MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LockBit

Vendor detections: 16

Intelligence 16 IOCs YARA 11 File information Comments

SHA256 hash:	f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae
SHA3-384 hash:	98f047718f1e20d443fb3e5f4d3a945a314d60777fd3d1131159bf5b126da2072c44b1106a44dd58d7a5c46d612f578f
SHA1 hash:	844e9b219aaecb26de4994a259f822500fb75ae1
MD5 hash:	af9ff037caca1f316e7d05db86dbd882
humanhash:	may-july-carolina-beer
File name:	VirusShare_af9ff037caca1f316e7d05db86dbd882
Download:	download sample
Signature	LockBit Create hunting rule
File size:	883'200 bytes
First seen:	2023-03-27 03:25:55 UTC
Last seen:	2023-03-27 03:26:01 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:DxAf2NuubB6RWspgjuwu7pl4Ha+UmxJH+Q1F:dAfSrWW4g+7Ht+UmxJeW
Threatray	80 similar samples on MalwareBazaar
TLSH	T16F155D1997028F56CC13207691FD9DB3A8760730937F0CE66BC466DC82E2FE9636A356
TrID	34.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 23.4% (.EXE) Win32 Executable (generic) (4505/5/1) 10.7% (.ICL) Windows Icons Library (generic) (2059/9) 10.5% (.EXE) OS/2 Executable (generic) (2029/13) 10.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	petikvx
Tags:	lockbit

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

LockBIT_F4B0B5EF9DC08D87.exe

Verdict:

Malicious activity

Analysis date:

2021-08-04 12:05:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e974f8e1-e4b9-4616-9399-ff4133f891ae

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Lockbit

Link:

https://www.capesandbox.com/analysis/377686/

Detection(s):

Win.Ransomware.Lockbit-9886605-0

Win.Ransomware.LockBit-9888870-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Adding an access-denied ACE

Creating a window

Сreating synchronization primitives

Creating a file in the Windows subdirectories

Changing a file

Creating a file

Creating a file in the Program Files subdirectories

Moving a recently created file

Moving a file to the Program Files subdirectory

Searching for synchronization primitives

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Creating a file in the mass storage device

Encrypting user's files

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/75097/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

exploit explorer.exe filecoder lockbit packed razy shell32.dll threat virus

Link:

https://www.filescan.io/uploads/64210cca1770808abe9b6fe7/reports/9af36105-3978-49bb-bd3c-8367c7f53e3b/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

LockBit Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2bae0617-4aa1-44a3-a3f8-22d9d382e34d

Result

Threat name:

LockBit ransomware

Detection:

malicious

Classification:

rans.spre.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1202374

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Connects to many different private IPs (likely to spread or exploit)

Contains functionality to hide a thread from the debugger

Creates autostart registry keys with suspicious names

Found ransom note / readme

Found Tor onion address

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Spreads via windows shares (copies files to share folders)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes a notice file (html or txt) to demand a ransom

Yara detected LockBit ransomware

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae/

Threat name:

Win32.Ransomware.LockBit

Status:

Malicious

First seen:

2021-07-19 16:10:04 UTC

File Type:

PE (Exe)

AV detection:

34 of 37 (91.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6pujdivdtxmurtmf4hedgwud4zanbgd5xvemcyabuaxww7axgoxa._file

Verdict:

malicious

LockBit

73406e0e7882addf0f810d3bc0e386fd5fd2dd441c895095f4125bb236ae7345

LockBit

9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af

LockBit

acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c

LockBit

bc7a8a1a103aba8623b7cb73a8c32d5a3a9a8550d1a0fabbb1a01a48497ad0fb

LockBit

bdc2801e747ee4dd2b50b1ecd3fa3eb53b6c8101ec37eff8d18e485a7f4a7bd0

LockBit

dd8fe3966ab4d2d6215c63b3ac7abf4673d9c19f2d9f35a6bf247922c642ec2d

LockBit

e216372e4328f1cf5cf39a73540b508adc8d777fef90ca77af635c2331deb5cc

LockBit

+ 70 additional samples on MalwareBazaar

Result

Malware family:

lockbit

Score:

10/10

Tags:

family:lockbit discovery persistence ransomware

Link:

https://tria.ge/reports/230327-dy66psbe29/

Behaviour

Modifies Control Panel

Modifies registry class

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Checks computer location settings

Modifies extensions of user files

Creates a large amount of network flows

Lockbit

Unpacked files

SH256 hash:

f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae

MD5 hash:

af9ff037caca1f316e7d05db86dbd882

SHA1 hash:

844e9b219aaecb26de4994a259f822500fb75ae1

Detections:

win_lockbit_auto

Link:

https://www.unpac.me/results/29a35446-ace7-4b9d-a257-09624f1004a7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ICMLuaUtil_UACMe_M41 Create hunting rule
Author:	Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:	A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:	https://github.com/hfiref0x/UACME

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	INDICATOR_SUSPICIOUS_USNDeleteJournal Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing anti-forensic artifcats of deletiing USN change journal. Observed in ransomware

Rule name:	Lockbit Create hunting rule
Author:	kevoreilly
Description:	Lockbit Payload

Rule name:	Lockbit2_Jul21 Create hunting rule
Author:	CB @ ATR
Description:	simple rule to detect latest Lockbit ransomware Jul 2021

Rule name:	lockbitrule Create hunting rule
Author:	anonymous
Description:	all good scripts include rigorous documentation - literally no one

Rule name:	MAL_EXE_LockBit_v2 Create hunting rule
Author:	Silas Cutler, modified by Florian Roth
Description:	Detection for LockBit version 2.x from 2011

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	Windows_Ransomware_Lockbit_89e64044 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Ransomware_Lockbit_a1c60939 Create hunting rule
Author:	Elastic Security

Rule name:	win_lockbit_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lockbit.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/377686/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample