{
	"id": "79a9b92d-b633-4c1e-a4ec-39f06955b9ff",
	"created_at": "2026-04-06T00:06:12.607225Z",
	"updated_at": "2026-04-10T03:20:21.55118Z",
	"deleted_at": null,
	"sha1_hash": "af87eead788e5f28e7f9c14189bcf1e32f7ea177",
	"title": "THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3523018,
	"plain_text": "THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The\r\nStealBit Exfiltration Tool\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-05 22:35:23 UTC\r\nThe Cybereason Global Security Operations Center (GSOC) issues Cybereason Threat Analysis reports to inform\r\non impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations\r\nfor protecting against them. \r\nIn this Threat Analysis report, the GSOC investigates the StealBit malware, a data exfiltration tool that the\r\nLockBit threat group develops and maintains. The LockBit group provides StealBit to affiliates as part of the\r\ngroup’s ransomware affiliate program. Ransomware operators use StealBit to exfiltrate data from compromised\r\nsystems for double extortion purposes. \r\nThis report provides an in-depth insight into the functionalities and architecture of StealBit as well as the\r\nevolution of relevant configuration and implementation aspects of StealBit across different samples. The detailed\r\ninsight into how StealBit works and evolves is important for the timely detection of ransomware attack operations\r\nthat involve StealBit at the point when malicious actors exfiltrate data before deploying ransomware.\r\nStealBit Malware Key Points\r\nFeature updates and widened target base: A comparative analysis between relatively older and newer StealBit\r\nsamples shows that StealBit has been undergoing improvement with new features, especially evasion and hiding\r\nfeatures. In addition, although older samples do not execute on systems located in the former Soviet countries\r\nRussia, Ukraine, Belarus, Tajikistan, Armenia, Azerbaijan, Georgia, Kazakhstan, Kyrgyzstan, Turkmenistan,\r\nUzbekistan, and Moldova, newer StealBit samples do not implement this restriction and execute on any system. 
\r\nDeveloped for maximum data exfiltration efficiency: StealBit implements the Microsoft input/output (I/O)\r\ncompletion port threading model to maximize the overall efficiency of data exfiltration activities. For example,\r\nStealBit parallelizes the exfiltration of the content of multiple files to shorten the overall exfiltration timespan.\r\nThis is important to ransomware operators, since fast data exfiltration reduces the chances of being discovered in\r\nthe process.\r\nDeveloped for maximum usage convenience and scalability: StealBit implements interprocess communication\r\n(IPC) between multiple StealBit processes that run on a single compromised system to designate many files for\r\nexfiltration in a scalable manner. In addition, StealBit supports dragging and dropping of files or folders for\r\nexfiltration to StealBit windows in scenarios where the StealBit operators have access to the graphical user\r\ninterface of compromised systems. This feature enables StealBit operators to designate many files for exfiltration\r\nin a convenient and scalable manner.\r\nhttps://www.cybereason.com/blog/research/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool\r\nPage 1 of 25\n\nSomewhat incomplete implementation: The implementation of some StealBit features that we analyzed is not\r\ncomplete. This includes features that the LockBit threat group advertises as advantageous to alternative\r\nexfiltration tools on the underground market, such as compression of exfiltrated data and a hidden mode of\r\noperation. 
For example, a recent StealBit sample that we analyzed does not compress exfiltrated data and does not\r\nproperly hide the windows that StealBit creates, making the malware visible in the graphical user interface of the\r\ncompromised system.\r\nStealBit Malware Detected and prevented: The Cybereason XDR Platform effectively detects and prevents\r\nStealBit when the malware exfiltrates data, and also detects and prevents the execution of the related LockBit\r\nransomware, which LockBit affiliates may execute after they use StealBit to exfiltrate data for double extortion. \r\nCybereason Managed Detection and Response (MDR): The Cybereason GSOC has zero tolerance towards\r\nattacks that involve ransomware and data exfiltration tools, such as StealBit, and categorizes such attacks as\r\ncritical, high-severity incidents. The Cybereason GSOC MDR Team issues a comprehensive report to customers\r\nwhen such an incident occurs. The report provides an in-depth overview of the incident, which helps to scope the\r\nextent of compromise and the impact on the customer’s environment. In addition, the report provides attribution\r\ninformation when possible as well as recommendations for mitigating and isolating the threat.\r\nStealBit Malware Introduction\r\nThe traditional ransomware extortion tactic, where malicious actors demand payment for decrypting data that the\r\nactors have encrypted using ransomware, does not always work as intended. Victims may not pay ransom for\r\nseveral reasons, such as lack of financial resources, concerns that ransomware operators may not decrypt the data,\r\nor the availability of backups of the encrypted data. \r\nTherefore, many modern ransomware operators use a double extortion tactic: ransomware operators exfiltrate data\r\nfrom compromised systems before encrypting the data, and if the victim refuses to pay ransom for data\r\ndecryption, the malicious actors threaten to leak the exfiltrated data online or sell the data for profit. 
\r\nThe proliferation of double extortion on the ransomware scene marks a major turning point in the evolution of the\r\nransomware threat, with many ransomware actors adopting the tactic. For example, in June 2021,\r\nTrend Micro reported that it had observed 35 ransomware families that use double extortion, with the number still\r\ngrowing. \r\nSince the double extortion tactic relies on exfiltrated data, data exfiltration tools are crucial to ransomware\r\noperators that use this tactic. Ransomware operators use publicly available tools for data exfiltration, such as\r\nRclone, as well as custom data exfiltration tools that are intended specifically for use in ransomware operations.\r\nSome custom data exfiltration tools are Ryuk Stealer, the recently discovered Exmatter, and StealBit. \r\nThe StealBit malware is a data (file content) exfiltration tool that the LockBit threat group develops and\r\nmaintains. StealBit exfiltrates file content to remote attacker-controlled endpoints for double extortion purposes.\r\nIn addition to StealBit, the LockBit threat group develops and maintains the LockBit ransomware, which has a\r\nstrong presence on the ransomware threat scene. \r\nAs of June 2021, the LockBit group runs a ransomware affiliate program, LockBit 2.0, which provides access to\r\nthe LockBit ransomware and the StealBit data exfiltration tool to affiliates. As part of affiliate recruitment efforts,\r\nthe LockBit group advertises the features of the LockBit ransomware and StealBit by comparing the ransomware\r\nand StealBit to alternative solutions. The LockBit group claims that StealBit is superior, especially in terms of data\r\nexfiltration speed:\r\nThe LockBit group advertises StealBit (source: KELA, Twitter)\r\nThis report discusses the implementation of StealBit and its internal working principles. 
In addition, this report\r\nprovides an overview of the evolution of relevant configuration and implementation aspects of StealBit across\r\ndifferent StealBit samples. Previous research documents some aspects of the implementation of StealBit, with a\r\nfocus on automating the de-obfuscation of relevant StealBit configuration: the IP addresses of the attacker-controlled endpoints to which StealBit exfiltrates file content. \r\nThis report provides an in-depth and comprehensive insight into the functionalities, architecture, and evolution of\r\nStealBit. The detailed insight into how StealBit works and evolves is important to build proper detection and\r\nprotection strategies against the malware. This, in turn, is crucial for the timely detection of ransomware\r\noperations that involve StealBit at the point when malicious actors exfiltrate data before deploying ransomware.\r\nStealBit Malware Analysis\r\nThe Deep Dive Analysis section discusses the implementation of StealBit and its internal working principles. In\r\nthis section, we focus on a recent StealBit sample with a Secure Hash Algorithm (SHA)-256 hash of\r\n6c9a92955402c76ab380aa6927ad96515982a47c05d54f21d67603814d29e4a5. The Comparative Analysis section\r\ncompares different StealBit samples to provide an overview of the evolution of relevant configuration and\r\nimplementation aspects of StealBit across the samples.\r\nStealBit Malware Deep Dive Analysis \r\nStealBit first checks whether the StealBit process runs in the context of a debugger by evaluating the value of the\r\nNtGlobalFlag field of the Process Environment Block (PEB). 
If the value of NtGlobalFlag is 0x70 (the combination of the heap flags FLG_HEAP_ENABLE_TAIL_CHECK,\r\nFLG_HEAP_ENABLE_FREE_CHECK, and FLG_HEAP_VALIDATE_PARAMETERS, which Windows sets when a process is created\r\nunder a debugger), StealBit executes an empty infinite loop. Because the flags are set at process creation, the check\r\ndoes not notice a debugger that attaches later, and an analyst can also clear the field before it is read:\r\nStealBit detects the presence of a debugger\r\nStealBit then de-obfuscates the filenames of the dynamic-link libraries (DLLs) advapi32, gdi32, gdiplus, shell32,\r\nntdll, ole32, user32, shlwapi, kernel32, and ws2_32 and loads the libraries by executing the LoadLibraryExA\r\nfunction. StealBit stores the XOR obfuscated filenames of these DLLs in the malware’s executable file:\r\nStealBit loads DLLs\r\nStealBit then decrypts RC4-encrypted strings that the malware stores in the malware’s executable file. StealBit\r\nuses these strings for different purposes throughout the malware’s operation. For example, one string specifies a\r\nWindows command that StealBit executes, another string specifies the path to a named pipe file that StealBit\r\ncreates, and StealBit displays some of the strings to the malware operator. We discuss these aspects of the StealBit\r\noperation in greater detail later in this section:\r\nStealBit decrypts RC4-encrypted strings\r\nStealBit then configures the process to not display certain Windows error messages by invoking the\r\nNtSetInformationProcess function and parses the command line parameters that the StealBit operator may have\r\nspecified. The table below lists the command line parameters that StealBit supports. 
We discuss the exact impact\r\nof these command line parameters on the execution of StealBit in greater detail later in this section.\r\nThe command line parameters that StealBit supports, each given as parameter, description, and default:\r\n\u003cpath to file or folder\u003e (required; no default)\r\nThe filesystem path to the file or folder whose content StealBit is to exfiltrate. Setting this parameter configures\r\nStealBit to read and exfiltrate the content of the file, or the content of the files placed in the folder.\r\n-hide/-h yes/y | no/n (optional; default no/n, StealBit displays its windows)\r\nControls the visibility of the graphical user interface of StealBit: yes/y hides and no/n displays the windows\r\nthat StealBit creates.\r\n-delete/-d yes/y | no/n (optional; default no/n, StealBit does not self-delete)\r\nyes/y configures StealBit to self-delete, that is, to delete the executable file that implements StealBit from the\r\nfilesystem of the compromised system when StealBit has finished executing; no/n leaves the file in place.\r\n-net/-n \u003ctransfer rate\u003e and -once/-o \u003ctransfer rate\u003e (optional; default unlim, no exfiltration rate limit)\r\nConfigures StealBit to exfiltrate file content at the specified rate, where the rate is an amount of exfiltrated file\r\ncontent in KBs, MBs, or GBs over 15 seconds.\r\n-skipfiles yes/y | no/n (optional; default yes/y, StealBit does not consider filename extensions as a criterion\r\nfor file content exfiltration)\r\nno/n configures StealBit not to exfiltrate the content of files whose filename extension is on a built-in list of\r\nextensions.\r\n-skipfolders yes/y | no/n (optional; default yes/y, StealBit does not consider folders as a criterion for file\r\ncontent exfiltration)\r\nno/n configures StealBit not to exfiltrate the content of files placed in folders that are on a built-in list of folders.\r\n-file/-f \u003cfile size\u003e (optional; default unlim, no maximum file size)\r\nConfigures StealBit to exfiltrate the content of only those files whose size is equal to or less than the specified\r\nsize in KBs, MBs, or GBs.\r\nExamples:\r\nstealbit.exe C:\\Users\\user\\Desktop\\file.db -hide y -skipfiles n\r\nstealbit.exe C:\\Users\\user\\Desktop\\ -net 5MB -delete y -h y -skipfolders n -file 2GB\r\nAfter parsing command line parameters, StealBit creates or opens the named pipe file \\??\\pipe\\STEALBIT-MASTER-PIPE. The path to the named pipe file is one of the strings that StealBit has previously decrypted using\r\nthe RC4 algorithm. \r\nIf the current StealBit instance is the first one that the malware’s operator has executed on the compromised\r\nsystem, StealBit creates the named pipe file STEALBIT-MASTER-PIPE by invoking the NtCreateNamedPipeFile\r\nfunction and assumes the role of a named pipe server. \r\nWe refer to this StealBit instance as a StealBit named pipe server. If not, StealBit opens the named pipe file\r\nSTEALBIT-MASTER-PIPE by invoking the NtCreateFile function and assumes the role of a named pipe client. We\r\nrefer to this StealBit instance as a StealBit named pipe client. Because every instance on a host uses this one pipe\r\nname, the creation of or connection to a named pipe called STEALBIT-MASTER-PIPE is a simple host-based indicator. 
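The parameter table above, as an added example that is not code from the report or from StealBit: a parser for the documented command line that applies the documented defaults, converts the -net/-n, -once/-o and -file/-f values from KB, MB or GB to bytes, and turns a rate limit into the average bytes-per-second figure a network detection threshold would be tuned against. Since the table defines a rate as an amount per 15 seconds, the block also contains a small model of a reader that honours such a window, so the effect of, for instance, -net 5MB on a 20 MB transfer can be seen. The throttle model, the binary unit sizes, case-insensitive option matching and the acceptance of unlim as an explicit value are assumptions of the example.

```python
# Added example: parser for the StealBit command line as documented above, plus a
# model of an 'amount per 15 seconds' read throttle. Not code from the report or
# from StealBit; unit handling and the throttle model are this example's assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

RATE_WINDOW_SECONDS = 15                      # a rate is an amount per 15 seconds
UNITS = {'KB': 1024, 'MB': 1024 ** 2, 'GB': 1024 ** 3}   # binary units (assumption)
# yes/no parameters: option -> config field
FLAGS = {'-hide': 'hide', '-h': 'hide', '-delete': 'delete', '-d': 'delete',
         '-skipfiles': 'skipfiles', '-skipfolders': 'skipfolders'}
# size-valued parameters: option -> config field (None in the config means unlim)
SIZES = {'-net': 'net', '-n': 'net', '-once': 'once', '-o': 'once',
         '-file': 'file', '-f': 'file'}


@dataclass
class StealBitConfig:
    path: str                     # required positional: file or folder to exfiltrate
    hide: bool = False            # default no/n: windows are displayed
    delete: bool = False          # default no/n: no self-delete
    skipfiles: bool = True        # default yes/y: extensions are not a criterion
    skipfolders: bool = True      # default yes/y: folders are not a criterion
    net: Optional[int] = None     # bytes per 15 s, None = unlim
    once: Optional[int] = None    # bytes per 15 s, None = unlim
    file: Optional[int] = None    # maximum file size in bytes, None = unlim

    def bytes_per_second(self) -> Optional[float]:
        # Average upload rate that a -net/-once limit amounts to (None = unlimited).
        limit = self.net if self.net is not None else self.once
        return None if limit is None else limit / RATE_WINDOW_SECONDS


def parse_size(text: str) -> int:
    # '5MB' -> 5242880; KB, MB and GB accepted case-insensitively.
    t = text.strip().upper()
    if len(t) < 3 or t[-2:] not in UNITS or not t[:-2].isdigit():
        raise ValueError('unsupported size value: ' + text)
    return int(t[:-2]) * UNITS[t[-2:]]


def parse_yes_no(text: str) -> bool:
    t = text.strip().lower()
    if t in ('yes', 'y'):
        return True
    if t in ('no', 'n'):
        return False
    raise ValueError('expected yes/y or no/n, got ' + text)


def parse_command_line(argv: List[str]) -> StealBitConfig:
    # argv excludes the program name; the first token must be the path.
    if not argv or argv[0].startswith('-'):
        raise ValueError('<path to file or folder> is required')
    cfg = StealBitConfig(path=argv[0])
    i = 1
    while i < len(argv):
        if i + 1 >= len(argv):
            raise ValueError('missing value for ' + argv[i])
        opt, val = argv[i].lower(), argv[i + 1]
        if opt in FLAGS:
            setattr(cfg, FLAGS[opt], parse_yes_no(val))
        elif opt in SIZES:
            setattr(cfg, SIZES[opt], None if val.lower() == 'unlim' else parse_size(val))
        else:
            raise ValueError('unknown parameter ' + argv[i])
        i += 2
    return cfg


def schedule_reads(total: int, block: int, limit: Optional[int]) -> List[Tuple[float, int]]:
    # Model of a reader that honours 'limit bytes per 15 s': a read is delayed until
    # the bytes read in the trailing window plus the new block fit under the limit.
    # Returns (time in seconds, bytes read) per read. Example model, not StealBit code.
    events: List[Tuple[float, int]] = []
    now, remaining = 0.0, total
    while remaining > 0:
        size = min(block, remaining) if limit is None else min(block, remaining, limit)
        if limit is not None:
            window = [e for e in events if e[0] > now - RATE_WINDOW_SECONDS]
            while sum(b for _, b in window) + size > limit:
                now = window[0][0] + RATE_WINDOW_SECONDS   # oldest read leaves the window
                window = [e for e in events if e[0] > now - RATE_WINDOW_SECONDS]
        events.append((now, size))
        remaining -= size
    return events


def max_window_bytes(events: List[Tuple[float, int]]) -> int:
    # Largest amount read in any trailing window (t - 15 s, t]; use it to check a schedule.
    return max(sum(b for t, b in events if t0 - RATE_WINDOW_SECONDS < t <= t0)
               for t0, _ in events)


if __name__ == '__main__':
    cfg = parse_command_line(['C:\\Users\\user\\Desktop\\', '-net', '5MB', '-delete', 'y',
                              '-h', 'y', '-skipfolders', 'n', '-file', '2GB'])
    print(cfg, 'average B/s:', cfg.bytes_per_second())
    reads = schedule_reads(20 * 1024 ** 2, 1024 ** 2, cfg.net)
    print('reads:', len(reads), 'last read at', reads[-1][0], 's',
          'max per window:', max_window_bytes(reads))
```

With -net 5MB the average rate works out to roughly 341 KiB per second and a 20 MiB transfer takes at least 45 seconds under the model; a detector that aggregates bytes sent per host over intervals shorter than 15 seconds will see bursts up to the full window amount, so the window length matters when choosing an aggregation interval.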
\r\nIn summary, StealBit implements named pipe-based IPC between multiple StealBit processes that run on a single\r\ncompromised system. We show later in this section that this enables StealBit operators to designate many files for\r\nexfiltration in a scalable manner by executing StealBit named pipe clients with the \u003cpath to file or folder\u003e\r\ncommand line parameter set to the paths to the files. This makes the overall process for exfiltrating the content of\r\nmultiple files convenient and efficient for StealBit operators:\r\nStealBit creates or opens the named pipe file STEALBIT-MASTER-PIPE\r\nAt this point in the execution flow of StealBit, the execution of a StealBit instance that assumes the role of a\r\nnamed pipe server diverges from the execution of a StealBit instance that assumes the role of a named pipe client.\r\nThe StealBit Named Pipe Server section discusses the former and the StealBit Named Pipe Client section\r\ndiscusses the latter.\r\nStealBit Named Pipe Server\r\nAfter creating the named pipe file STEALBIT-MASTER-PIPE, the StealBit named pipe server creates and starts\r\ntwo threads: one that creates two windows, and one that shows a message about exfiltration progress. \r\nThe first thread creates two windows by invoking the CreateWindowExW function. The first window is a top-level, parent window, with a title of StealBit 1.1. The second window is a child window of the top-level window\r\nand is therefore confined to the area of the parent window. The child window can display formatted text, and this\r\nwindow displays the output of StealBit to the malware operator. \r\nWe emphasize that setting the -hide/-h command line parameter to yes/y hides only the child window, while the\r\nparent window is still visible. 
This indicates that the implementation of the window hiding feature of StealBit—\r\nthat is, of the -hide/-h command line parameter—is not complete, because it does not make StealBit invisible in\r\nthe Windows graphical user interface by hiding all windows that StealBit creates. This contradicts the claim of the\r\nLockBit group that StealBit hides its presence on compromised systems:\r\nLockBit claims that StealBit hides its presence on compromised systems (source: KELA, Twitter)\r\nStealBit displays windows when the malware operator sets the command line parameter -hide/-h to no/n (upper\r\nimage) and yes/y (lower image)\r\nThe parent StealBit window supports dragging and dropping files or folders and the F2 and Shift+F2 hotkeys.\r\nPressing the F2 key closes the parent and child window without terminating execution, which effectively makes\r\nStealBit invisible in the Windows graphical user interface. \r\nPressing the key combination Shift+F2 has no effect. Dragging and dropping a file or folder into the parent\r\nStealBit window is equivalent to specifying the \u003cpath to file or folder\u003e command line parameter. The drag and\r\ndrop activity causes StealBit to read and exfiltrate the content of the dropped file, or the content of the files placed\r\nin the dropped folder, in a way that we discuss later in this section. \r\nThe drag and drop feature enables malicious actors to conveniently provide many file or folder paths to StealBit\r\nfor file content exfiltration in scenarios where the StealBit operators have access to the graphical user interface of\r\ncompromised systems, such as through a Remote Desktop Protocol (RDP) session. 
This makes the overall\r\nprocess for exfiltrating the content of many files practically convenient and scalable for StealBit operators.\r\nThe second thread is active during the overall operation of StealBit and displays a message in the StealBit window\r\nthat informs the operator about the progress of file content exfiltration when exfiltration takes place. In the form of\r\na format string, the message is: Stats: %I64d files (size %S), read speed %S/sec (compression ratio %I64d%%),\r\nupload %S/sec. This format string is one of the strings that StealBit has previously decrypted using the RC4\r\nalgorithm.\r\nAfter creating and starting the two threads, StealBit displays the values of the configuration settings that StealBit\r\noperators can configure by setting the values of the StealBit command line parameters. In addition, StealBit\r\ndisplays the computer name of the compromised system and the name of the domain to which the system belongs\r\n(if any; see the figure above). \r\nStealBit then initializes the Windows Socket networking library, which StealBit uses for communication with the\r\nattacker-controlled endpoints to which StealBit may exfiltrate file content. StealBit de-obfuscates five IP addresses\r\nof these endpoints, which the malware stores in XOR obfuscated form in the StealBit executable file. 
StealBit also\r\nstores a string that uniquely identifies the set of the endpoint IP addresses across StealBit samples, such as DI0AN.\r\nWe refer to this string as the StealBit configuration ID:\r\nStealBit de-obfuscates IP addresses of attacker-controlled endpoints to which StealBit may exfiltrate file content\r\nStealBit Malware Threading: I/O Completion Port\r\nAfter initializing the Windows Socket library, StealBit establishes its core functionality: the Microsoft I/O\r\ncompletion port threading model for processing multiple asynchronous I/O requests in parallel. StealBit\r\nimplements the I/O completion port threading model to maximize the overall efficiency of file content exfiltration\r\nactivities on compromised systems. For example, as we show later in this section, StealBit parallelizes the\r\nexfiltration of the content of multiple files to shorten the overall exfiltration timespan. This is important to\r\nransomware operators, since fast data exfiltration reduces the chances of being discovered in the process.\r\nThe I/O completion port threading model works by creating an I/O completion port and associating one or more\r\nfile handles with that port. When an asynchronous I/O operation on one of these file handles completes, the\r\nWindows operating system queues to the port an I/O completion packet:\r\nI/O completion packets carry information about the I/O operation. The application can then process I/O\r\ncompletion packets by removing them from the queue in a first-in-first-out (FIFO) order. In addition to a file\r\nhandle, an application may associate a handle-specific I/O completion key with an I/O completion port. I/O\r\ncompletion keys can carry arbitrary data, which is typically data related to the handle. 
The figure below depicts\r\nthe I/O completion port threading model that StealBit implements:\r\nStealBit implements the I/O completion port threading model\r\nStealBit creates an I/O completion port by invoking the ZwCreateIoCompletion function. StealBit also creates\r\nthreads for processing I/O completion packets that Windows queues to the port, which we refer to as StealBit\r\nworker threads. StealBit creates as many worker threads as processors are available on the compromised system.\r\nStealBit then associates three file handles (and I/O completion keys) with the I/O completion port by invoking the\r\nZwSetInformationFile function: \r\nA handle to the socket to an attacker-controlled endpoint to which StealBit exfiltrates file content:\r\nThis assigns available worker threads to handle the communication with the attacker-controlled\r\nendpoint. StealBit attempts to connect to each of the five IP addresses that the malware has de-obfuscated. If StealBit cannot establish a connection to any of these IP addresses, the malware\r\nindefinitely attempts to establish a connection, so an instance on a host whose outbound traffic to these\r\nendpoints is blocked produces a continuous stream of connection attempts that is itself observable. If the\r\nconnection to one of these IP addresses succeeds, StealBit opens a socket to the attacker-controlled endpoint\r\nand associates the socket handle and an I/O completion key with the I/O completion port. In addition, StealBit\r\nobtains the address of the TransmitPackets function at runtime by invoking the WSAIoctl function. This keeps\r\nTransmitPackets out of the import table of the executable, which makes static analysis harder, although\r\nWSAIoctl is also the documented way to obtain this Winsock extension function. The TransmitPackets\r\nfunction is crucial to StealBit, since the malware uses this function to exfiltrate file content. 
WSAIoctl returns the address of TransmitPackets if an application\r\ninvokes it with the SIO_GET_EXTENSION_FUNCTION_POINTER control code and the globally unique identifier\r\n(GUID) of the TransmitPackets function, WSAID_TRANSMITPACKETS {D9689DA0-1F90-11D3-9971-00C04F68C876},\r\nas the input parameter:\r\nStealBit obtains an address to the TransmitPackets function at runtime\r\nA handle to the named pipe STEALBIT-MASTER-PIPE: This assigns available worker threads to\r\nhandle the communication with StealBit named pipe clients. The section StealBit Named Pipe\r\nClient discusses the activities that the worker threads conduct when StealBit named pipe clients\r\nsend data to the StealBit named pipe server. \r\nA handle to a file whose content StealBit is to exfiltrate: This assigns available worker threads to\r\nhandle file content exfiltration upon successful file read operations on the file. This parallelizes file\r\ncontent exfiltration and shortens the overall timespan of file content exfiltration activities. Note that it is\r\nthe StealBit named pipe server, and not the StealBit named pipe client, that both reads file content and\r\nexfiltrates it. \r\nStealBit Malware File Content Exfiltration\r\nThe StealBit named pipe server reads and exfiltrates the content of the file or the folder, whose file system path is\r\neither provided by a StealBit named pipe client or specified as the value of the \u003cpath to file or folder\u003e command\r\nline parameter by the StealBit operator. Section StealBit Named Pipe Client discusses the communication between\r\nthe StealBit named pipe server and client in more detail. \r\nIf the StealBit operator has specified a file path as the value of the \u003cpath to file or folder\u003e command line\r\nparameter, the StealBit named pipe server first evaluates whether the path leads to a file or a folder. 
If the path\r\nleads to a file, StealBit reads the content of the file only if the file meets one or more of these requirements:\r\nThe length of the name of the file is less than, or equal to, four characters.\r\nThe filename extension of the file is not present in a list of filename extensions, which StealBit\r\nstores in hashed format in the malware’s executable file. StealBit enforces this criterion only if the\r\nStealBit operator has set the -skipfiles command line parameter to no/n.\r\nIn addition, the size of the file has to be less than or equal to 0.53 GB. The command line parameter -file/-f does\r\nnot have an impact on the execution of the StealBit sample that we analyzed. This indicates that the\r\nimplementation of the -file/-f command line parameter is not complete.\r\nIf the path leads to a folder, StealBit iterates the folder recursively to enumerate files placed in the folder and sub-folders. If the StealBit operator has set the -skipfolders command line parameter to no/n, StealBit enumerates files\r\nonly from those folders that are not present in a list of folders, which StealBit stores in hashed format in the\r\nmalware’s executable file. After enumerating the files in a folder, StealBit reads the content of each file, except the\r\ncontent of system files (FILE_ATTRIBUTE_SYSTEM), if the above conditions are fulfilled. \r\nBefore reading content from a file, StealBit opens the file and then associates the handle to the file and an I/O\r\ncompletion key with the I/O completion port that StealBit has created. StealBit invokes the ZwReadFile function\r\nto read the content of the file in equal-sized blocks. 
StealBit calculates the block size as a function of the total file\r\nsize—the bigger the file, the bigger the block size.\r\nEach successful file content read operation issues an I/O completion packet to the I/O completion port. The\r\navailable worker threads process this packet and exfiltrate the file content to an attacker-controlled endpoint using\r\nthe TransmitPackets function, whose address StealBit has previously obtained. \r\nTo evade exfiltration detection mechanisms that monitor the amount of sent data to remote endpoints over time,\r\nStealBit operators can configure StealBit to exfiltrate file content at a given rate (amount of exfiltrated file content\r\nover 15 seconds) by configuring the -net/-n or -once/-o command line parameters. These parameters control the\r\nfile content exfiltration rate by controlling the rate at which StealBit reads file content.\r\nAs we mentioned earlier, the file read activity issues I/O completion packets to the StealBit I/O completion port\r\nand instructs available worker threads to exfiltrate the read content. StealBit controls the file content reading rate\r\nby delaying invocations of the ZwReadFile function for continuously adjusted time periods, such that the total\r\namount of read file content over 15 seconds does not exceed the exfiltration rate that the StealBit operator has\r\nspecified. \r\nEvery time StealBit reads file content using the ZwReadFile function, available StealBit worker threads exfiltrate\r\nthe read file content by issuing the Hypertext Transfer Protocol 1.1 (HTTP 1.1) PUT request to an attacker-controlled endpoint. StealBit stores exfiltrated file content on the attacker-controlled endpoint as a resource that\r\nhas a random name, which StealBit generates for each file whose content the malware exfiltrates (for example,\r\n03E76A538… in the figure below). 
The data that StealBit sends to the attacker-controlled endpoint includes:\r\nA Distributed Authoring and Versioning 2 (DAV2) header (DAV2... in the figure below)\r\nThe StealBit configuration ID (for example, DI0AN in the figure below)\r\nThe computer name of the compromised system and the name of the domain (if any) to which the\r\nsystem belongs (for example, NODOMAIN and DESKTOP-PUK8BTP in the figure below)\r\nThe absolute path to the file whose content StealBit exfiltrates (for example,\r\nC:\\Users\\\u003cuser\u003e\\Desktop\\SB_6c9a\\testfile.txt in the figure below)\r\nThe file content that StealBit exfiltrates (for example, Hello. This is a test file. in the figure below). \r\nThe file content is not compressed. This contradicts the claim of the LockBit threat group that StealBit compresses\r\nexfiltrated file content. Because the request is plain HTTP and the content is uncompressed, a network sensor with\r\nvisibility into the egress path can match on the DAV2 marker, the configuration ID, or the cleartext file paths:\r\nLockBit claims that StealBit compresses exfiltrated file content (source: KELA, Twitter)\r\nStealBit exfiltrates uncompressed file content\r\nThe StealBit sample that we analyzed does not run indefinitely to keep the StealBit worker threads that handle I/O\r\ncompletion packets active, as a typical server would. On the contrary, after creating worker threads\r\nand establishing the I/O completion port threading model, StealBit processes the \u003cpath to file or folder\u003e\r\ncommand line parameter and exfiltrates file content if the StealBit operator has specified a valid parameter value. \r\nStealBit then waits until the worker threads have processed all I/O completion packets, and then closes the named\r\npipe file STEALBIT-MASTER-PIPE. 
Next, depending on the value of the -delete/-d command line parameter,\r\nStealBit empties the content of its executable file and deletes the file. StealBit conducts these activities by\r\ninvoking the ShellExecuteExW function to execute these commands, where \u003cfile size\u003e is the size of the StealBit\r\nexecutable file in bytes and \u003cfile path\u003e is the path to the StealBit executable file: \r\nping 127.0.0.7 -n 7 \u003e Nul\r\nfsutil file setZeroData offset=0 length=\u003cfile size\u003e \u003cfile path\u003e\r\ndel /f /q \u003cfile path\u003e\r\nThe ping command serves as a delay: its seven echo requests to a loopback address take several seconds, which gives\r\nthe StealBit process time to exit and release its executable file before fsutil overwrites the file with zeros and del\r\nremoves it. Overwriting before deletion also reduces the chance of recovering the executable from disk afterwards.\r\nThe sequence of a ping to a loopback address, fsutil file setZeroData, and del on the same executable path is\r\ndistinctive in process creation telemetry and is a useful detection in its own right.\r\nFinally, StealBit terminates its execution:\r\nStealBit deletes its executable file\r\nStealBit Malware Named Pipe Client\r\nAfter opening the named pipe file STEALBIT-MASTER-PIPE, the StealBit named pipe client delegates file content\r\nreading and exfiltration to the StealBit named pipe server. To do this, the StealBit named pipe client communicates\r\nwith the StealBit named pipe server by following a communication protocol. \r\nThe figure below depicts this protocol. When a StealBit named pipe client sends data to a StealBit named pipe\r\nserver, this action issues an I/O completion packet to the I/O completion port that the StealBit named pipe server\r\ncreates (see section StealBit Named Pipe Server). The worker threads of the StealBit named pipe server then\r\nprocess this packet. 
The StealBit named pipe server uses the worker threads that handle the communication with\r\nStealBit named pipe clients to conduct the server's activities that are depicted in the figure below:\r\nThe StealBit named pipe client communicates with the StealBit named pipe server\r\nAfter opening STEALBIT-MASTER-PIPE and therefore connecting to the StealBit named pipe server, the StealBit\r\nnamed pipe client sends the four bytes 00 00 00 00 to the server to announce the client's presence. The StealBit\r\nnamed pipe server keeps track of the state of the connection. When the StealBit named pipe client announces\r\nitself, the server acknowledges the client's presence by updating the state of the connection to indicate successful\r\nclient connection.\r\nThe StealBit named pipe client then processes the value of the \u003cpath to file or folder\u003e command line parameter in\r\nthe same manner as the StealBit named pipe server (see section StealBit Named Pipe Server). However, in\r\ncontrast to the StealBit named pipe server, the StealBit named pipe client does not read and exfiltrate file content,\r\nbut delegates this task to the server as follows:\r\nThe client sends the four bytes 01 00 00 00 to the server to indicate that the client is about to send a\r\nfile path to the server. This file path is the path to the file whose content the server is to read and\r\nexfiltrate. The StealBit named pipe server acknowledges the communication by updating the state of\r\nthe connection to indicate the incoming file path.\r\nThe client sends four bytes to the server such that the bytes specify the length of the file path in a\r\nnull-terminated Unicode string format. 
For example, the client sends the bytes 3E 00 00 00 to the\r\nserver when the client is about to send the file path C:\\Users\\user\\Desktop\\file.txt to the server\r\n(0x3E in hexadecimal format is 62 in decimal format). The StealBit named pipe server updates the\r\nstate of the connection and allocates a virtual memory region of a size that is the same as the file\r\npath length that the client has sent. \r\nThe client sends the file path to the server. The StealBit named pipe server updates the state of the\r\nconnection, stores the file path in the previously allocated memory region, and then reads and\r\nexfiltrates the content of the file at the file path (see section StealBit Named Pipe Server). \r\nDelegating file content reading and exfiltration to the StealBit named pipe server enables malicious\r\nactors to designate many files for exfiltration in a scalable manner by executing StealBit named pipe\r\nclients with the \u003cpath to file or folder\u003e command line parameter set to the paths to the files.\r\nThe StealBit named pipe client then closes the connection to the server and, depending on the value of the\r\n-delete/-d command line parameter, deletes its executable file in the same manner as the StealBit named pipe\r\nserver. The StealBit named pipe client then terminates its execution. The command line parameters -hide/-h,\r\n-net/-n, and -once/-o do not have an impact on the execution of the StealBit named pipe client. \r\nStealBit Malware Comparative Analysis \r\nThe table below lists selected StealBit samples that represent StealBit samples that the security community has\r\nobserved at the time of writing of this report, in terms of the configuration and implementation aspects of StealBit\r\nthat are in the scope of this report. 
For referencing purposes, each sample has a codename with the prefix SB_ and\r\na suffix that is the first four hexadecimal digits of the sample’s SHA-256 hash:\r\nSB_3407\r\nSHA-256 Hash: 3407f26b3d69f1dfce76782fee1256274cf92f744c65aa1ff2d3eaaaf61b0b1d\r\nFirst submission to VirusTotal: 2021-08-06\r\nSB_107d\r\nSHA-256 Hash: 107d9fce05ff8296d0417a5a830d180cd46aa120ced8360df3ebfd15cb550636\r\nFirst submission to VirusTotal: 2021-09-09\r\nSB_6c9a\r\nSHA-256 Hash: 6c9a92955402c76ab380aa6927ad96515982a47c05d54f21d67603814d29e4a5\r\nFirst submission to VirusTotal: 2021-11-08\r\nSB_6b9a\r\nSHA-256 Hash: 6b9aa479a5f9c6bfee52046c1afa579977dfcde868fdad3f18fdcd1779535068\r\nFirst submission to VirusTotal: 2021-11-26\r\nRepresentative StealBit samples\r\nThe tables below compare the selected StealBit samples (column ‘Sample’) considering the following\r\nconfiguration and implementation aspects:\r\nIP addresses and geolocations of attacker-controlled endpoints to which StealBit exfiltrates data\r\n(columns ‘IP addresses’ and ‘Location’).\r\nThe debugger detection method that StealBit implements as an anti-analysis measure (column\r\n‘Debugger detection’).\r\nCommand line parameters and the respective malware features (column ‘Command line\r\nparameters’).\r\nA named pipe IPC infrastructure that makes exfiltrating the content of multiple files practically\r\nconvenient and efficient for StealBit operators (column ‘IPC’).\r\nThe I/O completion port threading model to maximize the overall efficiency of data exfiltration\r\nactivities (column ‘I/O completion’).\r\nConditions for execution and file content exfiltration (column ‘Execution conditions’):\r\nSample | IP addresses | Location\r\nSB_3407 | 88.80.147[.]102 | Bulgaria\r\nSB_3407 | 168.100.11[.]72 | The Netherlands\r\nSB_3407 | 139.60.160[.]200 | United States\r\nSB_3407 | 193.38.235[.]234 | Russia\r\nSB_3407 | 174.138.62[.]35 | United States\r\nSB_107d | 93.190.139[.]223 | The Netherlands\r\nSB_107d | 168.100.11[.]72 | The Netherlands\r\nSB_107d | 139.60.160[.]200 | United States\r\nSB_107d | 193.38.235[.]234 | Russia\r\nSB_107d | 174.138.62[.]35 | United States\r\nSB_6c9a | 185.182.193[.]120 | The Netherlands\r\nSB_6b9a | 185.182.193[.]120 | The Netherlands\r\nComparison of StealBit samples: Attacker-controlled endpoints\r\nSample | Debugger detection | Command line parameters | IPC | I/O completion | Execution conditions\r\nSB_3407 | NtGlobalFlag | \u003cpath to file or folder\u003e | Yes | Yes | Location\r\nSB_107d | NtGlobalFlag | \u003cpath to file or folder\u003e | Yes | Yes | Location\r\nSB_6c9a | NtGlobalFlag | \u003cpath to file or folder\u003e, -hide/-h, -delete/-d, -net/-n, -once/-o, -skipfiles, -skipfolders, -file/-f | Yes | Yes | None\r\nSB_6b9a | NtGlobalFlag | \u003cpath to file or folder\u003e, -hide/-h, -delete/-d, -net/-n, -once/-o, -skipfiles, -skipfolders, -file/-f | Yes | Yes | None\r\nComparison of StealBit samples\r\nThe majority of the attacker-controlled endpoints to which the StealBit samples that we analyzed exfiltrate data\r\nare located in western countries, with the Netherlands and the United States at the top of the list. All StealBit\r\nsamples implement named pipe-based IPC and the I/O completion port threading model for maximum exfiltration\r\nefficiency, usage convenience, and scalability. 
In addition, all StealBit samples detect the presence of a debugger\r\nattached to the StealBit process by evaluating the value of the NtGlobalFlag field of the PEB and execute an\r\nempty infinite loop if a debugger is present.\r\nOlder Versus Newer Versions of StealBit Malware\r\nA major difference between the StealBit samples that we analyzed is the command line parameters and the\r\nrespective malware features that the samples support. Relatively older StealBit samples do not support the\r\ncommand line parameters -hide/-h, -delete/-d, -net/-n, -once/-o, -skipfiles, -skipfolders, and -file/-f and the features\r\nthat these parameters configure, such as self-deletion and data exfiltration rate. \r\nThis indicates that StealBit has been undergoing improvement with new features, especially evasion and hiding\r\nfeatures. Another major difference is that relatively older samples do not execute on systems located in the former\r\nSoviet countries of Russia, Ukraine, Belarus, Tajikistan, Armenia, Azerbaijan, Georgia, Kazakhstan, Kyrgyzstan,\r\nTurkmenistan, Uzbekistan, and Moldova. StealBit determines the location of a compromised system based on the\r\nsystem’s default language. Relatively newer samples do not implement this restriction and execute on any system. \r\nDetection and Prevention of StealBit Malware\r\nCybereason XDR Platform\r\nThe Cybereason XDR Platform detects and stops StealBit when the malware exfiltrates data, using multi-layer\r\nprotection that employs threat intelligence, machine learning, and next-gen antivirus (NGAV) capabilities to detect\r\nand block malware. 
The Cybereason platform also detects malicious actors that execute the related LockBit\r\nransomware:\r\nThe Cybereason XDR Platform detects StealBit based on threat intelligence\r\nCybereason GSOC MDR\r\nCybereason GSOC recommends the following:\r\nEnable the Anti-Malware feature on the Cybereason NGAV, and enable the Detect and Prevent\r\nmodes of this feature.\r\nRegularly monitor outgoing network traffic for data exfiltration activities.\r\nThreat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom\r\nhunting queries for detecting specific threats - to find out more about threat hunting and Managed\r\nDetection and Response with the Cybereason Defense Platform, contact a Cybereason Defender\r\nhere.\r\nFor Cybereason customers: More details available on the NEST including custom threat\r\nhunting queries for detecting this threat.\r\nCybereason is dedicated to teaming with Defenders to end cyber attacks from endpoints to the enterprise to\r\neverywhere. 
Learn more about Cybereason XDR powered by Google Chronicle, check out our Extended Detection\r\nand Response (XDR) Toolkit, or schedule a demo today to learn how your organization can benefit from an\r\noperation-centric approach to security.\r\nIndicators of Compromise for StealBit Malware\r\nExecutables\r\nSHA-256 hash: 3407f26b3d69f1dfce76782fee1256274cf92f744c65aa1ff2d3eaaaf61b0b1d\r\nSHA-256 hash: 107d9fce05ff8296d0417a5a830d180cd46aa120ced8360df3ebfd15cb550636\r\nSHA-256 hash: 6c9a92955402c76ab380aa6927ad96515982a47c05d54f21d67603814d29e4a5\r\nSHA-256 hash: 6b9aa479a5f9c6bfee52046c1afa579977dfcde868fdad3f18fdcd1779535068\r\nNamed pipe files\r\nSTEALBIT-MASTER-PIPE\r\nIP addresses\r\n88.80.147[.]102\r\n168.100.11[.]72\r\n139.60.160[.]200\r\n193.38.235[.]234\r\n174.138.62[.]35\r\n93.190.139[.]223\r\n185.182.193[.]120\r\nMITRE ATT\u0026CK Techniques for StealBit Malware\r\nExecution: Native API; Inter-Process Communication\r\nPrivilege Escalation: Abuse Elevation Control Mechanism: Bypass User Account Control\r\nDefense Evasion: Indicator Removal on Host: File Deletion; Obfuscated Files or Information; Hide Artifacts: Hidden Window\r\nDiscovery: File and Directory Discovery; System Information Discovery; System Location Discovery\r\nExfiltration: Data Transfer Size Limits; Exfiltration Over C2 Channel\r\nAbout the Researchers:\r\nAleksandar Milenkoski, Senior Malware and Threat Analyst, Cybereason\r\nGlobal SOC\r\nAleksandar Milenkoski is a Senior Malware and Threat Analyst with the Cybereason Global SOC team. He is\r\ninvolved primarily in reverse engineering and threat research activities. 
Aleksandar has a PhD in system security.\r\nFor his research activities, he has been awarded by SPEC (Standard Performance Evaluation Corporation), the\r\nBavarian Foundation for Science, and the University of Würzburg, Germany. Prior to Cybereason, his work\r\nfocused on research in intrusion detection and reverse engineering security mechanisms of the Windows 10\r\noperating system.\r\nKotaro Ogino, Security Analyst, Cybereason Global SOC\r\nKotaro Ogino is a Security Analyst with the Cybereason Global SOC team. He is involved in threat hunting,\r\nadministration of Security Orchestration, Automation, and Response (SOAR) systems, and Extended Detection\r\nand Response (XDR). Kotaro has a bachelor of science degree in information and computer science.\r\nAbout the Author\r\nCybereason Global SOC Team\r\nThe Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on\r\nevery continent. Led by cybersecurity experts with experience working for government, the military and multiple\r\nindustry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive\r\nthreats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle\r\nmoves.\r\nSource: https://www.cybereason.com/blog/research/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cybereason.com/blog/research/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool"
	],
	"report_names": [
		"threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool"
	],
	"threat_actors": [],
	"ts_created_at": 1775433972,
	"ts_updated_at": 1775791221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af87eead788e5f28e7f9c14189bcf1e32f7ea177.pdf",
		"text": "https://archive.orkl.eu/af87eead788e5f28e7f9c14189bcf1e32f7ea177.txt",
		"img": "https://archive.orkl.eu/af87eead788e5f28e7f9c14189bcf1e32f7ea177.jpg"
	}
}