General

  • Target

    Builds.7z

  • Size

    1.8MB

  • Sample

    241219-2a2s3sskck

  • MD5

    484933f81970182e04f190efe2527da1

  • SHA1

    72f0810a0ab7f1398ba9f0b0916ee97115e79cc4

  • SHA256

    3968a850f5bc70d954bb5609d929f181a6f05a117fa3be4531cbd96cedfde5d6

  • SHA512

    d9d5d96e13201de976d23783e077bb1f95af3946a44bd1347d637893e471eefed5d9b0de4a7d84d8d2040decf8cea4e3de83555b2424e58ebbc1c7eb4881e37a

  • SSDEEP

    49152:bor7D7eZFTWD/gjKZ4FhydMzOoSGSW7TeXY:UfeZFT48HSCilTWB

Malware Config

Targets

    • Target

      Builds.7z

    • Size

      1.8MB

    • MD5

      484933f81970182e04f190efe2527da1

    • SHA1

      72f0810a0ab7f1398ba9f0b0916ee97115e79cc4

    • SHA256

      3968a850f5bc70d954bb5609d929f181a6f05a117fa3be4531cbd96cedfde5d6

    • SHA512

      d9d5d96e13201de976d23783e077bb1f95af3946a44bd1347d637893e471eefed5d9b0de4a7d84d8d2040decf8cea4e3de83555b2424e58ebbc1c7eb4881e37a

    • SSDEEP

      49152:bor7D7eZFTWD/gjKZ4FhydMzOoSGSW7TeXY:UfeZFT48HSCilTWB

    Score
    1/10
    • Target

      Builds/ESXi_vx-_____________329D6F9DDBF138D4_19.12.24_i_love_anime.zip

    • Size

      90KB

    • MD5

      f8601b88d1abfe52654dd0726a930f22

    • SHA1

      cf327abab426f1112be9907fa58dae0989f5642e

    • SHA256

      7818967ae2af71f292edd68b9811129706c160240d89babceb6ebe4ae0ff17d5

    • SHA512

      2073e9697358767305c9c55a92d1335a7a20e0d03d2aea59d778038812100aba375e3d9d0367f2b50f24befa8e6cea559d6d86773902c00e3733f1b12a937f32

    • SSDEEP

      1536:5ZaSAisBv/LXkouNev8Ge9bwwzl/njrq8Du2nFSHMx6eXAjZc/RDeJ6E5:56Bb0LNlGAbBNjO8DuWSHMxnXAQM6y

    Score
    1/10
    • Target

      Builds/LBB_vx-_____________07AAB9B790E0235B_19.12.24_hacking_is_bad.zip

    • Size

      980KB

    • MD5

      5e299a2c0bab93ec974ad9ba8b9b72b5

    • SHA1

      74241018f5e7fda31c0124f2c640b5a8742d25b2

    • SHA256

      1336f6c265b29ef4c4c554cadd445dc095816e8b64a584f637dbc319c848346d

    • SHA512

      c91b89e1c86411b018aba7a278db48a7a5c352d609764c3414b3f6322fb7aa00d2cdf520a5f67fa94ffbd39d8de97a3cf229c49f032358a7e3c4fa0f18d91160

    • SSDEEP

      24576:dH5RCutvjMFvwmg7/EUlsJm4vsTYXug+bk13GdSa:dH5RCuFOvwdDFlsJmUCYegYk13Gdr

    Score
    1/10
    • Target

      LBB_PS1.ps1

    • Size

      466KB

    • MD5

      17a7cd1ead2d35ed5d69c71d4fd7386d

    • SHA1

      734400d4444b88fe3848c80e3dba2ad9a5155c56

    • SHA256

      20dd91f589ea77b84c8ed0f67bce837d1f4d7688e56754e709d467db0bea03c9

    • SHA512

      7d5cd9b042229d1076a587b75594a002d379396d6ec889a8aee457a6a5a399130ae0a43fe0863adae23e32e46a7d17d4b55bfc2564cb17e579751161f6778828

    • SSDEEP

      1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJI:VA

    • Renames multiple (146) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      LBB_PS1_obfuscated.ps1

    • Size

      274B

    • MD5

      a8e97fe5a7115e42759d67f7e4d88b0d

    • SHA1

      7a4dce9165f34ca44e79b06f3a07281f6cf08823

    • SHA256

      d9e7a01521d956c5ef3e07153209be63da738eee98902050c06424292d7b1387

    • SHA512

      77126af7f207d4ab854e3293936c73591289ca97211823513941bdae60b9da48fc3b829e2819ef1230f86cb8761eab37f6dca61281b2dfc7209ce471af68422b

    Score
    3/10
    • Target

      LBB_PS1_pass.ps1

    • Size

      590KB

    • MD5

      d96d2bcf13d55740f3bb64d45d2db94d

    • SHA1

      4ded4b1d4866a4adf534f5a4eb66386465fe3120

    • SHA256

      82d89a75d80e80e4be42c9eb79e401558c9fa3175648cd0c0467f2de1a07a908

    • SHA512

      cb1fbe8f36630915796d864c5a044177ea4ad881281ec454f932232fff99ce0524fb63becd96581a23cfe12bc455d55b613aaa389aa0a68fac97748400f473bd

    • SSDEEP

      1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJh:QA

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Target

      LBB_ReflectiveDll_DllMain.dll

    • Size

      113KB

    • MD5

      ab5bdca69285d4838af12117c910bfde

    • SHA1

      208060cf988f1702124504bae0c6a4addbeb6db3

    • SHA256

      5594fea724aa3a124b259e81999f20affecb2238f7e517c56c450a3a311ab2bd

    • SHA512

      33c8cb31dd142defcf52ddadaa540d86d8fdd586ad3f0f280d90c66279cf09229edde08efb9daac81383f65ba171b86344c4e5c6343b02270bfa92201e08f547

    • SSDEEP

      3072:+/fNzovq5EKHttru48dBVFktgraAyHXU:+/Gvq5EKH6zdrFPraA

    • Renames multiple (196) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      LBB_Rundll32.dll

    • Size

      158KB

    • MD5

      0682f7cfceb51d4a6a213b9fe4159ad2

    • SHA1

      777833fdaf0c1e5d03dde300dba3947a9b65c656

    • SHA256

      00aa54bfab3963a2c006058e48cde42e299811f9b85acbc69406c5bfb331f789

    • SHA512

      72d79387ca0d9579d7a7bb7c6c729048bd1321fd07653cb7cbc9bedcc217fd18414b02b46f83843b3f90d0841fc61f24f0ef19700326d8a8aaf6366a00bc5113

    • SSDEEP

      3072:thKVNA/3U+Z15B5RPu+zYNkQA1Izqa26odDWtiSCC8lvdLW:thoyUyX5RPu+zY6+Wa26iDWsSCC8lvI

    Score
    3/10
    • Target

      LBB_Rundll32_pass.dll

    • Size

      154KB

    • MD5

      b51e42d419218e70b0ae216c3ac57784

    • SHA1

      f3023c627d1dce8d5ff4e6733af420df350fdda7

    • SHA256

      a98fb2671ae63d179c1cf39d163a4b3dbf769c9951a0ebad5d4c76244752253e

    • SHA512

      96fa388526984f3976ddb5f5376af88200e3d85bc41754556f9b00be32c81332d52aeb5b1e0387ce83be220f34199a88379aa9c90f679eb17ac10f9cf8714f37

    • SSDEEP

      3072:sUM/b6nriEhhyj26gWNOm18JcdwgqYUkSvVDjogUliww56T9tEtc:sUsmr7yX3Um18JcdwgqYUkCRjorqGTP

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Target

      LBB_pass.exe

    • Size

      156KB

    • MD5

      0e38243dcb91851f0646140a16d6832d

    • SHA1

      d5a11399206c54ef1bd11945a5f6a0d721c4a6c9

    • SHA256

      635e9ca3baae7e32225f05d16159e339a297a4c1b749e5a8e81ffc8df3c5c37c

    • SHA512

      8198cf16b815c697e94b8b19b7555191189d6eba2e0bc2b5690277244dcf7da74907d95d8a10bb9bf43a23ae94e5fb57d062c00f947fe8558c9ef633bb066b0e

    • SSDEEP

      3072:iMvRBMY5u+t3YSs1C439/FgfDcTDnHNszfp0QoHkIgep3i8Skb4wE4Ab:ikBS+5YSsdLTH6zfQEupRUb

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Target

      Password_dll.txt

    • Size

      1KB

    • MD5

      90d07bc0f8a025f2ca071ceda59dc9e0

    • SHA1

      28da80a9333fe780414e7e0368998a2408d477e4

    • SHA256

      def3ca6cba392323badcce705c2a84db290b6202c993ca72f212e135339c3f52

    • SHA512

      778ea930fc0e00d8fd5b4549034dc9ed0abee67435a057962ed69524aa715a956a7620dcdaf0e3e0a32467214fb411548fe44ccd17ada9ae1eafae79ac71b89d

