Overview

Overall score: 10

Target | Platform | Score
Static analysis | - | 10
Builds.7z | windows7-x64 | 1
Builds.7z | windows10-2004-x64 | 1
Builds/ESX...me.zip | windows7-x64 | 1
Builds/ESX...me.zip | windows10-2004-x64 | 1
Builds/LBB...ad.zip | windows7-x64 | 1
Builds/LBB...ad.zip | windows10-2004-x64 | 1
LBB_PS1.ps1 | windows7-x64 | 5
LBB_PS1.ps1 | windows10-2004-x64 | 9
LBB_PS1_ob...ed.ps1 | windows7-x64 | 3
LBB_PS1_ob...ed.ps1 | windows10-2004-x64 | 3
LBB_PS1_pass.ps1 | windows7-x64 | 10
LBB_PS1_pass.ps1 | windows10-2004-x64 | 10
LBB_Reflec...in.dll | windows7-x64 | 9
LBB_Reflec...in.dll | windows10-2004-x64 | 7
LBB_Rundll32.dll | windows7-x64 | 3
LBB_Rundll32.dll | windows10-2004-x64 | 3
LBB_Rundll32_pass.dll | windows7-x64 | 10
LBB_Rundll32_pass.dll | windows10-2004-x64 | 10
LBB_pass.exe | windows7-x64 | 10
LBB_pass.exe | windows10-2004-x64 | 10
Password_dll.txt | windows7-x64 | 1
Password_dll.txt | windows10-2004-x64 | 1
Password_exe.txt | windows7-x64 | 1
Password_exe.txt | windows10-2004-x64 | 1
Password_ps1.txt | windows7-x64 | 1
Password_ps1.txt | windows10-2004-x64 | 1
Builds/LBG...ok.zip | windows7-x64 | 1
Builds/LBG...ok.zip | windows10-2004-x64 | 1
FC8E43EC21...32.exe | windows7-x64 | 7
FC8E43EC21...32.exe | windows10-2004-x64 | 7
FC8E43EC21...64.exe | windows7-x64 | 7
FC8E43EC21...64.exe | windows10-2004-x64 | 7

Analysis
- max time kernel: 58s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 19-12-2024 22:23
Behavioral tasks

