- First seen: September 2019
- Aliases: ABCD
- Samples:
- f9b9d45339db9164a3861bf61758b7f41e6bcfb5bc93404e296e2918e52ccc10 | windows | ransom | pe
- 9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af | windows | ransom | pe
- 13849c0c923bfed5ab37224d59e2d12e3e72f97dc7f539136ae09484cbe8e5e0 | windows | ransom | pe
| Property | Value |
|---|---|
| Size | 166400 bytes |
| CRC32 | 0xba9cd332 |
| MD5 | 7fb11398c5be61445bee1efa7c9caa31 |
| SHA1 | ced1c9fabfe7e187dd809e77c9ca28ea2e165fa8 |
| SHA256 | f9b9d45339db9164a3861bf61758b7f41e6bcfb5bc93404e296e2918e52ccc10 |
| SHA512 | c3b51534aa4172576ba4775f2859a3e7b0423405d7676c87c9220101ecd859fbb4c8ed74aa0b4989af9c272616c9616e1ac54ffa56cebe846dbc09406bbe0525 |
| Ssdeep | 3072:hM38OugiM3koBZl6kpfxrgNYddVPkW8XeoSseFciJta6IR/o6BTREgDfBcKL8xDl:hjOugiM3koBDxrGyPktV1eRSZ17DfyKa |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
| Packer | PE: linker: Microsoft Linker(14.12)[EXE32] |
| TrID | 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.5% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23) 8.3% (.EXE) OS/2 Executable (generic) (2029/13) |
- Avast: Win32:Evo-gen [Trj]
- Avira: TR/Crypt.ZPACK.Gen
- Bitdefender: Gen:Variant.Ransom.Lockbit3.10
+ Clamav: clean
- Comodo: Malware
- Drweb: Trojan.Encoder.35621
- Eset: Win32/Filecoder.Lockbit.H
- Fsecure: Trojan.TR/Crypt.ZPACK.Gen
- Kaspersky: Trojan-Ransom.Win32.Lockbit.ay
+ Mcafee: clean
- Sophos: Mal/FakeAV-JC
- Symantec: Trojan.Gen.MBT
- Trendmicro: Ransom.Win32.LOCKBIT.SMYXCGD
- Windefender: Trojan:Win32/Lockbit.RPA!MTB| Property | Value |
|---|---|
| Size | 982528 bytes |
| CRC32 | 0x3f6d2c67 |
| MD5 | 63dcf75ad743b292e4a6cd067ffc2c18 |
| SHA1 | 0d68ea228f49fdd8d044a2fb0dae9174eba73d7a |
| SHA256 | 9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af |
| SHA512 | c982f183caf5859c3d8d8b2c7831e3e6a9d074b651f27ed89fdf486db577d1d4a3af901a8b17ad667ef85a4c900c99766388ff99c564a7443479b8831eb5f43e |
| Ssdeep | 24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdPF:Ujrc2So1Ff+B3k7965 |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
| Packer | PE: linker: Microsoft Linker(14.16, Visual Studio 2017 15.9*)[EXE32] |
| TrID | 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 22.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4505/5/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3) |
- Avast: Win32:LockBit-A [Ransom]
- Avira: TR/Crypt.XPACK.Gen
- Bitdefender: Trojan.GenericKD.39823092
- Clamav: Win.Trojan.Obfus-43
- Comodo: Malware
- Drweb: Trojan.Encoder.34248
- Eset: Win32/Filecoder.Lockbit.E
- Fsecure: Trojan.TR/Crypt.XPACK.Gen
- Kaspersky: HEUR:Trojan-Ransom.Win32.Generic
+ Mcafee: clean
- Sophos: Troj/Lockbit-D
- Symantec: Downloader
- Trendmicro: Ransom.Win32.LOCKBIT.SMYEBGW
- Windefender: Ransom:Win32/Lockbit.STA| Property | Value |
|---|---|
| Size | 143872 bytes |
| CRC32 | 0x277e4610 |
| MD5 | 265d02e0a563bbdbdb2883add41ff4bb |
| SHA1 | 01890a3874787dcd74fc548d724b32ed9562abe4 |
| SHA256 | 13849c0c923bfed5ab37224d59e2d12e3e72f97dc7f539136ae09484cbe8e5e0 |
| SHA512 | e07535300bc1f8f1b209ce0ee39c3b6e428fc4035cb502b8729aad84c67f9da670ee6417585d9dce41ce03876cadabc1d43800dc5491718fa330e1f73605e7bd |
| Ssdeep | 3072:iV8E2JPpYg/GGo2l+mL3iUfqMqqD/KqEA8KB8:pE2pHNo2wW3r5qqD/2u |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
| Packer | PE: compiler: Microsoft Visual C/C++(2017 v.15.9)[-] PE: linker: Microsoft Linker(14.16, Visual Studio 2017 15.9*)[EXE32] |
| TrID | 40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3) |
+ Avast: clean
- Avira: TR/FileCoder.xywwf
- Bitdefender: Trojan.AgentWDCR.YFY
- Clamav: Win.Ransomware.LockBitCombined-9375766-1
- Comodo: Malware
- Drweb: Trojan.Encoder.30392
- Eset: Win32/Filecoder.Lockbit.B
- Fsecure: Trojan.TR/FileCoder.xywwf
- Kaspersky: Trojan.Win32.DelShad.bvn
+ Mcafee: clean
- Sophos: Troj/Ransom-FXW
- Symantec: Downloader
- Trendmicro: Ransom.Win32.LOCKBIT.SMDS
- Windefender: Ransom:Win32/LockBit.A!MTB- https://amgedwageh.medium.com/lockbit-ransomware-analysis-notes-93a542fc8511
- https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html
- https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/
- https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/
- https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf
- https://unit42.paloaltonetworks.com/lockbit-2-ransomware/
- https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/
- https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
- https://www.lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf
- https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
- https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/
- https://www.trendmicro.com/en_au/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/