
memcpy
memmove
memset
swprintf
wcscat
wcscpy

advapi32

MD5Update
MD5Init
MD5Final
ConvertSidToStringSidW
RegDeleteKeyW
RegSetValueExW
RegCreateKeyExW

ntdll

RtlDeleteCriticalSection
RtlDestroyHeap
RtlCreateHeap
RtlFreeHeap
RtlInitializeCriticalSection
RtlLeaveCriticalSection
RtlReAllocateHeap
NtClose
RtlAllocateHeap
RtlAdjustPrivilege
NtTerminateThread
NtSetInformationThread
NtSetInformationProcess
NtQuerySystemInformation
NtQueryInformationToken
NtOpenProcessToken
NtOpenProcess
NtDuplicateToken
RtlEnterCriticalSection

shlwapi

PathFindFileNameW
PathIsDirectoryEmptyW
PathFindExtensionW
PathFileExistsW
PathIsNetworkPathW
PathIsDirectoryW
PathRemoveFileSpecW
PathAppendW

mpr

WNetAddConnection2W
WNetGetUniversalNameW

Sections

.text
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 792B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Build/LB3_ReflectiveDll_DllMain.dll
.dll windows:5 windows x86 arch:x86

Password: infected

b1826e7d9522633dc1f4953f25424ce3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

gdi32

CreateDIBitmap
TextOutW
SetTextColor
SetDCBrushColor
GetTextColor
GetTextCharset
GetPixel
BitBlt

user32

CreateDialogParamW
CreateWindowExW
DialogBoxParamW
GetDlgItem
GetDlgItemTextW
GetKeyNameTextW
LoadImageW

kernel32

GetTickCount
SetLastError
LoadLibraryW
LoadLibraryExA
GetFileAttributesW
GetProcAddress
GetModuleHandleW
GetLastError

Sections

.text
Size: 68KB - Virtual size: 68KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 23KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Build/LB3_Rundll32.dll
.dll windows:5 windows x86 arch:x86

Password: infected

b750c147c0bcc8b349e4f1143ac1432e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

gdi32

GetDeviceCaps
SetTextColor
SetPixel
SetDCBrushColor
GetTextMetricsW
GetTextCharset
CreateDIBitmap

user32

CreateMenu
DialogBoxParamW
GetDlgItemTextW
IsDlgButtonChecked

kernel32

GetTickCount
GetProcAddress
GetModuleHandleA
GetLastError
GetCommandLineW
GetCommandLineA
FreeLibrary

Exports

Exports

del
gdel
gdll
gmod
pmod
sdll
wdll

Sections

.text
Size: 93KB - Virtual size: 93KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 40KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Build/LB3_Rundll32_pass.dll
.dll windows:5 windows x86 arch:x86

Password: infected

b750c147c0bcc8b349e4f1143ac1432e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

gdi32

GetDeviceCaps
SetTextColor
SetPixel
SetDCBrushColor
GetTextMetricsW
GetTextCharset
CreateDIBitmap

user32

CreateMenu
DialogBoxParamW
GetDlgItemTextW
IsDlgButtonChecked

kernel32

GetTickCount
GetProcAddress
GetModuleHandleA
GetLastError
GetCommandLineW
GetCommandLineA
FreeLibrary

Exports

Exports

del
gdel
gdll
gmod
pmod
sdll
wdll

Sections

.text
Size: 93KB - Virtual size: 93KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.itext
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 40KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Build/LB3_pass.exe
.exe windows:5 windows x86 arch:x86

Password: infected

41fb8cb2943df6de998b35a9d28668e8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

gdi32

SetPixel
SetDCBrushColor
SelectPalette
GetTextColor
GetDeviceCaps
CreateSolidBrush

user32

DefWindowProcW
CreateMenu
EndDialog
GetDlgItem
GetKeyNameTextW
GetMessageW
GetWindowTextW
IsDlgButtonChecked
LoadImageW
LoadMenuW
DialogBoxParamW

kernel32

SetLastError
LoadLibraryW
GetTickCount
GetLastError
GetCommandLineW
GetCommandLineA
FreeLibrary

Sections

.text
Size: 95KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.itext
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 40KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Build/Password_dll.txt
Build/Password_exe.txt
Build/priv.key
Build/pub.key
builder.exe
.exe windows:5 windows x86 arch:x86

Password: infected

d2e26e45dcb84f1062f90f29a9cf0faa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

user32

MessageBoxW

kernel32

LoadResource
WriteFile
CreateFileW
ExitProcess
FindResourceW
GetCommandLineW
GetFileSize
GetModuleHandleW
GlobalFree
SizeofResource
LockResource
ReadFile

shell32

CommandLineToArgvW

msvcrt

_wcsicmp
memcpy
memset
sprintf
strchr
strcpy
strlen
strstr
wcscat
wcscpy
wcslen
wcsrchr
localeconv
_stricmp
_strcmpi
tolower
realloc
malloc
free
strtod
strncmp

imagehlp

CheckSumMappedFile

ntdll

RtlFreeHeap
RtlAllocateHeap
NtClose
RtlImageNtHeader

Sections

.text
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 439KB - Virtual size: 438KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
config.json
keygen.exe
.exe windows:5 windows x86 arch:x86

Password: infected

73eeda700d0a0376845c61c44155f4a8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

user32

wsprintfA

kernel32

GetCurrentDirectoryW
WriteFile
CloseHandle
CreateFileW
ExitProcess
GetCommandLineW
GlobalFree
SetCurrentDirectoryW

shell32

CommandLineToArgvW

msvcrt

_wcsicmp
memcpy
memset
free
fputc
exit
calloc

Sections

.text
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

41fb8cb2943df6de998b35a9d28668e8

Headers

DLL Characteristics

File Characteristics

Imports

gdi32

user32

kernel32

Sections

.text Size: 95KB - Virtual size: 95KB

.itext Size: 1KB - Virtual size: 1KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 40KB - Virtual size: 43KB

.pdata Size: 10KB - Virtual size: 9KB

.reloc Size: 4KB - Virtual size: 3KB

Password: infected

4585cfc85e0cd554d6b5d4bf1bb3d5e4

Headers

DLL Characteristics

File Characteristics

Imports

user32

kernel32

comctl32

shell32

msvcrt

advapi32

ntdll

shlwapi

mpr

Sections

.text Size: 17KB - Virtual size: 16KB

.rdata Size: 3KB - Virtual size: 3KB

.data Size: 2KB - Virtual size: 4KB

.data Size: 8KB - Virtual size: 8KB

.rsrc Size: 22KB - Virtual size: 21KB

.reloc Size: 1024B - Virtual size: 792B

Password: infected

b1826e7d9522633dc1f4953f25424ce3

Headers

DLL Characteristics

File Characteristics

Imports

gdi32

user32

kernel32

Sections

.text Size: 68KB - Virtual size: 68KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 23KB - Virtual size: 24KB

.pdata Size: 10KB - Virtual size: 9KB

.reloc Size: 3KB - Virtual size: 2KB

Password: infected

b750c147c0bcc8b349e4f1143ac1432e

Headers

DLL Characteristics

File Characteristics

Imports

gdi32

user32

kernel32

Exports

Exports

Sections

.text Size: 93KB - Virtual size: 93KB

.itext Size: 2KB - Virtual size: 1KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 40KB - Virtual size: 43KB

.pdata Size: 10KB - Virtual size: 9KB

.reloc Size: 4KB - Virtual size: 3KB

Password: infected

b750c147c0bcc8b349e4f1143ac1432e

.text
Size: 95KB - Virtual size: 95KB

.itext
Size: 1KB - Virtual size: 1KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 40KB - Virtual size: 43KB

.pdata
Size: 10KB - Virtual size: 9KB

.reloc
Size: 4KB - Virtual size: 3KB

.text
Size: 17KB - Virtual size: 16KB

.rdata
Size: 3KB - Virtual size: 3KB

.data
Size: 2KB - Virtual size: 4KB

.data
Size: 8KB - Virtual size: 8KB

.rsrc
Size: 22KB - Virtual size: 21KB

.reloc
Size: 1024B - Virtual size: 792B

.text
Size: 68KB - Virtual size: 68KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 23KB - Virtual size: 24KB

.pdata
Size: 10KB - Virtual size: 9KB

.reloc
Size: 3KB - Virtual size: 2KB

.text
Size: 93KB - Virtual size: 93KB

.itext
Size: 2KB - Virtual size: 1KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 40KB - Virtual size: 43KB

.pdata
Size: 10KB - Virtual size: 9KB

.reloc
Size: 4KB - Virtual size: 3KB

.text
Size: 93KB - Virtual size: 93KB

.itext
Size: 2KB - Virtual size: 1KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 40KB - Virtual size: 43KB

.pdata
Size: 10KB - Virtual size: 9KB

.text
Size: 95KB - Virtual size: 95KB

.itext
Size: 1KB - Virtual size: 1KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 40KB - Virtual size: 43KB

.pdata
Size: 10KB - Virtual size: 9KB

.text
Size: 20KB - Virtual size: 19KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 8KB - Virtual size: 7KB

.rsrc
Size: 439KB - Virtual size: 438KB

.text
Size: 26KB - Virtual size: 25KB

.rdata
Size: 3KB - Virtual size: 3KB

.data
Size: 1024B - Virtual size: 2KB