MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

WastedLocker

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772
SHA3-384 hash:	1145dde4722370eb4a25b4cb0e11d5d3a3fedcbdfe21912397b012664aa8e6b6a9745998b3a097c4123531e68cfd82d4
SHA1 hash:	f25f0b369a355f30f5e11ac11a7f644bcfefd963
MD5 hash:	13e623cdfb75d99ea7e04c6157ca8ae6
humanhash:	kilo-edward-kilo-equal
File name:	aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772
Download:	download sample
Signature	WastedLocker Create hunting rule
File size:	1'127'312 bytes
First seen:	2020-06-26 10:25:27 UTC
Last seen:	2020-07-26 07:43:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b19e07ce05976bb65fe74f20f79adcdb (1 x WastedLocker)
ssdeep	1536:LqRaSoNRhXeFFIEuz29JfZsIzYJerJ0+B4jPOnXYY8ZCHPcXz4HE7bhjYWLc:LqRa/fhGFIZyJfZsqCK62rTPoEkxjc
Threatray	286 similar samples on MalwareBazaar
TLSH	31359D23A45CAEE9F89F06B49D940CF1A3C16C92D926067F31FD7FD167B0E038916896
Reporter	JAMESWT_WT
Tags:	Ransomware WastedLocker

Code Signing Certificate

Organisation:	SCSTXPBIMRJPFWKHAA
Issuer:	SCSTXPBIMRJPFWKHAA
Algorithm:	sha1WithRSA
Valid from:	May 23 19:51:28 2020 GMT
Valid to:	Dec 31 23:59:59 2039 GMT
Serial number:	365F7CABE78BE8BD47FF30C6A9362951
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	32F9AE0025EEDF567D39633E6F4274E494A3B6329458B27F33AA7795177A91D8
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

3

# of downloads :

1'946

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/14843/

Detection(s):

PUA.Win.Adware.Browsefox-6628766-0

PUA.Win.Trojan.Generic-6629274-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a file in the Windows subdirectories

Launching a process

Creating a service

Launching a service

Changing a file

Creating a file

Deleting a recently created file

Running batch commands

Deleting volume shadow copies

Enabling autorun for a service

Creating a file in the mass storage device

Encrypting user's files

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772/

Threat name:

Win32.Ransomware.Wasted

Status:

Malicious

First seen:

2020-06-26 02:10:54 UTC

File Type:

PE (Exe)

Extracted files:

25

AV detection:

42 of 48 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vic6pimh3xwc4ep4dspk7zqubdiilmflntiszlvpkmoj3sqss5za._file

Verdict:

suspicious

Similar samples:

0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821

5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367

887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d

8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80

905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a

9486d93dedcb4e1eabc7ab1c778b01459f8afc13aba9d3017e20003c22476100

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8

c4b5846ab10b6ac87f6f176bcb8a3f76a720628fd8b1aa9d7c1f603192f67bd0

e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb

ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3

+ 276 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

exploit ransomware persistence discovery

Link:

https://tria.ge/reports/200626-6vycgje9q6/

Behaviour

Interacts with shadow copies

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Drops file in System32 directory

Modifies service

Modifies file permissions

Loads dropped DLL

Deletes itself

Executes dropped EXE

Possible privilege escalation attempt

Deletes shadow copies

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/14843/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample