General

  • Target

    LB3.exe

  • Size

    146KB

  • Sample

    240915-h68rqasanb

  • MD5

    a5f2eeb4c5cbb2c2ff3b103e304c4a37

  • SHA1

    604025da6efc564ae2b3b92c33eb3a2995ca81a4

  • SHA256

    105912c9995a1d718c5442349d2cc4bb99426f75ff34554cdfd9a7272eeca398

  • SHA512

    96e766e4f3aefacada98a5336320db9d26c5d7d5d150125183e5415786b57d46b3383880910cfbdcd0928960d4abcaeba19c0854b0fb4a863391f0b13617bf4e

  • SSDEEP

    1536:NzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDrZ5bKzpnSPyZxedH4UnFgDXv0R:eqJogYkcSNm9V7DmSPNHnFsvCT

Malware Config

Extracted

Path

C:\RCl10Ol9q.README.txt

Ransom Note
~~~ LockBit Black Ransomware Since 2024~~~ >>>> Your data are stolen and encrypted Price = 2000 $ Bitcoin = 328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2 Email = [email protected] Email = [email protected] >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> Your personal DECRYPTION ID: WERTYFG34A48MK4D6D525F3F372263313 + ID Number.README.txt >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
Wallets

328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2

Targets

    • Target

      LB3.exe

    • Size

      146KB

    • MD5

      a5f2eeb4c5cbb2c2ff3b103e304c4a37

    • SHA1

      604025da6efc564ae2b3b92c33eb3a2995ca81a4

    • SHA256

      105912c9995a1d718c5442349d2cc4bb99426f75ff34554cdfd9a7272eeca398

    • SHA512

      96e766e4f3aefacada98a5336320db9d26c5d7d5d150125183e5415786b57d46b3383880910cfbdcd0928960d4abcaeba19c0854b0fb4a863391f0b13617bf4e

    • SSDEEP

      1536:NzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDrZ5bKzpnSPyZxedH4UnFgDXv0R:eqJogYkcSNm9V7DmSPNHnFsvCT

    • Renames multiple (8913) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks