General

  • Target

    lockbit3.0-main.zip

  • Size

    885KB

  • Sample

    250604-ss8jxabr5v

  • MD5

    1927b9a07035a0812fc9d9513693ced4

  • SHA1

    b5298ab12674ddb9410c10f47e8812911f1e7257

  • SHA256

    58d02c2899d736d066dbe72a2c773f005b8d78858f10772cb55e7f47d2d01916

  • SHA512

    f3ff3deb315fb3f14c71c966b1b8ab3bc836d2958b424ea214194481dfb91c98577b35deb5baffa0cc05a1e262a7a3d1924d3215da6da6823b271ecba399eab5

  • SSDEEP

    12288:mQui73xggZO3j4Km7r8JfJ7yd0TwAWUIiD/DdWojsHgBuwEGZpJRTq8tlV+8qKh6:Si7BZSosJU0MxWD/Dd3IHgEw5ZNlZc

Malware Config

Extracted

Family

blackmatter

Version

25.239

Extracted

Path

C:\ZImkTWSLZ.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~

>>>> Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom

Links for Tor Browser:
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

Links for the normal browser
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important.
We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live

>>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID
Download and install TOR Browser https://www.torproject.org/
Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies.

Links for Tor Browser:
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion

Link for the normal browser
http://lockbitsupp.uz

If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox.
Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7
XMPP (Jabber) Support: [email protected] [email protected]

>>>> Your personal DECRYPTION ID: 21EFEFD3564BFFCF082FDAE3B7B6255A

>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!

>>>> Advertisement
Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak.
You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox.
Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7
XMPP (Jabber) Support: [email protected] [email protected]
If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser

Links for Tor Browser:
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

Links for the normal browser
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Targets

    • Target

      lockbit3.0-main.zip

    • Size

      885KB

    • MD5

      1927b9a07035a0812fc9d9513693ced4

    • SHA1

      b5298ab12674ddb9410c10f47e8812911f1e7257

    • SHA256

      58d02c2899d736d066dbe72a2c773f005b8d78858f10772cb55e7f47d2d01916

    • SHA512

      f3ff3deb315fb3f14c71c966b1b8ab3bc836d2958b424ea214194481dfb91c98577b35deb5baffa0cc05a1e262a7a3d1924d3215da6da6823b271ecba399eab5

    • SSDEEP

      12288:mQui73xggZO3j4Km7r8JfJ7yd0TwAWUIiD/DdWojsHgBuwEGZpJRTq8tlV+8qKh6:Si7BZSosJU0MxWD/Dd3IHgEw5ZNlZc

    • Score

      1/10

    • Target

      lockbit3.0-main/lockbit3.0-main/LockBit30/Build.bat

    • Size

      733B

    • MD5

      1905cc9973206fea5050b737f9303fb4

    • SHA1

      497524177d9478a4b5dca3e73cc230be6abf4ce0

    • SHA256

      e2f5b93040d57de6251d16256bcd04aa8eb337bde87308e602f01070efd345fb

    • SHA512

      95bae9406d01083f6fe6916ecf8e889afe20ff5863070f1787dc7a60d2d1d5af2cf3fd481a3c4fb531f16dd2cb7a685002aaac1dc907cf189c19c60f2816dd76

    • Score

      3/10

    • Target

      lockbit3.0-main/lockbit3.0-main/LockBit30/Build/DECRYPTION_ID.txt

    • Size

      16B

    • MD5

      b1cd07d8c346e344042066aee57ea45b

    • SHA1

      1dd2a84bcf04a59c7d643c0852661e09a983630a

    • SHA256

      47a9e1ce014c3ddeb3c19bbdfbe3671a5944f71313710ba2796e2ac058544322

    • SHA512

      10fdb9478115a137535db230779adb7a1c80a9f78aa8934b1e23a71210a24e986a800371d0b9e1f693d095dc8b646ea77a67d144e172b362d8b27d406c3d0e37

    • Score

      1/10

    • Target

      lockbit3.0-main/lockbit3.0-main/LockBit30/Build/LB3.exe

    • Size

      153KB

    • MD5

      c73eac0c837c3c5caca3a885f46c17d9

    • SHA1

      a0ca9511b40c9c2451986ce179016ec4014e9adb

    • SHA256

      e609bf8406b61613f3e605d277cf445059974a4c71c3edd09fffae86a3c5dbfe

    • SHA512

      157c92e561cd18876ab60faf8a3d8e62633e7750accb965e86f3202b0d5ff902d3ae51fb41592d9be22672e67a713291e469a09be57e6f77dd6343090324792a

    • SSDEEP

      3072:xqJogYkcSNm9V7D2YRLCm8ZdqVAxrMismEm8T:xq2kc4m9tDlhLqb

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Renames multiple (640) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      lockbit3.0-main/lockbit3.0-main/LockBit30/Build/LB3Decryptor.exe

    • Size

      54KB

    • MD5

      d1c15784587717fe03448d0c4dc8dd5b

    • SHA1

      f36ac101949a4fa8f604d561957fb9d3e1f73699

    • SHA256

      4973313c1c003a27190fba0a43dda1be78891552c9fabaa0c65e0051965ceee7

    • SHA512

      ef81b11962fb56a583c43ecdf0f8c66ef17850e85e56794b6c4ca328751609e4fe1fb1494e0e7315ff396510c467e440b74b62c105ce226f2fda49379d551a81

    • SSDEEP

      768:llD2N5KCJD5rkdDRib1Xf0854bhC3E9zpKMMYj1MYgFMRx:nAkCJD5rKDRib1F54NLp2Yj1M7MD

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      lockbit3.0-main/lockbit3.0-main/LockBit30/Build/LB3_ReflectiveDll_DllMain.dll

    • Size

      106KB

    • MD5

      2ecc319574b76994e76c4f971c820362

    • SHA1

      8f3d04cab7c6be2220860ec391d75ba2f8f17b33

    • SHA256

      123797c18b044fb5aeba5dcccaf9ef1df0b7553413e9433876f1f94b8cd0584f

    • SHA512

      39c63668d424ff9efa625a82312edf5a30f7ca3edd896bd6ef1857ced02e5462cf191af54b6e55388b844fa5e50f77e3a6ce5b5983f61eb57a45c4b2fbb3567e

    • SSDEEP

      1536:LzICS4A30TY1kUS/U2ztdS1I6DdL9Ta16CX4VtgYfC3zHZbhuMGCS:0J0TYyUS/U2RgGWL9+joVtHfilfd

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      lockbit3.0-main/lockbit3.0-main/LockBit30/Build/LB3_Rundll32.dll

    • Size

      152KB

    • MD5

      a451f94bf71b55142e64d65dda361e3d

    • SHA1

      79dbdba2019c0bb2859cf2886ad4ceaadf769311

    • SHA256

      42a708a61e3bb54ac63748ac47bb96ded6e32bbe927a87c8e57094110293c325

    • SHA512

      a5336d7a3345a562214f8081459937f4c9c17882aa614fa514eea6ec7e3afd416e943560a92ecfe88ecc281729c9e6eefe2300d087b1ee510aaef0d3ac343803

    • SSDEEP

      3072:LrPn1hcH98P67PBH2G3gFoh3H6J1vVjgQp3RpM1dpbQrQymzUOMgInmwuzEvigpx:LrP1hG98P67PNV3gih3H6J1VjgQp3Rpb

    • Score

      3/10

    • Target

      lockbit3.0-main/lockbit3.0-main/LockBit30/Build/LB3_Rundll32_pass.dll

    • Size

      148KB

    • MD5

      1cf36fecacae95acaed46247090fd4b6

    • SHA1

      4dcf048521b7c8fcba54d20f06be6ea60131bce1

    • SHA256

      6eb4d985a52554d37c0efec1457258e4dfd4619ff0396c66e2f9a02d8381ce57

    • SHA512

      7b6c660245ed236a12e4c7e36e30283b5d2736de2d419da60d4ab584016de24dd40f7c4d407c5a4cee3c1995d136a775f72ed2ca16c911d75a2c9c2f4b57a99c

    • SSDEEP

      3072:TTmYfHnIUoQ3+Cv9y5esf+Ieva3YVxz8jZGhjhjGI:TBvn3+WnSev7VujMzf

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Target

      lockbit3.0-main/lockbit3.0-main/LockBit30/Build/LB3_pass.exe

    • Size

      149KB

    • MD5

      4f6c3752e20422203d1bd00acb082ba5

    • SHA1

      2d648879014bf464bf3ed640642c9f7665115ad4

    • SHA256

      500eeeb1927f1fb9304a2167d6ea7e318d242da0c68e03f3ec60d704acfa0add

    • SHA512

      310c78b0057ec044ce14eb4242729f958f4de2d3cb8cc8f8052d8b6ead5ff692a870ec027204dffb3fe3951e6c8bc5b59d6a21046c66643e7d14ac3a88c31271

    • SSDEEP

      3072:lX6v7dL14It1Zvcb4n8uqlWpwkC/Va7U6JDN9ZiIyOmYNeZaVi:lIR1NPZO4n8VlWpKp6DliIyO/En

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lockbit family

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Target

      lockbit3.0-main/lockbit3.0-main/LockBit30/Build/Password_dll.txt

    • Size

      1KB

    • MD5

      cd73e5da7534c1cc75358e77bced80ba

    • SHA1

      684301a030de00bf594f32dbc58e6caed663ecd5

    • SHA256

      dd27eb7a55e7ef44d9d2e0cb92108637c8248d58532c22d59e8057e7da111580

    • SHA512

      fb747890e36a0e9144bb23917118d6b14cd5ea20434d3f241ceb1de8a21c92539d9cac07bac8d17ae69bae754f941f9326203c06e95d86d7cf20a542af0f060e

    • Score

      1/10

    • Target

      lockbit3.0-main/lockbit3.0-main/LockBit30/Build/Password_exe.txt

    • Size

      2KB

    • MD5

      68c7c951ecfca7322e1ecb486f42883e

    • SHA1

      882b636e399f6566b98a20923ad8cfc166bab2c1

    • SHA256

      706453b2bafdb0f723b55100d5034621f8a3b61822aad5a7bf875b6113017c74

    • SHA512

      3135ccc918dbd9ea08432d2b92bf272716b039d3ca9b4b94a32e4774f41cdb148e347fbc89f3d1285a2fe7389585e13790fd226d9adf9eadc69ceeac931cdd65

    • Score

      1/10

    • Target

      lockbit3.0-main/lockbit3.0-main/LockBit30/Build/priv.key

    • Size

      344B

    • MD5

      95dc3cc7a5702f8c2b7504f14a8d465f

    • SHA1

      9a48c88b07ab58cb624bb0f9bc916865f0020f1d

    • SHA256

      f89e7aafae18b96cbf6549ef855d2b8c0e48e694bdce8580f4b45781bd2d5f39

    • SHA512

      e85cb3af3c68cbe65256571aefc481228d3f558723911b35fc63bb4f9f0946f0c179b3df4f0e908d81324d2a7ebbc2b6aaf20bbad9383093b7f8d0db8be8b5c6

    • Score

      3/10

    • Target

      lockbit3.0-main/lockbit3.0-main/LockBit30/Build/pub.key

    • Size

      344B

    • MD5

      ba85a0b00c8a2cfeba6d94816855dad7

    • SHA1

      0afdfad7a392faf24c070888104acbfb4643e3a6

    • SHA256

      91ec37166dd39d7d443a47365a3d83b330aeff5ba0cfefc6c5b64abf793dc16f

    • SHA512

      6c3a3404d3dc1dcb321d61cdc8bb0c55adfb3641ec32c9744ded3841b73fe01e29cdb5df6023717cb9af5d793883ae3eb309b893ca3340141f2c359be227df81

    • Score

      3/10

    • Target

      lockbit3.0-main/lockbit3.0-main/LockBit30/builder.exe

    • Size

      469KB

    • MD5

      c2bc344f6dde0573ea9acdfb6698bf4c

    • SHA1

      d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

    • SHA256

      a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

    • SHA512

      d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

    • SSDEEP

      12288:CzVXpdg/1MB94JD7RfaVT1hG98P67PNV3giFH6J1VjR3L6dpbQrQyEpInmwuRUfB:CzxjgdRpBq1hG98P67PNV3giFH6J1Vjn

    • Score

      3/10

    • Target

      lockbit3.0-main/lockbit3.0-main/LockBit30/config.json

    • Size

      8KB

    • MD5

      72c54c48912dc21aca3d9b8e90b571ba

    • SHA1

      0fa98b807a14372826c712e3e8134edb70f0b985

    • SHA256

      c3b96515e828071d9bea5ce96e920c8c6a0ec80814dd969c4769afdb0f6012c4

    • SHA512

      e9e23fb55253172e01c7712c3766b70021af074d954eaf3409d729bf809d427651d6a44c4977e4554a2475b50e66f3b491b5baba33e4720b608f19c19bb17301

    • SSDEEP

      192:sm26pOWU6ig4HJmLDHqlexR4qjIuoIyig4H8mLDHU:sba5U6ApmZrIoyAcm0

    • Score

      3/10

    • Target

      lockbit3.0-main/lockbit3.0-main/LockBit30/keygen.exe

    • Size

      31KB

    • MD5

      71c3b2f765b04d0b7ea0328f6ce0c4e2

    • SHA1

      bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

    • SHA256

      ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

    • SHA512

      1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

    • SSDEEP

      768:A6+T41GjHbdWCWDwDD01riWpJxKpAQJs/3JGIDLQ5:b+U+hHIBpJxixgQ

    • Score

      3/10

MITRE ATT&CK Enterprise v16

Tasks