SYMBOLCOMMON_NAMEaka. SYNONYMS
win.stealbit (Back to overview)

StealBit

aka: Corrempa

This is a stealer used by LockBit 2.0.

References
2021-09-24YoroiLuigi Martire, Luca Mella
@online{martire:20210924:hunting:d29a5e6, author = {Luigi Martire and Luca Mella}, title = {{Hunting the LockBit Gang's Exfiltration Infrastructures}}, date = {2021-09-24}, organization = {Yoroi}, url = {https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/}, language = {English}, urldate = {2021-09-24} } Hunting the LockBit Gang's Exfiltration Infrastructures
LockBit StealBit
2021-08-12Twitter (@r3c0nst)Frank Boldewin
@online{boldewin:20210812:stealbit:08f3307, author = {Frank Boldewin}, title = {{Tweet on StealBit malware as used by LockBit 2.0}}, date = {2021-08-12}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1425875923606310913}, language = {English}, urldate = {2021-08-16} } Tweet on StealBit malware as used by LockBit 2.0
StealBit
Yara Rules
[TLP:WHITE] win_stealbit_auto (20211008 | Detects win.stealbit.)
rule win_stealbit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.stealbit."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 ff762c 8bd0 c7462804000000 8bce e8???????? 59 }
            // n = 7, score = 300
            //   c3                   | ret                 
            //   ff762c               | push                dword ptr [esi + 0x2c]
            //   8bd0                 | mov                 edx, eax
            //   c7462804000000       | mov                 dword ptr [esi + 0x28], 4
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_1 = { c1e10a 894e04 b806000080 0fa2 c1e910 c1e10a 894e08 }
            // n = 7, score = 300
            //   c1e10a               | shl                 ecx, 0xa
            //   894e04               | mov                 dword ptr [esi + 4], ecx
            //   b806000080           | mov                 eax, 0x80000006
            //   0fa2                 | cpuid               
            //   c1e910               | shr                 ecx, 0x10
            //   c1e10a               | shl                 ecx, 0xa
            //   894e08               | mov                 dword ptr [esi + 8], ecx

        $sequence_2 = { 7412 3d9a0000c0 740b 3d2d0100c0 0f858a000000 8d45b0 }
            // n = 6, score = 300
            //   7412                 | je                  0x14
            //   3d9a0000c0           | cmp                 eax, 0xc000009a
            //   740b                 | je                  0xd
            //   3d2d0100c0           | cmp                 eax, 0xc000012d
            //   0f858a000000         | jne                 0x90
            //   8d45b0               | lea                 eax, dword ptr [ebp - 0x50]

        $sequence_3 = { 66898560fcffff 58 6a65 66898564fcffff 58 6a77 66898566fcffff }
            // n = 7, score = 300
            //   66898560fcffff       | mov                 word ptr [ebp - 0x3a0], ax
            //   58                   | pop                 eax
            //   6a65                 | push                0x65
            //   66898564fcffff       | mov                 word ptr [ebp - 0x39c], ax
            //   58                   | pop                 eax
            //   6a77                 | push                0x77
            //   66898566fcffff       | mov                 word ptr [ebp - 0x39a], ax

        $sequence_4 = { 5e 5b c3 80e10f 80c130 80f939 0fb6d1 }
            // n = 7, score = 300
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   80e10f               | and                 cl, 0xf
            //   80c130               | add                 cl, 0x30
            //   80f939               | cmp                 cl, 0x39
            //   0fb6d1               | movzx               edx, cl

        $sequence_5 = { ffd0 8b45fc 83e0bf 0d80000000 50 8b4610 ff7018 }
            // n = 7, score = 300
            //   ffd0                 | call                eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83e0bf               | and                 eax, 0xffffffbf
            //   0d80000000           | or                  eax, 0x80
            //   50                   | push                eax
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   ff7018               | push                dword ptr [eax + 0x18]

        $sequence_6 = { 57 56 e8???????? 83c40c 03f3 837d1802 }
            // n = 6, score = 300
            //   57                   | push                edi
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   03f3                 | add                 esi, ebx
            //   837d1802             | cmp                 dword ptr [ebp + 0x18], 2

        $sequence_7 = { 33db 648b3530000000 8d45fc 50 8b4610 ff7018 e8???????? }
            // n = 7, score = 300
            //   33db                 | xor                 ebx, ebx
            //   648b3530000000       | mov                 esi, dword ptr fs:[0x30]
            //   8d45fc               | lea                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   ff7018               | push                dword ptr [eax + 0x18]
            //   e8????????           |                     

        $sequence_8 = { 56 8d4df4 e8???????? 8bc8 e8???????? 3d750c7fa7 740b }
            // n = 7, score = 300
            //   56                   | push                esi
            //   8d4df4               | lea                 ecx, dword ptr [ebp - 0xc]
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   3d750c7fa7           | cmp                 eax, 0xa77f0c75
            //   740b                 | je                  0xd

        $sequence_9 = { 8b7dfc f00fc70f 8b7df8 3bc6 8b45fc 75d6 3b55f4 }
            // n = 7, score = 300
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   f00fc70f             | lock cmpxchg8b      qword ptr [edi]
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   3bc6                 | cmp                 eax, esi
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   75d6                 | jne                 0xffffffd8
            //   3b55f4               | cmp                 edx, dword ptr [ebp - 0xc]

    condition:
        7 of them and filesize < 131072
}
[TLP:WHITE] win_stealbit_w0   (20210818 | Detects Stealbit used by Lockbit 2.0 Ransomware Gang)
rule win_stealbit_w0 {
	meta:
		description = "Detects Stealbit used by Lockbit 2.0 Ransomware Gang"
		author = "Frank Boldewin (@r3c0nst)"
		reference = "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Lockbit2.Stealbit.yar"
		date = "2021-08-12"
		hash1 = "3407f26b3d69f1dfce76782fee1256274cf92f744c65aa1ff2d3eaaaf61b0b1d"
		hash2 = "bd14872dd9fdead89fc074fdc5832caea4ceac02983ec41f814278130b3f943e"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit"
        malpedia_rule_date = "20210818"
        malpedia_hash = ""
        malpedia_version = "20210818"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

	strings:
		$C2Decryption = {33 C9 8B C1 83 E0 0F 8A 80 ?? ?? ?? ?? 30 81 ?? ?? ?? ?? 41 83 F9 7C 72 E9 E8}
		
	condition:
		uint16(0) == 0x5A4D and filesize < 100KB and $C2Decryption
}
Download all Yara Rules