Overview

overview

10

Static

static

10

LB3.exe

windows7-x64

10

LB3.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    LB3.exe

  • Size

    147KB

  • Sample

    250106-p3284awrhy

  • MD5

    0b6da3700a1bf266d6d2bbf27fd23165

  • SHA1

    f64c2ebf3892e2d498f23b9a7886f67ebbbb2f28

  • SHA256

    4f1c9befcc873120533559c6915aaafd34497eba94d840db4ed28ceba2ebcd49

  • SHA512

    d39d6c9fa03ea2ed2c5aebf9f8811c1b3f3fca2092a8e25d980e8c0ab624d864d841bca9673c7fa843b44204d4f7fbcf1fcfe4fe3678e66a854ddfbf67240cce

  • SSDEEP

    3072:t6glyuxE4GsUPnliByocWep4dd1fL5B594:t6gDBGpvEByocWeAfFn9

Score
10/10
lockbitdefense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\MWlosDcWa.README.txt

Ransom Note
~~~ RdpLocker Recode the world's fastest ransomware~~~ >>>> Your data are stolen and encrypted >>>> Info Our encryption is undetectable and we can encrypt terabytes of data in minutes. A unique public and private key is generated exclusively for you. No one else can decrypt the files we have encrypted. Our services are cheap and reliable. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can contact us using Tox messenger without registration and SMS to negotiate the price. https://tox.chat/download.html Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. RdpLocker Tox ID: CE93C52BFAFA16570B9821C7D0EE7999C78475AD964ACEEF80767B653210D27E3CE6C88F61A5
URLs

https://tox.chat/download.html

Targets

    • Target

      LB3.exe

    • Size

      147KB

    • MD5

      0b6da3700a1bf266d6d2bbf27fd23165

    • SHA1

      f64c2ebf3892e2d498f23b9a7886f67ebbbb2f28

    • SHA256

      4f1c9befcc873120533559c6915aaafd34497eba94d840db4ed28ceba2ebcd49

    • SHA512

      d39d6c9fa03ea2ed2c5aebf9f8811c1b3f3fca2092a8e25d980e8c0ab624d864d841bca9673c7fa843b44204d4f7fbcf1fcfe4fe3678e66a854ddfbf67240cce

    • SSDEEP

      3072:t6glyuxE4GsUPnliByocWep4dd1fL5B594:t6gDBGpvEByocWeAfFn9

    Score
    10/10
    defense_evasiondiscoveryransomwarespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks