Locky

Locky

• First seen: February 2016
• Aliases: ABCD
• Samples:
  • 03f6ab1b482eac4acfb793c3e8d0656d7c33cddb5fc38416019d526f43577761 | windows | ransom | pe

LockBit Windows Payload v3.0

Basic Properties

Property	Value
Size	188416 bytes
CRC32	0xf1df41e0
MD5	74dde1905eff75cf3328832988a785de
SHA1	7f2bc907de2471b98be5da4c0874e362606b8349
SHA256	03f6ab1b482eac4acfb793c3e8d0656d7c33cddb5fc38416019d526f43577761
SHA512	2aef6b49dfd49082e5c8015d48a1c438001552b4c8013f481e758ee9af12cfc69bc4cd1460251aa600f929864fffd1331f3ea7c08a721c9e4aa9378921d142e1
Ssdeep	3072:JPWbmlSwK8xBBooi+Soc4ZfvrkpRb5bMtFle83u9:Jua1tSofMx5bMNe83u
Magic	PE32 executable (GUI) Intel 80386, for MS Windows
Packer	PE: compiler: Microsoft Visual C/C++(6.0)[libcmt] PE: linker: Microsoft Linker(6.1*)[EXE32]
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)

Antivirus Scan

+ Avast: clean
+ Avira: clean
- Bitdefender: Trojan.Locky.C
- Clamav: Win.Ransomware.Locky-5
- Comodo: TrojWare.Win32.Ransom.Locky.D
- Drweb: Trojan.DownLoader19.28288
- Eset: Win32/Filecoder.Locky.A
- Fsecure: Heuristic.HEUR/AGEN.1316720
- Kaspersky: HEUR:Trojan.Win32.Generic
+ Mcafee: clean
- Sophos: Troj/Ransom-CHA
- Symantec: Ransom.TeslaCrypt
- Trendmicro: Ransom_LOCKY.SM3
- Windefender: Ransom:Win32/Locky.A

References

• https://www.malwarebytes.com/blog/news/2016/03/look-into-locky
• https://sensepost.com/blog/2016/understanding-locky/
• https://www.sternsecurity.com/blog/locky-ransomware-analysis/
• https://blog.avast.com/a-closer-look-at-the-locky-ransomware