Overview
overview
10Static
static
10329D6F9DDB...I_I386
ubuntu-22.04-amd64
329D6F9DDB...XI_X64
ubuntu-24.04-amd64
8LBB.exe
windows7-x64
9LBB.exe
windows10-2004-x64
9LBB_PS1.ps1
windows7-x64
5LBB_PS1.ps1
windows10-2004-x64
9LBB_PS1_ob...ed.ps1
windows7-x64
3LBB_PS1_ob...ed.ps1
windows10-2004-x64
3LBB_PS1_pass.ps1
windows7-x64
10LBB_PS1_pass.ps1
windows10-2004-x64
10LBB_Reflec...in.dll
windows7-x64
9LBB_Reflec...in.dll
windows10-2004-x64
7LBB_Rundll32.dll
windows7-x64
3LBB_Rundll32.dll
windows10-2004-x64
3LBB_Rundll32_pass.dll
windows7-x64
10LBB_Rundll32_pass.dll
windows10-2004-x64
10LBB_pass.exe
windows7-x64
10LBB_pass.exe
windows10-2004-x64
10FC8E43EC21...32.exe
windows7-x64
7FC8E43EC21...32.exe
windows10-2004-x64
7FC8E43EC21...64.exe
windows7-x64
7FC8E43EC21...64.exe
windows10-2004-x64
7General
-
Target
Builds.7z
-
Size
1.8MB
-
Sample
241221-ryt32a1mhx
-
MD5
484933f81970182e04f190efe2527da1
-
SHA1
72f0810a0ab7f1398ba9f0b0916ee97115e79cc4
-
SHA256
3968a850f5bc70d954bb5609d929f181a6f05a117fa3be4531cbd96cedfde5d6
-
SHA512
d9d5d96e13201de976d23783e077bb1f95af3946a44bd1347d637893e471eefed5d9b0de4a7d84d8d2040decf8cea4e3de83555b2424e58ebbc1c7eb4881e37a
-
SSDEEP
49152:bor7D7eZFTWD/gjKZ4FhydMzOoSGSW7TeXY:UfeZFT48HSCilTWB
Behavioral task
behavioral1
Sample
329D6F9DDBF138D4/locker_ESXI_I386
Resource
ubuntu2204-amd64-20240611-en
Behavioral task
behavioral2
Sample
329D6F9DDBF138D4/locker_ESXI_X64
Resource
ubuntu2404-amd64-20240729-en
Behavioral task
behavioral3
Sample
LBB.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
LBB.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
LBB_PS1.ps1
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
LBB_PS1.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
LBB_PS1_obfuscated.ps1
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
LBB_PS1_obfuscated.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
LBB_PS1_pass.ps1
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
LBB_PS1_pass.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
LBB_ReflectiveDll_DllMain.dll
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
LBB_ReflectiveDll_DllMain.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
LBB_Rundll32.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
LBB_Rundll32.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
LBB_Rundll32_pass.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
LBB_Rundll32_pass.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
LBB_pass.exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
LBB_pass.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
FC8E43EC21BE9047/lbg32.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
FC8E43EC21BE9047/lbg32.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
FC8E43EC21BE9047/lbg64.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
FC8E43EC21BE9047/lbg64.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
329D6F9DDBF138D4/locker_ESXI_I386
-
Size
108KB
-
MD5
a720e32658193a7f76be72363fbc919d
-
SHA1
9b319e460a7000efd92e91a6f1072c4ee211dcda
-
SHA256
ab8c2aca725df02bfdbfa0f493575e0dacd4467b2d0cd90c9a6acb66cb14d590
-
SHA512
5f98f776e82c335f3a16deed12d654e7edb42236511c6eb0484fa0957ee7aa839ac85974864183e0be53333a558856ef39a1181839490b9f111a192dc71c2ff7
-
SSDEEP
3072:5twJNAs5z2NS/P8BRlzWy5BGOiXj0hvYlx1DtqR5YeC:LwJpagWI9OiXQYlx1DtqAe
Score1/10 -
-
-
Target
329D6F9DDBF138D4/locker_ESXI_X64
-
Size
93KB
-
MD5
b76b092f5188ccc8a046ffb4659c3641
-
SHA1
82e19d8b7bc5379528feb9c3a335d70d79358229
-
SHA256
dd1cf10faf4e638bb5a0efeeaa4bc2f1c91557c22e93d3f135e7e7c7f0e7be55
-
SHA512
bf06f2d65f7eca482066da6b1cace219cba2e2ebae0034de3e3bae429a2e821ea2d35a41534d6d9d159ae992ef0b5c5a268a48a05ae1fbb0da69a2122631653f
-
SSDEEP
1536:Jv8RiloA2YObuLk8WKP/gCILnPG+atNoU+tqRAJy+p4G:1Zl/2Ym8LZOnPG+iNoDtqRaya
-
Traces remote process
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads hardware information
Accesses system info like serial numbers, manufacturer names etc.
-
Reads network interface configuration
Fetches information about one or more active network interfaces.
-
-
-
Target
LBB.exe
-
Size
160KB
-
MD5
d1986caa455ffa11b46341e837777e52
-
SHA1
c045c2be676ebba04d7403f3636c7adb685a4011
-
SHA256
e2bda5afc3e70460223a98cd3520e4ab97fd126a48b9fe7d385e1e9730a11407
-
SHA512
ea87e4f31a45a4e54c56dc120ce26c369a02af952d0c20411677c4cba4eb442a43b776d094150458a0b72dc65b53ca29fc300739cc56f81c6f7fee5e15043359
-
SSDEEP
3072:gDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368Pu7YlTx6gIB8FrN75DyW:K5d/zugZqll3AYrG+
Score9/10-
Renames multiple (194) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
LBB_PS1.ps1
-
Size
466KB
-
MD5
17a7cd1ead2d35ed5d69c71d4fd7386d
-
SHA1
734400d4444b88fe3848c80e3dba2ad9a5155c56
-
SHA256
20dd91f589ea77b84c8ed0f67bce837d1f4d7688e56754e709d467db0bea03c9
-
SHA512
7d5cd9b042229d1076a587b75594a002d379396d6ec889a8aee457a6a5a399130ae0a43fe0863adae23e32e46a7d17d4b55bfc2564cb17e579751161f6778828
-
SSDEEP
1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJI:VA
Score9/10-
Renames multiple (172) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
LBB_PS1_obfuscated.ps1
-
Size
274B
-
MD5
a8e97fe5a7115e42759d67f7e4d88b0d
-
SHA1
7a4dce9165f34ca44e79b06f3a07281f6cf08823
-
SHA256
d9e7a01521d956c5ef3e07153209be63da738eee98902050c06424292d7b1387
-
SHA512
77126af7f207d4ab854e3293936c73591289ca97211823513941bdae60b9da48fc3b829e2819ef1230f86cb8761eab37f6dca61281b2dfc7209ce471af68422b
Score3/10 -
-
-
Target
LBB_PS1_pass.ps1
-
Size
590KB
-
MD5
d96d2bcf13d55740f3bb64d45d2db94d
-
SHA1
4ded4b1d4866a4adf534f5a4eb66386465fe3120
-
SHA256
82d89a75d80e80e4be42c9eb79e401558c9fa3175648cd0c0467f2de1a07a908
-
SHA512
cb1fbe8f36630915796d864c5a044177ea4ad881281ec454f932232fff99ce0524fb63becd96581a23cfe12bc455d55b613aaa389aa0a68fac97748400f473bd
-
SSDEEP
1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJh:QA
Score10/10-
Lockbit family
-
Rule to detect Lockbit 3.0 ransomware Windows payload
-
-
-
Target
LBB_ReflectiveDll_DllMain.dll
-
Size
113KB
-
MD5
ab5bdca69285d4838af12117c910bfde
-
SHA1
208060cf988f1702124504bae0c6a4addbeb6db3
-
SHA256
5594fea724aa3a124b259e81999f20affecb2238f7e517c56c450a3a311ab2bd
-
SHA512
33c8cb31dd142defcf52ddadaa540d86d8fdd586ad3f0f280d90c66279cf09229edde08efb9daac81383f65ba171b86344c4e5c6343b02270bfa92201e08f547
-
SSDEEP
3072:+/fNzovq5EKHttru48dBVFktgraAyHXU:+/Gvq5EKH6zdrFPraA
Score9/10-
Renames multiple (200) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
LBB_Rundll32.dll
-
Size
158KB
-
MD5
0682f7cfceb51d4a6a213b9fe4159ad2
-
SHA1
777833fdaf0c1e5d03dde300dba3947a9b65c656
-
SHA256
00aa54bfab3963a2c006058e48cde42e299811f9b85acbc69406c5bfb331f789
-
SHA512
72d79387ca0d9579d7a7bb7c6c729048bd1321fd07653cb7cbc9bedcc217fd18414b02b46f83843b3f90d0841fc61f24f0ef19700326d8a8aaf6366a00bc5113
-
SSDEEP
3072:thKVNA/3U+Z15B5RPu+zYNkQA1Izqa26odDWtiSCC8lvdLW:thoyUyX5RPu+zY6+Wa26iDWsSCC8lvI
Score3/10 -
-
-
Target
LBB_Rundll32_pass.dll
-
Size
154KB
-
MD5
b51e42d419218e70b0ae216c3ac57784
-
SHA1
f3023c627d1dce8d5ff4e6733af420df350fdda7
-
SHA256
a98fb2671ae63d179c1cf39d163a4b3dbf769c9951a0ebad5d4c76244752253e
-
SHA512
96fa388526984f3976ddb5f5376af88200e3d85bc41754556f9b00be32c81332d52aeb5b1e0387ce83be220f34199a88379aa9c90f679eb17ac10f9cf8714f37
-
SSDEEP
3072:sUM/b6nriEhhyj26gWNOm18JcdwgqYUkSvVDjogUliww56T9tEtc:sUsmr7yX3Um18JcdwgqYUkCRjorqGTP
Score10/10-
Lockbit family
-
Rule to detect Lockbit 3.0 ransomware Windows payload
-
-
-
Target
LBB_pass.exe
-
Size
156KB
-
MD5
0e38243dcb91851f0646140a16d6832d
-
SHA1
d5a11399206c54ef1bd11945a5f6a0d721c4a6c9
-
SHA256
635e9ca3baae7e32225f05d16159e339a297a4c1b749e5a8e81ffc8df3c5c37c
-
SHA512
8198cf16b815c697e94b8b19b7555191189d6eba2e0bc2b5690277244dcf7da74907d95d8a10bb9bf43a23ae94e5fb57d062c00f947fe8558c9ef633bb066b0e
-
SSDEEP
3072:iMvRBMY5u+t3YSs1C439/FgfDcTDnHNszfp0QoHkIgep3i8Skb4wE4Ab:ikBS+5YSsdLTH6zfQEupRUb
Score10/10-
Lockbit family
-
Rule to detect Lockbit 3.0 ransomware Windows payload
-
-
-
Target
FC8E43EC21BE9047/lbg32.exe
-
Size
60KB
-
MD5
c5cc3c5cef6b382568a54f579b2965ff
-
SHA1
e85b5bf2fd1ea0d5d71841f2cc8d46fc2055c22b
-
SHA256
48e2033a286775c3419bea8702a717de0b2aaf1e737ef0e6b3bf31ef6ae00eb5
-
SHA512
74d93ba3dc7b3fdfafe30663162dad3fee0b278d12fea527eb535b4eb25979dcc365b49cb702ac9c2addbb0ee550310759e88c2657b61a2b0e4906d4099281eb
-
SSDEEP
1536:SAndsqiqdYMRgIaN04k27Gtdf/3U9s1iGbQTqL9:Fds3vIaN04kKGhjmq
Score7/10-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Deletes itself
-
Drops startup file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
FC8E43EC21BE9047/lbg64.exe
-
Size
49KB
-
MD5
8ff61e4156c10b085e0c2233f24e8501
-
SHA1
69d50a8efd73c619aa36113ec04368db83d9b331
-
SHA256
3552dda80bd6875c1ed1273ca7562c9ace3de2f757266dae70f60bf204089a4a
-
SHA512
dbde74b89d498d708215ddfdc9a2a38cb27be931c9fe2d5965aba3c31482a0efbe39913ed17eabe5eae3b5efc9cb369589784e7d9ce5b2e89505c10406038249
-
SSDEEP
768:9pZt6fz03gUYxTSGCoTrxTjA+xqCkEiAOPZAzEZoo6Czcit6OjeB6:jpQRNSGCo64OxAgZUCcicvB6
Score7/10-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Deletes itself
-
Drops startup file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Indicator Removal
1File Deletion
1Modify Registry
1Virtualization/Sandbox Evasion
1System Checks
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
2System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1System Network Connections Discovery
1Virtualization/Sandbox Evasion
1System Checks
1