{
	"id": "0bd5f3b8-99d6-4abb-a5a1-f13a435fa39a",
	"created_at": "2026-04-10T03:21:37.516726Z",
	"updated_at": "2026-04-10T03:22:18.186602Z",
	"deleted_at": null,
	"sha1_hash": "71ad6a128c9de2cbbabd18945fa5ae2d1294d457",
	"title": "Quick Overview of Leaked LockBit 3.0 (Black) builder program",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1379282,
	"plain_text": "Quick Overview of Leaked LockBit 3.0 (Black) builder program\r\nBy S2W\r\nPublished: 2022-09-23 · Archived: 2026-04-10 02:25:27 UTC\r\nSep 22, 2022\r\nAuthor: HuiSeong, Yang \u0026 Hyunsik, Jeong | S2W TALON\r\nLast Modified : Sep 22, 2022\r\nhttps://medium.com/s2wblog/quick-overview-of-leaked-lockbit-3-0-black-builder-program-880ae511d085\r\nPage 1 of 8\n\nExecutive Summary\r\nAccording to a tweet from 3xp0rt, Ali Qushji was able to infiltrate LockBit’s server and acquire the builder\r\nfor the ransomware.\r\nAccording to vx-underground, Proton, one of the programmers for the LockBit ransomware group,\r\nmentioned that the builder was leaked, but the tweet has now been deleted.\r\nThe ransomware group indirectly admitted that the allegations above are true, saying that nothing has been\r\nhacked and that they have fired the coder.\r\nThe LockBit 3.0 builders leaked by Ali Qushji and Proton are both shared on 3xp0rt’s GitHub.\r\nDetailed Analysis\r\nLockBit builder flowchart\r\n1. 
Build.bat\r\nBuild.bat creates an RSA public/private key pair by executing Keygen.exe, then runs Builder.exe, which generates\r\nthe LockBit 3.0 ransomware using the generated key pair.\r\nERASE /F /Q %cd%\\Build\\*.*\r\nkeygen -path %cd%\\Build -pubkey pub.key -privkey priv.key\r\nbuilder -type dec -privkey %cd%\\Build\\priv.key -config config.json -ofile %cd%\\Build\\LB3Decryptor.exe\r\nbuilder -type enc -exe -pubkey %cd%\\Build\\pub.key -config config.json -ofile %cd%\\Build\\LB3.exe\r\nbuilder -type enc -exe -pass -pubkey %cd%\\Build\\pub.key -config config.json -ofile %cd%\\Build\\LB3_pas\r\nbuilder -type enc -dll -pubkey %cd%\\Build\\pub.key -config config.json -ofile %cd%\\Build\\LB3_Rundll32\r\nbuilder -type enc -dll -pass -pubkey %cd%\\Build\\pub.key -config config.json -ofile %cd%\\Build\\LB3_Run\r\nbuilder -type enc -ref -pubkey %cd%\\Build\\pub.key -config config.json -ofile %cd%\\Build\\LB3_Reflectiv\r\nexit\r\nCommand line description\r\nThe list of files created after execution is as follows.\r\nFiles created after executing Build.bat\r\n2. 
config.json\r\nconfig.json is a JSON configuration file that contains the setting values to be used when generating LockBit\r\n3.0 Encryptor and Decryptor.\r\nbot: Configuration for the bot feature that steals information from infected devices (not used)\r\nconfig: Configuration values that determine the behavior of the LockBit 3.0 ransomware\r\nConfiguration description\r\nwhite_folders: List of folders to exclude from encryption\r\nwhite_files: List of files to exclude from encryption\r\nwhite_extens: List of extensions to exclude from encryption\r\nwhite_hosts: List of hostnames to exclude from encryption\r\nkill_processes: List of processes to be terminated before encryption\r\nkill_services: List of services to be terminated before encryption\r\ngate_urls: List of URLs to be used as the C2 server\r\nimpers_accounts: List of credentials to be used for logon\r\nnote: Ransom note content\r\n~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~\r\n\u003e\u003e\u003e\u003e Your data are stolen and encrypted\r\nThe data will be published on TOR website if you do not pay the ransom\r\nLinks for Tor Browser:http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionhttp://loc\r\n\u003e\u003e\u003e\u003e AdvertisementWould you like to earn millions of dollars $$$ ?Our company acquire access to netwo\r\nIf you want to contact us, write in jabber or tox.Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3\r\n3. Builder.exe\r\nBuilder.exe is a tool to generate LockBit 3.0 Encryptor and Decryptor. 
Encryptor and Decryptor are embedded\r\nin the resource section.\r\n100: LockBit 3.0 Decryptor (EXE)\r\n101: LockBit 3.0 Encryptor (EXE)\r\n103: LockBit 3.0 Encryptor (DLL)\r\n106: LockBit 3.0 Encryptor (Reflective DLL)\r\nThe parameters used during execution are as follows.\r\n-type\r\nenc: Generate Encryptor\r\ndec: Generate Decryptor\r\n-config\r\nConfiguration file path\r\n-exe, -dll, -ref(reflectiveDLL)\r\nFile type to be created\r\n-pass\r\nWhen creating an Encryptor, the password required to execute the Encryptor\r\nPasswords required to execute Encryptor are stored in Password_exe.txt and Password_dll.txt\r\nrespectively\r\n-pubkey, -privkey\r\nPath of the key file to be used when creating Encryptor and Decryptor\r\n-ofile\r\nFile path to save\r\n4. Keygen.exe\r\nKeygen.exe is a tool that generates key pairs required for encryption. The parameters used during execution are\r\nas follows.\r\n-path : Folder path to save generated key pair file\r\n-pubkey : File name to use for Encryptor as public key (256 bytes)\r\n— The first 128 bytes contain e value (fixed at 65537), and the last 128 bytes contain N value\r\n-privkey : File name to use for Encryptor as private key (256 bytes)\r\n— The first 128 bytes contain d value and the last 128 bytes contain N value\r\nKey generation is performed as follows.\r\nkeygen.exe is written based on MIRACL.\r\nGenerates an RSA-1024 key to encrypt the file encryption key, and the e value is fixed to 65537.\r\nWhen generating 512-bit prime numbers p and q, create a 256-byte seed with the rdrand x86 instruction.\r\nThen, pass the seed to the strong_init function of MIRACL to initialize the CSPRNG defined in\r\nmrstrong.c, and use the strong_bigdig function to get a 512-bit value, which will 
be used for generating a\r\nprime number.\r\nkeygen.exe uses a modified version of MIRACL, which uses RIPEMD-160 instead of SHA-256\r\ninside the CSPRNG from mrstrong.c.\r\nAfterward, a 16-byte Decryption ID is generated to identify the infected PC and stored in the\r\nDECRYPTION_ID.txt file.\r\nFile information\r\n1. Build.bat\r\nMD5 : 4e46e28b2e61643f6af70a8b19e5cb1f\r\nSHA-1 : 804a1d0c4a280b18e778e4b97f85562fa6d5a4e6\r\nSHA-256 : 8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339\r\nFileType : BAT\r\n2. config.json\r\nMD5 : a6ba7b662de10b45ebe5b6b7edaa62a9\r\nSHA-1 : f3ed67bdaef070cd5a213b89d53c5b8022d6f266\r\nSHA-256 : 3f7518d88aefd4b1e0a1d6f9748f9a9960c1271d679600e34f5065d8df8c9dc8\r\nFileType : json\r\n3. Builder.exe\r\nMD5 : c2bc344f6dde0573ea9acdfb6698bf4c\r\nSHA-1 : d6ae7dc2462c8c35c4a074b0a62f07cfef873c77\r\nSHA-256 : a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db\r\nCreationTime : 2022-09-14 08:31:18\r\nFileType : EXE\r\n4. Keygen.exe\r\nMD5 : 71c3b2f765b04d0b7ea0328f6ce0c4e2\r\nSHA-1 : bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4\r\nSHA-256 : ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37\r\nCreationTime : 2022-09-09 08:58:31\r\nFileType : EXE\r\nSource: https://medium.com/s2wblog/quick-overview-of-leaked-lockbit-3-0-black-builder-program-880ae511d085",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wblog/quick-overview-of-leaked-lockbit-3-0-black-builder-program-880ae511d085"
	],
	"report_names": [
		"quick-overview-of-leaked-lockbit-3-0-black-builder-program-880ae511d085"
	],
	"threat_actors": [],
	"ts_created_at": 1775791297,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71ad6a128c9de2cbbabd18945fa5ae2d1294d457.pdf",
		"text": "https://archive.orkl.eu/71ad6a128c9de2cbbabd18945fa5ae2d1294d457.txt",
		"img": "https://archive.orkl.eu/71ad6a128c9de2cbbabd18945fa5ae2d1294d457.jpg"
	}
}