SYMBOLCOMMON_NAMEaka. SYNONYMS
win.stealbit (Back to overview)

StealBit

aka: Corrempa

This is a stealer used by LockBit 2.0.

References
2022-06-28AccentureAccenture
@online{accenture:20220628:stealbit:ec9bb0e, author = {Accenture}, title = {{Steal(Bit) or exfil, what does it (Ex)Matter? Comparative Analysis of Custom Exfiltration Tools}}, date = {2022-06-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/security/stealbit-exmatter-exfiltration-tool-analysis}, language = {English}, urldate = {2022-09-26} } Steal(Bit) or exfil, what does it (Ex)Matter? Comparative Analysis of Custom Exfiltration Tools
ExMatter StealBit
2022-05-11KasperskyGReAT
@online{great:20220511:new:a56bc90, author = {GReAT}, title = {{New ransomware trends in 2022}}, date = {2022-05-11}, organization = {Kaspersky}, url = {https://securelist.com/new-ransomware-trends-in-2022/106457/}, language = {English}, urldate = {2022-05-17} } New ransomware trends in 2022
BlackCat Conti DEADBOLT DoubleZero LockBit PartyTicket StealBit
2021-12-16CybereasonAleksandar Milenkoski, Kotaro Ogino
@online{milenkoski:20211216:inside:40c2e51, author = {Aleksandar Milenkoski and Kotaro Ogino}, title = {{Inside the LockBit Arsenal - The StealBit Exfiltration Tool}}, date = {2021-12-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool}, language = {English}, urldate = {2022-02-04} } Inside the LockBit Arsenal - The StealBit Exfiltration Tool
LockBit StealBit
2021-09-24YoroiLuigi Martire, Luca Mella
@online{martire:20210924:hunting:d29a5e6, author = {Luigi Martire and Luca Mella}, title = {{Hunting the LockBit Gang's Exfiltration Infrastructures}}, date = {2021-09-24}, organization = {Yoroi}, url = {https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/}, language = {English}, urldate = {2021-09-24} } Hunting the LockBit Gang's Exfiltration Infrastructures
LockBit StealBit
2021-08-12Twitter (@r3c0nst)Frank Boldewin
@online{boldewin:20210812:stealbit:08f3307, author = {Frank Boldewin}, title = {{Tweet on StealBit malware as used by LockBit 2.0}}, date = {2021-08-12}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1425875923606310913}, language = {English}, urldate = {2021-08-16} } Tweet on StealBit malware as used by LockBit 2.0
StealBit
Yara Rules
[TLP:WHITE] win_stealbit_auto (20230808 | Detects win.stealbit.)
rule win_stealbit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.stealbit."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4e30 e8???????? 8b4e30 e8???????? 83663000 8d562c }
            // n = 6, score = 300
            //   8b4e30               | mov                 ecx, dword ptr [esi + 0x30]
            //   e8????????           |                     
            //   8b4e30               | mov                 ecx, dword ptr [esi + 0x30]
            //   e8????????           |                     
            //   83663000             | and                 dword ptr [esi + 0x30], 0
            //   8d562c               | lea                 edx, [esi + 0x2c]

        $sequence_1 = { 8d8580fbffff 50 e8???????? 8bc8 e8???????? ffd0 8bd8 }
            // n = 7, score = 300
            //   8d8580fbffff         | lea                 eax, [ebp - 0x480]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   8bd8                 | mov                 ebx, eax

        $sequence_2 = { 8bfa 8bd9 e8???????? 8bc8 e8???????? ffd0 8bf0 }
            // n = 7, score = 300
            //   8bfa                 | mov                 edi, edx
            //   8bd9                 | mov                 ebx, ecx
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   8bf0                 | mov                 esi, eax

        $sequence_3 = { e8???????? 8bc8 e8???????? ffd0 6a02 68bf000000 53 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   6a02                 | push                2
            //   68bf000000           | push                0xbf
            //   53                   | push                ebx

        $sequence_4 = { c786a802000000000000 8d7e50 33db 8b4620 }
            // n = 4, score = 300
            //   c786a802000000000000     | mov    dword ptr [esi + 0x2a8], 0
            //   8d7e50               | lea                 edi, [esi + 0x50]
            //   33db                 | xor                 ebx, ebx
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]

        $sequence_5 = { 6a6f 66898546ffffff 33c0 66898548ffffff 58 6a63 668985d2fcffff }
            // n = 7, score = 300
            //   6a6f                 | push                0x6f
            //   66898546ffffff       | mov                 word ptr [ebp - 0xba], ax
            //   33c0                 | xor                 eax, eax
            //   66898548ffffff       | mov                 word ptr [ebp - 0xb8], ax
            //   58                   | pop                 eax
            //   6a63                 | push                0x63
            //   668985d2fcffff       | mov                 word ptr [ebp - 0x32e], ax

        $sequence_6 = { 66899570feffff 66899574feffff 5a 6a6d 58 6a69 66898500feffff }
            // n = 7, score = 300
            //   66899570feffff       | mov                 word ptr [ebp - 0x190], dx
            //   66899574feffff       | mov                 word ptr [ebp - 0x18c], dx
            //   5a                   | pop                 edx
            //   6a6d                 | push                0x6d
            //   58                   | pop                 eax
            //   6a69                 | push                0x69
            //   66898500feffff       | mov                 word ptr [ebp - 0x200], ax

        $sequence_7 = { 6689859afeffff 33c0 668955de 5a 6a61 6689bd86feffff }
            // n = 6, score = 300
            //   6689859afeffff       | mov                 word ptr [ebp - 0x166], ax
            //   33c0                 | xor                 eax, eax
            //   668955de             | mov                 word ptr [ebp - 0x22], dx
            //   5a                   | pop                 edx
            //   6a61                 | push                0x61
            //   6689bd86feffff       | mov                 word ptr [ebp - 0x17a], di

        $sequence_8 = { 8945f8 e8???????? 03c0 8bce 8bd0 e8???????? 6a0c }
            // n = 7, score = 300
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   e8????????           |                     
            //   03c0                 | add                 eax, eax
            //   8bce                 | mov                 ecx, esi
            //   8bd0                 | mov                 edx, eax
            //   e8????????           |                     
            //   6a0c                 | push                0xc

        $sequence_9 = { e8???????? 8bc8 e8???????? 3d15cffdb1 740b 46 3bf7 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   3d15cffdb1           | cmp                 eax, 0xb1fdcf15
            //   740b                 | je                  0xd
            //   46                   | inc                 esi
            //   3bf7                 | cmp                 esi, edi

    condition:
        7 of them and filesize < 131072
}
[TLP:WHITE] win_stealbit_w0   (20210818 | Detects Stealbit used by Lockbit 2.0 Ransomware Gang)
rule win_stealbit_w0 {
	meta:
		description = "Detects Stealbit used by Lockbit 2.0 Ransomware Gang"
		author = "Frank Boldewin (@r3c0nst)"
		reference = "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Lockbit2.Stealbit.yar"
		date = "2021-08-12"
		hash1 = "3407f26b3d69f1dfce76782fee1256274cf92f744c65aa1ff2d3eaaaf61b0b1d"
		hash2 = "bd14872dd9fdead89fc074fdc5832caea4ceac02983ec41f814278130b3f943e"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit"
        malpedia_rule_date = "20210818"
        malpedia_hash = ""
        malpedia_version = "20210818"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

	strings:
		$C2Decryption = {33 C9 8B C1 83 E0 0F 8A 80 ?? ?? ?? ?? 30 81 ?? ?? ?? ?? 41 83 F9 7C 72 E9 E8}
		
	condition:
		uint16(0) == 0x5A4D and filesize < 100KB and $C2Decryption
}
Download all Yara Rules