MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

WastedLocker

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80
SHA3-384 hash:	43ccf95bfac8339ed7fa238427bf347d37381ec40102f2ff23ae7036f77a75ff6da58162ba2c34fd669635d0498f1b8d
SHA1 hash:	be59c867da75e2a66b8c2519e950254f817cd4ad
MD5 hash:	ecb00e9a61f99a7d4c90723294986bbc
humanhash:	solar-ten-nevada-georgia
File name:	8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80
Download:	download sample
Signature	WastedLocker Create hunting rule
File size:	57'344 bytes
First seen:	2020-06-25 05:30:11 UTC
Last seen:	2020-11-03 14:20:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1260a496bc397af35f74ffa2765fea29 (1 x WastedLocker)
ssdeep	1536:d2SYM6dDF+WO8Rh51yXjk2JqdT8LONUeCSC0eWNF:dLYndDg8v51cZoHNF
Threatray	21 similar samples on MalwareBazaar
TLSH	3B438D86B91CD073EE9006727E33AFA0C3E92C21226DA34773506C51E955DEAE327E17
Reporter	abuse_ch
Tags:	exe Ransomware WastedLocker

Intelligence

File Origin

# of uploads :

4

# of downloads :

1'909

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/13901/

Detection(s):

SecuriteInfo.com.Trojan.Encoder.31904.6629.6492.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a file in the Windows subdirectories

Launching a process

Creating a service

Launching a service

Changing a file

Creating a file

Deleting a recently created file

Running batch commands

Deleting volume shadow copies

Enabling autorun for a service

Creating a file in the mass storage device

Encrypting user's files

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80/

Gathering data

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rcl5xb3fkp4ufmxliac7qr22emv27obkkdfhoyngegcc5ckkhwaa._file

Verdict:

suspicious

Similar samples:

0232fe4b3256a6a4700de482e5e9074baf4548d7604cf4404182be73353ee32f

0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821

5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367

887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d

905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a

aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8

e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb

ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3

f21872a03fcb62dbac5cd7ea2c92db4595f4a55906d7a91ffa6ce5cae2b84e91

+ 11 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

ransomware persistence discovery exploit

Link:

https://tria.ge/reports/200625-8esde312g6/

Behaviour

Views/modifies file attributes

NTFS ADS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Modifies service

Drops file in System32 directory

Deletes itself

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Possible privilege escalation attempt

Deletes shadow copies

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/amp/

X

https://twitter.com/JAMESWT_MHT/status/1275877892417863682

Cape

Cape

https://www.capesandbox.com/analysis/13901/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample