{
	"id": "974b0f66-d801-467d-abc7-979ac43c8f66",
	"created_at": "2026-04-06T00:10:58.21627Z",
	"updated_at": "2026-04-10T03:21:40.543769Z",
	"deleted_at": null,
	"sha1_hash": "2628e5f9163548e1ef4508da247d42142e4501af",
	"title": "https://www.malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38299,
	"plain_text": "https://www.malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt\r\nArchived: 2026-04-05 18:25:44 UTC\r\nDiscovery / credits: Malvuln - malvuln.com (c) 2022\r\nOriginal source: https://malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt\r\nContact: malvuln13@gmail.com\r\nMedia: twitter.com/malvuln\r\nThreat: Ransom.LockBit\r\nVulnerability: DLL Hijacking\r\nDescription: LockBit ransomware looks for and executes DLLs in its current directory. This can potentially all\r\nFamily: LockBit\r\nType: PE32\r\nMD5: 96de05212b30ec85d4cf03386c1b84af\r\nVuln ID: MVID-2022-0572\r\nDisclosure: 05/02/2022\r\nVideo PoC URL: https://www.youtube.com/watch?v=3i6tv4cpfSc\r\nExploit/PoC:\r\n1) Compile the following C code as \"netapi32.dll\"\r\n2) Place the DLL in same directory as Lockbit ransomware\r\n3) Optional - Hide it: attrib +s +h \"netapi32.dll\"\r\n4) Run Lockbit PE file\r\n#include \"windows.h\"\r\n#include \"stdio.h\"\r\n//By malvuln - 5/1/2022\r\n//Vuln: DLL Hijacking\r\n//Target: Lockbit Ransomware\r\n//MD5: 96de05212b30ec85d4cf03386c1b84af\r\n/** DISCLAIMER:\r\nAuthor is NOT responsible for any damages whatsoever by using this software or improper malware\r\nhandling. By using this code you assume and accept all risk implied or otherwise.\r\n**/\r\n//gcc -c netapi32.c -m32\r\n//gcc -shared -o netapi32.dll netapi32.o -m32\r\nBOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){\r\n switch (reason) {\r\n case DLL_PROCESS_ATTACH:\r\n MessageBox(NULL, \"Code Exec\", \"by malvuln\", MB_OK);\r\n TCHAR buf[MAX_PATH];\r\n GetCurrentDirectory(MAX_PATH, TEXT(buf));\r\n //printf(\"Current directory: %s\\n\", buf);\r\n //check the path, netapi32.dll is sideloaded by lockbit\r\nhttps://www.malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt\r\nPage 1 of 2\n\nint rc = strcmp(\"C:\\\\Windows\\\\System32\", TEXT(buf));\r\n if(rc != 0){\r\n HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());\r\n if (NULL != handle) {\r\n TerminateProcess(handle, 0);\r\n CloseHandle(handle);\r\n }\r\n }\r\n break;\r\n }\r\n return TRUE;\r\n}\r\nDisclaimer: The information contained within this advisory is supplied \"as-is\" with no warranties or guarantee\r\nSource: https://www.malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt\r\nhttps://www.malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt"
	],
	"report_names": [
		"96de05212b30ec85d4cf03386c1b84af.txt"
	],
	"threat_actors": [],
	"ts_created_at": 1775434258,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2628e5f9163548e1ef4508da247d42142e4501af.pdf",
		"text": "https://archive.orkl.eu/2628e5f9163548e1ef4508da247d42142e4501af.txt",
		"img": "https://archive.orkl.eu/2628e5f9163548e1ef4508da247d42142e4501af.jpg"
	}
}