MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

WastedLocker

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
SHA3-384 hash:	83c0ec8f1d859ac6a637dc9c40b3837f9aca7d873923d1a41b0a68b5f453712a85cdd1b6f2afdf895968e3c0a970606e
SHA1 hash:	91b2bf44b1f9282c09f07f16631deaa3ad9d956d
MD5 hash:	572fea5f025df78f2d316216fbeee52e
humanhash:	speaker-may-king-north
File name:	5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
Download:	download sample
Signature	WastedLocker Create hunting rule
File size:	1'076'112 bytes
First seen:	2020-06-25 05:30:47 UTC
Last seen:	2020-06-25 06:40:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	227c7a3a12a7d92ffc2eaa1a92fda3d6 (1 x WastedLocker)
ssdeep	1536:oqRaSoNRhXeFFIEuz29JfZsIzYJerU+zjqFeKUO1z1gZCHW8LiLrXz4HE7bhj5Bs:oqRa/fhGFIZyJfZsqCGez5W1Ekxj5+
Threatray	281 similar samples on MalwareBazaar
TLSH	65357C63A05CAEC4F82F56B08C880DF5A3C6BD93D9600B7731F4BFAA67B5E024716855
Reporter	abuse_ch
Tags:	exe Ransomware WastedLocker

Code Signing Certificate

Organisation:	YZCKUEONYQSURZWORG
Issuer:	YZCKUEONYQSURZWORG
Algorithm:	sha1WithRSA
Valid from:	Jun 2 21:50:04 2020 GMT
Valid to:	Dec 31 23:59:59 2039 GMT
Serial number:	-483E5B3B977F126CB1073EF45D0492B2
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:
Thumbprint:
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

2

# of downloads :

1'965

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/13904/

Detection(s):

PUA.Win.Adware.Browsefox-6628766-0

PUA.Win.Trojan.Generic-6629274-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a file in the Windows subdirectories

Launching a process

Creating a service

Launching a service

Changing a file

Creating a file

Deleting a recently created file

Running batch commands

Deleting volume shadow copies

Enabling autorun for a service

Creating a file in the mass storage device

Encrypting user's files

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367/

Gathering data

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ltieqbpzou6kbc4c5cgcpp2ue3i5gvv3e2zidccvomcrasercntq._file

Verdict:

suspicious

Similar samples:

0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821

887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d

8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80

905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a

9486d93dedcb4e1eabc7ab1c778b01459f8afc13aba9d3017e20003c22476100

aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8

c4b5846ab10b6ac87f6f176bcb8a3f76a720628fd8b1aa9d7c1f603192f67bd0

e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb

ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3

+ 271 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

ransomware persistence discovery exploit

Link:

https://tria.ge/reports/200625-a7f1nq69h6/

Behaviour

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Views/modifies file attributes

Modifies service

Drops file in System32 directory

Modifies file permissions

Loads dropped DLL

Deletes itself

Possible privilege escalation attempt

Executes dropped EXE

Deletes shadow copies

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/amp/

X

https://twitter.com/JAMESWT_MHT/status/1275877892417863682

Cape

Cape

https://www.capesandbox.com/analysis/13904/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample