MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



WastedLocker


Vendor detections: 8



SHA256 hash: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a
SHA3-384 hash: ba717cb268b3a0e29f7412e0171459dacfe73268dae71d16f4c864f731085b92e81b2e2b8fa03c3413eb203fcb873102
SHA1 hash: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
MD5 hash: 2cc4534b0dd0e1c8d5b89644274a10c1
humanhash: eighteen-hydrogen-helium-orange
File name: Interfaces.bin
Signature: WastedLocker
File size: 1'252'752 bytes
First seen: 2020-07-26 07:44:24 UTC
Last seen: 2020-07-29 07:11:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 09c4d73af3796a3e85e763e475143c5d (1 x WastedLocker)
ssdeep: 3072:YbbuRdAcgqu4c61lVJLfrfYEV3g+5Up48:YbyRdlvTfLfrfYE3g+4
Threatray: 103 similar samples on MalwareBazaar
TLSH: 2245E012A6930C07CFA50A3985E771697D310B75BB7D8B91F861B290420A2F70BF5BDE
Reporter: JAMESWT_WT
Tags: WastedLocker

Code Signing Certificate

Organisation: OTRBXJVNJJOIXXBVFO
Issuer: OTRBXJVNJJOIXXBVFO
Algorithm: sha1WithRSA
Valid from: Jul 17 11:55:06 2020 GMT
Valid to: Dec 31 23:59:59 2039 GMT
Serial number: 397DA7D77DACEBAC4258FBAD4D67AA85
Thumbprint Algorithm: SHA256
Thumbprint: 6AA5B635C2B3A06E17498958B6120CC815D76E32CF1A0D9328DC263B4A0C32B6
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 1'914
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Launching a process
Creating a service
Launching a service
Changing a file
Creating a file
Deleting a recently created file
Running batch commands
Deleting volume shadow copies
Enabling autorun for a service
Creating a file in the mass storage device
Encrypting user's files
Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 100 / 100
Signature
Binary contains a suspicious time stamp
Creates files in alternative data streams (ADS)
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph (ID: 251201; Sample: Interfaces.bin; Startdate: 26/07/2020; Architecture: WINDOWS; Score: 100). The graph rendering is not reproduced; the process tree, dropped files and signatures it contained are listed below. Dropped-file paths appeared garbled in the rendering and are restored here from the process names shown in the same graph (Glob:bin, Glob.exe).

Signatures on the submitted sample: Multi AV Scanner detection for submitted file; May disable shadow drive data (uses vssadmin); Machine Learning detection for sample; 4 other signatures.

Process tree:
- Interfaces.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\Glob:bin (PE32); C:\Users\user\AppData\Roaming\Glob (PE32)
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Creates files in alternative data streams (ADS)
    - Glob:bin (started)
        Dropped: C:\Windows\SysWOW64\Glob.exe (PE32)
        Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 2 other signatures
        - cmd.exe (started); signature: Uses cmd line tools excessively to alter registry or file data; children: conhost.exe, choice.exe, attrib.exe
        - vssadmin.exe (started); child: conhost.exe
        - takeown.exe (started); child: conhost.exe
        - icacls.exe (started); child: conhost.exe
    - cmd.exe (started); signature: Uses cmd line tools excessively to alter registry or file data; children: conhost.exe, 2 other processes
- Glob.exe (started)
    Dropped: C:\...\MXPXCVPDVN.xlsx.garminwasted_info (COM); C:\...\CURQNKVOIX.docx.garminwasted_info (DOS); C:\...\ZTGJILHXQB.docx.garminwasted_info (WE32000); 2 other files (none is malicious)
    Signatures: Multi AV Scanner detection for dropped file; Modifies existing user documents (likely ransomware behavior)
    - cmd.exe (started); children: conhost.exe, choice.exe, attrib.exe
- svchost.exe (started)
- VSSVC.exe (started)
Threat name: Win32.Ransomware.WastedLocker
Status: Malicious
First seen: 2020-07-23 05:39:26 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 28 of 29 (96.55%)
Threat level: 5/5
Result
Malware family: wastedlocker
Score: 10/10
Tags: persistence discovery exploit ransomware family:wastedlocker
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Interacts with shadow copies
NTFS ADS
Views/modifies file attributes
Modifies service
Drops file in System32 directory
Modifies file permissions
Loads dropped DLL
Deletes itself
Possible privilege escalation attempt
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
WastedLocker
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments