MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed37bb51af01647fde0a5b04a401fd278eba50cf2d5d0678f86227d27aecbc62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LockBit

Vendor detections: 8



SHA256 hash: ed37bb51af01647fde0a5b04a401fd278eba50cf2d5d0678f86227d27aecbc62
SHA3-384 hash: 7ff48d73df803077c70e7fda598428a8333a8ef3ed8bbc7da74beb6abce4c267bc3f1e19615c5de4fefb6acb5edb6ade
SHA1 hash: 7d10bf42d901224bce67249b590c0dfc4f350653
MD5 hash: e806d1194873fcfa4e31726710b75405
humanhash: maryland-white-orange-coffee
File name: l.exe
Signature: LockBit
File size: 154'624 bytes
First seen: 2020-11-29 05:30:18 UTC
Last seen: 2023-03-06 19:55:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: dccb8a01baae610555b6c2865db232bb (1 x LockBit)
ssdeep: 3072:655tEdAOKlggqO3G0jPonfYnoFMIkcXo0fSUa:/W26QfweMILXoXU
Threatray: 634 similar samples on MalwareBazaar
TLSH: 23E30217D3582D04E0653E7D36AA9BFA7122FDD3AC1963C8678ABE13DDB1A800651F07
Reporter: vm001cn
Tags: lockbit

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 2'042
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Changing a file
Running batch commands
Creating a process with a hidden window
Creating a file
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Modifying an executable file
Connection attempt
Creating a window
Launching a service
Launching a process
Creating a file in the Windows subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Deleting volume shadow copies
Preventing system recovery
Forced shutdown of a browser
Encrypting user's files
Result
Threat name: LockBit ransomware
Detection: malicious
Classification: rans.spre.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Found Tor onion address
Hides threads from debuggers
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
Sigma detected: WannaCry Ransomware
Spreads via windows shares (copies files to share folders)
Uses bcdedit to modify the Windows boot settings
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Writes to foreign memory regions
Yara detected LockBit ransomware
Yara detected Ransomware_Generic
Behaviour
Behavior Graph: Behavior Graph ID 324320, sample l.exe, start date 29/11/2020, architecture WINDOWS, score 100. The graph image is not reproduced here; the information recoverable from it is as follows.
Top-level signatures: Multi AV Scanner detection for domain / URL; Sigma detected: WannaCry Ransomware; Multi AV Scanner detection for submitted file; 9 other signatures.
Process tree: three instances of l.exe and 3 other processes are started; l.exe starts cmd.exe and conhost.exe; cmd.exe starts WMIC.exe, wbadmin.exe, vssadmin.exe, conhost.exe and 3 other processes.
Network: 192.168.2.100, 192.168.2.101 and 98 other IPs or domains.
Dropped files: C:\Users\user\...\spartan.edb (data), C:\Users\user\...\edb00002.log (data), C:\Users\user\...\edb00001.log (data) and 169 other files (168 malicious).
Signatures attached to l.exe: Deletes shadow drive data (may be related to ransomware); Writes a notice file (html or txt) to demand a ransom; Spreads via windows shares (copies files to share folders); Uses bcdedit to modify the Windows boot settings; Writes to foreign memory regions; Allocates memory in foreign processes; Connects to many different private IPs via SMB (likely to spread or exploit); Connects to many different private IPs (likely to spread or exploit); Creates files inside the volume driver (system volume information); 3 other signatures.
Signatures attached to cmd.exe: May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware); Uses bcdedit to modify the Windows boot settings; Writes to foreign memory regions; Deletes the backup plan of Windows.
Threat name: Win32.Trojan.MintDreidel
Status: Malicious
First seen: 2020-11-27 20:40:25 UTC
AV detection: 25 of 28 (89.29%)
Threat level: 5/5
Result
Malware family: lockbit
Score: 10/10
Tags: family:lockbit evasion persistence ransomware upx
Behaviour
Interacts with shadow copies
Modifies Control Panel
Modifies Internet Explorer settings
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies registry class
Drops file in Program Files directory
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Deletes itself
Deletes backup catalog
Modifies extensions of user files
Deletes shadow copies
Modifies boot configuration data using bcdedit
Lockbit
Unpacked files
SHA256 hash: f167fc4f5c4def9ec6e46cea3a8837492da1b9a381f97f0b19bd494b1c2a46a0
MD5 hash: f420a208e6ae0ea850d7d244438bfcb8
SHA1 hash: 8096d84a923d9506526d4adee6eb9d5086e8fc8a
SHA256 hash: 4f5b92850d62efd8de95da349e75f2cd52d3fb403fa473f94282596c703a3c3c
MD5 hash: 1b9dd13a67faccaf55883a37a0202855
SHA1 hash: 8c004f749b58d518f2c1fccd3fef81c43200e804
SHA256 hash: ed37bb51af01647fde0a5b04a401fd278eba50cf2d5d0678f86227d27aecbc62
MD5 hash: e806d1194873fcfa4e31726710b75405
SHA1 hash: 7d10bf42d901224bce67249b590c0dfc4f350653
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: crime_win32_ransom_lockbit_1
Author: @VK_Intel
Description: Detects LockBit ransomware
Reference: twitter
Rule name: Lockbit
Author: kevoreilly
Description: Lockbit Payload
Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments