StealBit

StealBit is a data exfiltration tool that is developed and maintained by the operators of the LockBit Ransomware-as-a-Service (RaaS) and offered to affiliates to exfiltrate data from compromised systems for double extortion purposes.[1][2]

ID: S1200
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 29 January 2025
Last Modified: 29 January 2025

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

StealBit can use HTTP to exfiltrate files to actor-controlled infrastructure.[2][1]

Enterprise T1005 Data from Local System

StealBit can upload data and files to the LockBit victim-shaming site.[2][1]

Enterprise T1030 Data Transfer Size Limits

StealBit can be configured to exfiltrate files at a specified rate to evade network detection mechanisms.[1]

Enterprise T1622 Debugger Evasion

StealBit can detect it is being run in the context of a debugger.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

StealBit can deobfuscate loaded modules prior to execution.[2][1]

Enterprise T1480 Execution Guardrails

StealBit will execute an empty infinite loop if it detects it is being run in the context of a debugger.[1]

Enterprise T1083 File and Directory Discovery

StealBit can be configured to exfiltrate specific file types.[2][1]

Enterprise T1562.006 Impair Defenses: Indicator Blocking

StealBit can configure its process to suppress certain Windows error message dialogs by calling NtSetInformationProcess.[1]

Enterprise T1070.004 Indicator Removal: File Deletion

StealBit can self-delete its executable file from the compromised system.[1][2]

Enterprise T1559 Inter-Process Communication

StealBit can use interprocess communication (IPC) to enable the designation of multiple files for exfiltration in a scalable manner.[1]

Enterprise T1106 Native API

StealBit can use native APIs including LoadLibraryExA for execution and NtSetInformationProcess for defense evasion purposes.[1]

Enterprise T1095 Non-Application Layer Protocol

StealBit can use the Windows Sockets (Winsock) library to communicate with attacker-controlled endpoints.[1]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

StealBit stores obfuscated DLL file names in its executable.[1]
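The pattern behind the T1027.013, T1140 and T1106 entries above (library names kept encoded in the image, decoded only at the moment they are passed to LoadLibraryExA) is shown in the added example below. This is illustrative code written for this page, not StealBit's own; the single-byte rolling-XOR scheme, the key value, the `obf_str` layout and the sample DLL name are all assumptions, since the page does not describe the encoding StealBit uses.

```c
/* Added illustration (not StealBit's code) of T1027.013 / T1140 / T1106:
 * library names stored encoded in the binary and decoded just before
 * LoadLibraryExA. The rolling-XOR scheme and OBF_KEY are assumptions. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define OBF_KEY 0x5A  /* assumed key; real samples pick their own */

/* Length-prefixed so the encoded table needs no plaintext NUL terminator. */
struct obf_str {
    unsigned char len;
    unsigned char data[32];
};

/* In a real sample the table is produced at build time; this helper builds it
 * here so the constructed input is reproducible. Each byte is XORed with a
 * position-dependent key so repeated characters do not encode identically. */
void obf_encode(const char *plain, struct obf_str *out)
{
    size_t n = strlen(plain);
    if (n > sizeof out->data)
        n = sizeof out->data;
    out->len = (unsigned char)n;
    for (size_t i = 0; i < n; i++)
        out->data[i] = (unsigned char)plain[i] ^ (unsigned char)(OBF_KEY + i);
}

/* Decode into a caller-supplied stack buffer immediately before use; the
 * plaintext exists only for the lifetime of the call. Returns decoded length.
 * This is also the routine an analyst reimplements to recover the names
 * statically once the scheme and key are known. */
size_t obf_decode(const struct obf_str *in, char *out, size_t outsz)
{
    size_t n = in->len < outsz - 1 ? in->len : outsz - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(in->data[i] ^ (unsigned char)(OBF_KEY + i));
    out[n] = '\0';
    return n;
}

/* Resolve a module by its encoded name (T1106: native LoadLibraryExA). */
void *load_obfuscated(const struct obf_str *name)
{
    char buf[64];
    obf_decode(name, buf, sizeof buf);
#ifdef _WIN32
    return (void *)LoadLibraryExA(buf, NULL, 0);
#else
    printf("non-Windows host: would call LoadLibraryExA(\"%s\")\n", buf);
    return NULL;
#endif
}

int main(void)
{
    struct obf_str ws2;                    /* constructed sample entry */
    obf_encode("ws2_32.dll", &ws2);
    printf("encoded bytes:");
    for (unsigned i = 0; i < ws2.len; i++)
        printf(" %02x", ws2.data[i]);
    printf("\n");
    (void)load_obfuscated(&ws2);
    return 0;
}
```

Because the decoded name never lands in the image, a plain `strings` pass over the file will not show `ws2_32.dll`; the name only appears in memory, which is why triage of a sample like this leans on runtime API tracing or on recovering the decode routine and key from the disassembly.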

Enterprise T1082 System Information Discovery

StealBit can enumerate the computer name and domain membership of the compromised system.[1]

Enterprise T1614.001 System Location Discovery: System Language Discovery

StealBit can determine system location based on the default language setting and will not execute on systems located in former Soviet countries.[1]
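The added example below ties together the pre-execution guardrails listed on this page: the debugger check (T1622) that ends in an empty infinite loop rather than a clean exit (T1480), and the default-language check (T1614.001) that stops execution on locales associated with former Soviet countries. It is illustrative code written for this page, not StealBit's own. The set of primary language IDs, the Linux `/proc/self/status` fallback used so the block runs outside Windows, and the `guardrail_action` policy are assumptions; the page does not enumerate which locales StealBit checks or which debugger-detection method it uses.

```c
/* Added illustration (not StealBit's code) of the T1622 / T1480 / T1614.001
 * guardrails. The language list and the non-Windows fallback are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Primary language IDs (low 10 bits of a Windows LANGID) for languages of
 * former Soviet states. Assumed illustrative list, not StealBit's. */
static const unsigned short kBlockedPrimaryLangs[] = {
    0x19, /* Russian */     0x22, /* Ukrainian */  0x23, /* Belarusian */
    0x3F, /* Kazakh */      0x43, /* Uzbek */      0x28, /* Tajik */
    0x40, /* Kyrgyz */      0x42, /* Turkmen */    0x2B, /* Armenian */
    0x2C, /* Azerbaijani */ 0x37, /* Georgian */   0x44, /* Tatar */
};

/* A LANGID packs a 10-bit primary language and a 6-bit sublanguage. */
static unsigned short primary_lang(unsigned short langid) { return langid & 0x3FF; }
static unsigned short sub_lang(unsigned short langid) { return (langid >> 10) & 0x3F; }

/* T1614.001: returns 1 if the locale is one the guardrail refuses to run on. */
int language_blocked(unsigned short langid)
{
    unsigned short p = primary_lang(langid);
    /* Romanian (0x18) with the Moldova sublanguage (0x02), i.e. ro-MD = 0x0818,
     * is blocked while ro-RO (0x0418) is not, so the sublanguage matters here. */
    if (p == 0x18 && sub_lang(langid) == 0x02)
        return 1;
    for (size_t i = 0; i < sizeof kBlockedPrimaryLangs / sizeof *kBlockedPrimaryLangs; i++)
        if (kBlockedPrimaryLangs[i] == p)
            return 1;
    return 0;
}

/* Linux stand-in for T1622: parse the TracerPid field of /proc/self/status.
 * Returns the tracer PID (0 = no debugger attached), or -1 if absent. */
int parse_tracer_pid(const char *status)
{
    const char *p = strstr(status, "TracerPid:");
    if (!p)
        return -1;
    return (int)strtol(p + strlen("TracerPid:"), NULL, 10);
}

int debugger_present(void)
{
#ifdef _WIN32
    /* Reads the PEB BeingDebugged flag, the same check IsDebuggerPresent makes. */
    return IsDebuggerPresent() ? 1 : 0;
#else
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf) > 0;
#endif
}

/* Guardrail policy, kept separate from the probes so it can be tested:
 * 0 = run payload, 1 = hang in an empty loop (debugger), 2 = exit silently. */
int guardrail_action(int debugger, unsigned short langid)
{
    if (debugger)
        return 1;
    if (language_blocked(langid))
        return 2;
    return 0;
}

int main(void)
{
    unsigned short langid;
#ifdef _WIN32
    langid = GetUserDefaultUILanguage();
#else
    langid = 0x0409; /* en-US stand-in on non-Windows hosts */
#endif
    switch (guardrail_action(debugger_present(), langid)) {
    case 1:
        for (;;) { }        /* T1480: empty infinite loop, no clean exit */
    case 2:
        return 0;           /* T1614.001: silent exit on a blocked locale */
    default:
        puts("guardrails passed: payload would run here");
        return 0;
    }
}
```

For analysis, both checks are cheap to defeat once located: the language probe is a single comparison that can be patched or satisfied by setting a non-blocked UI language in the sandbox, and the debugger branch is identifiable by its infinite loop, which shows up as a hung process under a debugger rather than a crash or an exit.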

References