    Score
    1/10
    • Target

      Password_exe.txt

    • Size

      2KB

    • MD5

      903c40280e90374e014fc11eb95d519c

    • SHA1

      234d6419aa259977594982cac94f695999b0e66a

    • SHA256

      c209135916377b1cabde1fe0f772078dd28eb255217ee8051759867ce2571bd8

    • SHA512

      377a5943198d2fdc3a7015a2d87338fc2ba3cabdf4f69ce2a13617894cd3ed19d6205e3bea97ac63279f5742dcce5a52e0feedcedcfd07e12a170336dd49407f

    Score
    1/10
    • Target

      Password_ps1.txt

    • Size

      1KB

    • MD5

      e931c9344b1923f85b1290db7c3d63ff

    • SHA1

      bc88433836de3dbc030370a382811fedc8f555c2

    • SHA256

      fc44ae36e72db6c552ddbd7c4018fec472040c14d8026ecc265e934f198d6a3d

    • SHA512

      b9be027a71f848c46326afe127ed6b1bab7585c41b6c338193cc8ddbe3b8ef77a899896dd8b6c27fc4e33cb460181daf76fb411903100e26d290b23984936125

    Score
    1/10
    • Target

      Builds/LBG_vx-_____________FC8E43EC21BE9047_19.12.24_hacking_is_illegal_ok.zip

    • Size

      104KB

    • MD5

      be56768da1843725c5e270aea1faabc0

    • SHA1

      63573f687f70711a4a7f91c308e7edea95d8d767

    • SHA256

      b988dfd6339f208ff78a417e52e46c33f6c829529c84acb32f9a992816c12a41

    • SHA512

      a4b5d01245e1b17545ba4540f5239cf3ee412115116721e30f190234c8e38cca734dca89c17272e2ff1548a2f357e3be52c2e8713432a5e2a448539e04fd16bb

    • SSDEEP

      3072:kV08Ti7c5bOIT1heswd4hJKFwkWq1XODuH1SmOA:kV5Ti73ITdY4hJKqkdODoAA

    Score
    1/10
    • Target

      FC8E43EC21BE9047/lbg32.exe

    • Size

      60KB

    • MD5

      c5cc3c5cef6b382568a54f579b2965ff

    • SHA1

      e85b5bf2fd1ea0d5d71841f2cc8d46fc2055c22b

    • SHA256

      48e2033a286775c3419bea8702a717de0b2aaf1e737ef0e6b3bf31ef6ae00eb5

    • SHA512

      74d93ba3dc7b3fdfafe30663162dad3fee0b278d12fea527eb535b4eb25979dcc365b49cb702ac9c2addbb0ee550310759e88c2657b61a2b0e4906d4099281eb

    • SSDEEP

      1536:SAndsqiqdYMRgIaN04k27Gtdf/3U9s1iGbQTqL9:Fds3vIaN04kKGhjmq

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      FC8E43EC21BE9047/lbg64.exe

    • Size

      49KB

    • MD5

      8ff61e4156c10b085e0c2233f24e8501

    • SHA1

      69d50a8efd73c619aa36113ec04368db83d9b331

    • SHA256

      3552dda80bd6875c1ed1273ca7562c9ace3de2f757266dae70f60bf204089a4a

    • SHA512

      dbde74b89d498d708215ddfdc9a2a38cb27be931c9fe2d5965aba3c31482a0efbe39913ed17eabe5eae3b5efc9cb369589784e7d9ce5b2e89505c10406038249

    • SSDEEP

      768:9pZt6fz03gUYxTSGCoTrxTjA+xqCkEiAOPZAzEZoo6Czcit6OjeB6:jpQRNSGCo64OxAgZUCcicvB6

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks

static1

lockbit
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

discovery, execution
Score
5/10

behavioral8

defense_evasion, discovery, execution, ransomware
Score
9/10

behavioral9

execution
Score
3/10

behavioral10

execution
Score
3/10

behavioral11

lockbit, discovery, execution, ransomware
Score
10/10

behavioral12

lockbit, discovery, execution, ransomware
Score
10/10

behavioral13

defense_evasion, discovery, ransomware
Score
9/10

behavioral14

defense_evasion, discovery
Score
7/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

lockbit, discovery, ransomware
Score
10/10

behavioral18

lockbit, discovery, ransomware
Score
10/10

behavioral19

lockbit, discovery, ransomware
Score
10/10

behavioral20

lockbit, discovery, ransomware
Score
10/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

discovery, spyware, stealer
Score
7/10

behavioral30

credential_access, discovery, stealer
Score
7/10

behavioral31

credential_access, discovery, spyware, stealer
Score
7/10

behavioral32

credential_access, discovery, spyware, stealer
Score
7/10