{
	"id": "28f4e556-7232-4416-9ac6-24feafbfc71e",
	"created_at": "2026-04-06T00:11:37.537574Z",
	"updated_at": "2026-04-10T03:21:17.37633Z",
	"deleted_at": null,
	"sha1_hash": "ad058e929796c713771e61b174b1551196c915de",
	"title": "A technical analysis of the leaked LockBit 3.0 builder – CYBER GEEKS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2860663,
	"plain_text": "A technical analysis of the leaked LockBit 3.0 builder – CYBER GEEKS\r\nPublished: 2022-09-22 · Archived: 2026-04-05 15:27:54 UTC\r\nSummary\r\nThis is our analysis of the LockBit 3.0 builder that was leaked online on September 21, 2022. The executable called “keygen.exe” can be used to generate the RSA public and private keys that are embedded in the encryptor and decryptor, respectively. The builder embeds 4 resources used to create executables or DLL files according to the command line parameters. As in the case of the Conti leaks, we’ll probably encounter LockBit-forked ransomware because of the builder’s availability.\r\nAnalyst: @GeeksCyber\r\nTechnical analysis\r\nSHA256: A736269F5F3A9F2E11DD776E352E1801BC28BB699E47876784B8EF761E0062DB\r\nThe builder (“builder.exe”) was compiled on September 13, 2022. The executable “keygen.exe” can be used to generate RSA public and private keys that are saved as “pub.key” and “priv.key”.\r\nThe RSA public/private key is Base64-encoded, as highlighted below:\r\nFigure 1\r\nThe process retrieves the command-line string using GetCommandLineW:\r\nFigure 2\r\nThe CommandLineToArgvW API is utilized to obtain an array of pointers to the command line arguments:\r\nFigure 3\r\nRunning with the -type dec -privkey priv.key -config config.json -ofile LB3Decryptor.exe parameters\r\nThe malware compares the parameters with “-type enc” (encryptor) and “-type dec” (decryptor) to decide which executable to generate:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/\r\nPage 1 of 12\r\nFigure 4\r\nThe builder opens the RSA private key file by calling the CreateFileW function (0x80000000 = GENERIC_READ, 0x1 = FILE_SHARE_READ, 0x3 = OPEN_EXISTING, 0x80 = FILE_ATTRIBUTE_NORMAL):\r\nFigure 5\r\nThe process reads the above file content using the ReadFile API:\r\nFigure 6\r\nThe RSA private key is Base64-decoded by the malicious process:\r\nFigure 7\r\nFigure 8\r\nThe executable parses the LockBit configuration file “config.json” that contains information such as the whitelisted folders/files/extensions, the processes and services to stop, and the ransom note content:\r\nFigure 9\r\nFigure 10\r\nThe malware implements a custom “hashing” function that computes a 4-byte value for each whitelisted directory/file/extension/host. An example of a function result is shown in figure 12.\r\nFigure 11\r\nFigure 12\r\nThe resulting buffer containing the hashes is Base64-encoded by the builder, as shown in the figure below.\r\nFigure 13\r\nFigure 14\r\nFigure 15\r\nThe malicious executable can use two instructions to generate 2 random 4-byte values: RDRAND and RDSEED. Firstly, it checks if these instructions are supported by the processor and then generates the random bytes. An identical implementation was also used by DarkSide ransomware, which could mean that the two groups borrowed the code from the same place:\r\nFigure 16\r\nThe random values are combined with two hard-coded values, which are modified using simple operations such as OR:\r\nFigure 17\r\nFigure 18\r\nA buffer containing the RSA private key and the Base64-encoded string computed above is XOR-ed with the values generated using the 4-byte random values:\r\nFigure 19\r\nFigure 20\r\nThe encrypted data will be embedded in the final decryptor.\r\nThe malware determines the location of the resource with ID = 100 using FindResourceW (0xA = RT_RCDATA):\r\nFigure 21\r\nThe resource is loaded into memory via a function call to LoadResource:\r\nFigure 22\r\nThe builder has embedded 4 resources in the “.rsrc” section. We’ll give the details about the other resources in the following paragraphs:\r\nFigure 23\r\nThe binary uses the undocumented RtlImageNtHeader function to retrieve the NT header of the resource:\r\nFigure 24\r\nThe section name called “.xyz” is replaced with “.data” by the process:\r\nFigure 25\r\nThe CheckSumMappedFile method is used to compute the checksum of the extracted resource. The value will populate the PE checksum field in the header:\r\nFigure 26\r\nThe builder creates the decryptor file called “LB3Decryptor.exe” using CreateFileW:\r\nFigure 27\r\nThe process writes the modified resource to the decryptor executable via a call to WriteFile:\r\nFigure 28\r\nRunning with the -type enc -exe (-pass) -pubkey pub.key -config config.json -ofile LB3.exe parameters\r\nWe only highlight the differences between this case and the first one. The builder extracts the resource with ID = 101, and the encryptor will contain the RSA public key and the ransom note content. If it’s running with the “-pass” parameter, the ransomware avoids sandboxes and increases the difficulty of the dynamic analysis.\r\nSentinelOne also analyzed the LockBit 3.0 ransomware and mentioned the “-pass” parameter.\r\nRunning with the -type enc -dll (-pass) -pubkey pub.key -config config.json -ofile LB3_Rundll32.dll parameters\r\nThe builder extracts the resource with ID = 103, and the encryptor will be a DLL file with multiple export functions (see figure 29).\r\nFigure 29\r\nRunning with the -type enc -ref -pubkey pub.key -config config.json -ofile LB3_ReflectiveDll_DllMain.dll parameters\r\nThe builder extracts the resource with ID = 106, and the encryptor will be a DLL file with a single export function. The execution flows of the two different DLLs are similar, as highlighted in the figure below.\r\nFigure 30\r\nAccording to our preliminary analysis of the LockBit 3.0 encryptor, the builder is legit and, unfortunately, can represent a gold mine for cybercriminals. Please do not use the builder for malicious purposes because you’ll be prosecuted according to the law.\r\nSource: https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/"
	],
	"report_names": [
		"a-technical-analysis-of-the-leaked-lockbit-3-0-builder"
	],
	"threat_actors": [],
	"ts_created_at": 1775434297,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad058e929796c713771e61b174b1551196c915de.pdf",
		"text": "https://archive.orkl.eu/ad058e929796c713771e61b174b1551196c915de.txt",
		"img": "https://archive.orkl.eu/ad058e929796c713771e61b174b1551196c915de.jpg"
	}
}