Task | Sample | Resource
behavioral1 | Builds.7z | win7-20241010-en
behavioral2 | Builds.7z | win10v2004-20241007-en
behavioral3 | Builds/ESXi_vx-_____________329D6F9DDBF138D4_19.12.24_i_love_anime.zip | win7-20241010-en
behavioral4 | Builds/ESXi_vx-_____________329D6F9DDBF138D4_19.12.24_i_love_anime.zip | win10v2004-20241007-en
behavioral5 | Builds/LBB_vx-_____________07AAB9B790E0235B_19.12.24_hacking_is_bad.zip | win7-20240903-en
behavioral6 | Builds/LBB_vx-_____________07AAB9B790E0235B_19.12.24_hacking_is_bad.zip | win10v2004-20241007-en
behavioral7 | LBB_PS1.ps1 | win7-20240903-en
behavioral8 | LBB_PS1.ps1 | win10v2004-20241007-en
behavioral9 | LBB_PS1_obfuscated.ps1 | win7-20240903-en
behavioral10 | LBB_PS1_obfuscated.ps1 | win10v2004-20241007-en
behavioral11 | LBB_PS1_pass.ps1 | win7-20241023-en
behavioral12 | LBB_PS1_pass.ps1 | win10v2004-20241007-en
behavioral13 | LBB_ReflectiveDll_DllMain.dll | win7-20240903-en
behavioral14 | LBB_ReflectiveDll_DllMain.dll | win10v2004-20241007-en
behavioral15 | LBB_Rundll32.dll | win7-20240903-en
behavioral16 | LBB_Rundll32.dll | win10v2004-20241007-en
behavioral17 | LBB_Rundll32_pass.dll | win7-20240903-en
behavioral18 | LBB_Rundll32_pass.dll | win10v2004-20241007-en
behavioral19 | LBB_pass.exe | win7-20240729-en
behavioral20 | LBB_pass.exe | win10v2004-20241007-en
behavioral21 | Password_dll.txt | win7-20240903-en
behavioral22 | Password_dll.txt | win10v2004-20241007-en
behavioral23 | Password_exe.txt | win7-20241010-en
behavioral24 | Password_exe.txt | win10v2004-20241007-en
behavioral25 | Password_ps1.txt | win7-20240903-en
behavioral26 | Password_ps1.txt | win10v2004-20241007-en
behavioral27 | Builds/LBG_vx-_____________FC8E43EC21BE9047_19.12.24_hacking_is_illegal_ok.zip | win7-20240903-en
behavioral28 | Builds/LBG_vx-_____________FC8E43EC21BE9047_19.12.24_hacking_is_illegal_ok.zip | win10v2004-20241007-en
behavioral29 | FC8E43EC21BE9047/lbg32.exe | win7-20240903-en
behavioral30 | FC8E43EC21BE9047/lbg32.exe | win10v2004-20241007-en
behavioral31 | FC8E43EC21BE9047/lbg64.exe | win7-20240903-en
behavioral32 | FC8E43EC21BE9047/lbg64.exe | win10v2004-20241007-en
General
- Target: FC8E43EC21BE9047/lbg64.exe
- Size: 49KB
- MD5: 8ff61e4156c10b085e0c2233f24e8501
- SHA1: 69d50a8efd73c619aa36113ec04368db83d9b331
- SHA256: 3552dda80bd6875c1ed1273ca7562c9ace3de2f757266dae70f60bf204089a4a
- SHA512: dbde74b89d498d708215ddfdc9a2a38cb27be931c9fe2d5965aba3c31482a0efbe39913ed17eabe5eae3b5efc9cb369589784e7d9ce5b2e89505c10406038249
- SSDEEP: 768:9pZt6fz03gUYxTSGCoTrxTjA+xqCkEiAOPZAzEZoo6Czcit6OjeB6:jpQRNSGCo64OxAgZUCcicvB6
Malware Config
Signatures

- Credentials from Password Stores: Windows Credential Manager (1 TTPs)
  Suspicious access to Credentials History.

- Deletes itself (1 IoCs)
  pid | Process
  2528 | lbg64.exe

- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Restore-My-Files.txt | lbg64.exe

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\A: | lbg64.exe
  File opened (read-only) | \??\V: | lbg64.exe
  File opened (read-only) | \??\U: | lbg64.exe
  File opened (read-only) | \??\L: | lbg64.exe
  File opened (read-only) | \??\X: | lbg64.exe
  File opened (read-only) | \??\N: | lbg64.exe
  File opened (read-only) | \??\M: | lbg64.exe
  File opened (read-only) | \??\B: | lbg64.exe
  File opened (read-only) | \??\D: | lbg64.exe
  File opened (read-only) | \??\O: | lbg64.exe
  File opened (read-only) | \??\S: | lbg64.exe
  File opened (read-only) | \??\G: | lbg64.exe
  File opened (read-only) | \??\H: | lbg64.exe
  File opened (read-only) | \??\J: | lbg64.exe
  File opened (read-only) | \??\K: | lbg64.exe
  File opened (read-only) | \??\F: | lbg64.exe
  File opened (read-only) | \??\E: | lbg64.exe
  File opened (read-only) | \??\T: | lbg64.exe
  File opened (read-only) | \??\Y: | lbg64.exe
  File opened (read-only) | \??\I: | lbg64.exe
  File opened (read-only) | \??\P: | lbg64.exe
  File opened (read-only) | \??\Z: | lbg64.exe

- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml.841394e8ead0 | lbg64.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\deploy\messages_sv.properties.3795a1657f0d | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT.a69732f6ccbe | lbg64.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties.f4a1569896c0 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML.2a3d14beb866 | lbg64.exe
  File created | C:\Program Files\DVD Maker\ja-JP\Restore-My-Files.txt | lbg64.exe
  File created | C:\Program Files (x86)\Common Files\microsoft shared\VC\Restore-My-Files.txt | lbg64.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\Restore-My-Files.txt | lbg64.exe
  File created | C:\Program Files\Java\jre7\lib\zi\Etc\Restore-My-Files.txt | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\EAWFINTL.DLL.3e98a5726c3a | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\PREVIEW.GIF.3a3e07aaa872 | lbg64.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Puerto_Rico.b3e353215789 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN010.XML.585308d4deec | lbg64.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak.de5e834e4416 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_ON.GIF.97fa6e0f1567 | lbg64.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\af.txt.1f95899d8755 | lbg64.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.2b476fc9d721 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00957_.WMF.a1ec4e55436d | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107258.WMF.6f7d11fdf7a5 | lbg64.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h.22ddfcf6c02e | lbg64.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Cairo.e77f9b757b2d | lbg64.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7.df974bddc315 | lbg64.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Indian\Reunion.4ae4adeee886 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105380.WMF.dfa77bfdc335 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00525_.WMF.5c94cb504668 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_COL.HXC.f06c9f64925c | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ACCSBAR.POC.535a0ac3d19b | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME34.CSS.b407b0d8da80 | lbg64.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar.a90aa0c5dfad | lbg64.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_ja.jar.646601080ad0 | lbg64.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar.88ac273c3ac4 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDBAR98.POC.eea64b8e9426 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.GIF.a5e5434b4993 | lbg64.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar.afd17d454fbd | lbg64.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.smil_1.0.0.v200806040011.jar.4a561f2a2882 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE.2a0c255e5826 | lbg64.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\Restore-My-Files.txt | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099181.WMF.b9902af5fb8d | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB1A.BDR.ff3ac6f7ed3f | lbg64.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Saipan.5cda85d0c298 | lbg64.exe
  File created | C:\Program Files (x86)\Reference Assemblies\Restore-My-Files.txt | lbg64.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\Restore-My-Files.txt | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\utilityfunctions.js.5fecb0f3c5bb | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.211735734d3b | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21325_.GIF.16c0d5faf422 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Users.accdt.0da1afa3b17b | lbg64.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Recife.c9c00aa5ab7d | lbg64.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\pa\Restore-My-Files.txt | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106208.WMF.9774e01b1d63 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0171685.WMF.4ffdb1ddd785 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\BHOINTL.DLL.9ae67f3a3872 | lbg64.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan.d54a9c494b61 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OUTEX.ECF.ae55f84274ba | lbg64.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar.513c6e45539d | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_ON.GIF.8173f113255b | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO.d9d50f5f4517 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02356_.WMF.7e91ec323c4a | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0215086.WMF.463e7b565c8e | lbg64.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Vladivostok.303003bcb204 | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\LightSpirit.css.a14be95345ab | lbg64.exe
  File created | C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt | lbg64.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\Restore-My-Files.txt | lbg64.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\INDST_01.MID.e72ace9f85d7 | lbg64.exe

- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  2528 | lbg64.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2528 | lbg64.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FC8E43EC21BE9047\lbg64.exe"
  - Deletes itself
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  PID: 2528
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores: 2
  - Credentials from Web Browsers: 1
  - Windows Credential Manager: 1
- Unsecured Credentials: 1
  - Credentials In Files: 1
Downloads
- Filesize: 6KB
  MD5: 74a77bd81fa83b32b595eafa20c978ec
  SHA1: 5ce7e2079a61d012d4839a84eb7bb329651a2ead
  SHA256: 49cc31e84e5f3cf75de5d5f58f62ac6c43d9dca726dfc750593129b730a56616
  SHA512: 71accd7c7e1060a696718a4f11a7e04c2f6c16b05dfe4fa12e80878d703a403b7d33861b1315436f881fba37e1a0c3ae2aefc09499f5e7b04b2c582ba0e635e4