MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LockBit

Vendor detections: 8


SHA256 hash: 43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4
SHA3-384 hash: 0e759816a810878e5d041d44c65207d62a0493ebd2d89d1b781fa881049592bcee1241ffb0dad6205e5f53c4d74050bb
SHA1 hash: efb367a61cb29e63a7269765c6071005a643a55d
MD5 hash: 7f0312a1f928c3aeab672ca8d5afc6a9
humanhash: one-friend-cold-avocado
File name: l1.exe
Signature: LockBit
File size: 178'176 bytes
First seen: 2020-11-29 05:30:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b1e8ad6c0cbbde189993b1a80fe92a77 (1 x LockBit)
ssdeep: 3072:+yvWCxfzdNRvpEAdS3rDkALwlYu8+IFMyXJVlRGa5JJ5SU:NvWCxfz0gS7oczu8+IdXJVvbSU
Threatray: 609 similar samples on MalwareBazaar
TLSH: BB04CF2179A0C032D0973C3908E5C7A66B7AFC729B7596CB77842B2D9F712D0563AB07
Reporter: vm001cn
Tags: lockbit

Intelligence

File Origin
Uploads: 1
Downloads: 2'248
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Changing a file
Creating a file
Creating a file in the Program Files subdirectories
Modifying an executable file
Moving a file to the Program Files subdirectory
Running batch commands
Creating a process with a hidden window
Connection attempt
Launching a service
Launching a process
Creating a file in the Windows subdirectories
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Deleting volume shadow copies
Preventing system recovery
Forced shutdown of a browser
Encrypting user's files
Result
Threat name: LockBit ransomware
Detection: malicious
Classification: rans.spre.expl.evad
Score: 100 / 100
Signature
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Contains functionality to hide a thread from the debugger
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found Tor onion address
Hides threads from debuggers
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
Sigma detected: WannaCry Ransomware
Spreads via windows shares (copies files to share folders)
Uses bcdedit to modify the Windows boot settings
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected LockBit ransomware
Yara detected Ransomware_Generic
Behaviour
Behavior Graph (ID 324319; sample: l1.exe; start date: 29/11/2020; architecture: WINDOWS; score: 100). The rendered graph is not reproduced here; the information recoverable from it:
- Top-level signatures: Multi AV Scanner detection for domain / URL; Sigma detected: WannaCry Ransomware; Multi AV Scanner detection for submitted file; 9 other signatures.
- Process tree: three l1.exe instances and 3 other processes started. The first l1.exe started cmd.exe and conhost.exe; that cmd.exe started two bcdedit.exe instances, WMIC.exe and 3 other processes. The second l1.exe started cmd.exe and conhost.exe; that cmd.exe started conhost.exe, vssadmin.exe, WMIC.exe and 3 other processes. The third l1.exe started conhost.exe.
- Network: the first l1.exe contacted 192.168.2.100, 192.168.2.101 and 98 other IPs or domains.
- Dropped files: several C:\Users\user\...\Restore-My-Files.txt (ASCII) and 128 other malicious files.
- Per-process signatures: unpacking detected (changes PE section rights, overwrites its own PE header), deletes shadow drive data, spreads via Windows shares, uses bcdedit to modify boot settings, hides threads from debuggers, connects to many private IPs via SMB, creates files inside the volume driver, may disable shadow drive data (uses vssadmin), deletes the Windows backup plan.
Threat name: Win32.Trojan.MintDreidel
Status: Malicious
First seen: 2020-11-27 21:08:05 UTC
AV detection: 26 of 28 (92.86%)
Threat level: 5/5

Result
Malware family: lockbit
Score: 10/10
Tags: family:lockbit evasion persistence ransomware
Behaviour
Interacts with shadow copies
Modifies Control Panel
Modifies Internet Explorer settings
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies registry class
Drops file in Program Files directory
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Deletes itself
Deletes backup catalog
Modifies extensions of user files
Deletes shadow copies
Modifies boot configuration data using bcdedit
Lockbit
Unpacked files
SHA256 hash: f167fc4f5c4def9ec6e46cea3a8837492da1b9a381f97f0b19bd494b1c2a46a0
MD5 hash: f420a208e6ae0ea850d7d244438bfcb8
SHA1 hash: 8096d84a923d9506526d4adee6eb9d5086e8fc8a

SHA256 hash: 43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4
MD5 hash: 7f0312a1f928c3aeab672ca8d5afc6a9
SHA1 hash: efb367a61cb29e63a7269765c6071005a643a55d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: crime_win32_ransom_lockbit_1
Author: @VK_Intel
Description: Detects LockBit ransomware
Reference: twitter

Rule name: Lockbit
Author: kevoreilly
Description: Lockbit Payload

Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments