MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

WastedLocker
Vendor detections: 3



SHA256 hash: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
SHA3-384 hash: a06cf9204d6e700f32fc8fa6d7fdc0beae2c1e8ab68b4d46e1925e00b577d058c7816dc3c80ed1f6bf0625dd4200833e
SHA1 hash: 4fed7eae00bfa21938e49f33b7c6794fd7d0750c
MD5 hash: 0ed2ca539a01cdb86c88a9a1604b2005
humanhash: october-gee-rugby-wyoming
File name: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
Signature: WastedLocker
File size: 61'440 bytes
First seen: 2020-06-25 05:29:45 UTC
Last seen: 2020-11-03 14:20:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: cc3abc4e0e3ee104d883385ee5cb0259 (4 x WastedLocker)
ssdeep: 1536:HO88wNYmqdeBk7G7IhhqZKWVKz8NqUxVl2HihgOrT8avvvvvvvvvvvvvvvvvvvv:HOmhqdeBk+nc9OrTZvvvvvvvvvvvvvvX
Threatray: 45 similar samples on MalwareBazaar
TLSH: 68537EC5A59CD433EF7206B216337B91A3EA2C24136F734773719C95DA2448EE3A9A13
Reporter: abuse_ch
Tags: exe Ransomware WastedLocker

Intelligence

File Origin
# of uploads: 4
# of downloads: 1'923
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Launching a process
Creating a service
Launching a service
Changing a file
Creating a file
Deleting a recently created file
Running batch commands
Deleting volume shadow copies
Enabling autorun for a service
Creating a file in the mass storage device
Encrypting user's files
Gathering data
Result
Malware family: n/a
Score: 9/10
Tags: persistence discovery exploit ransomware
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Views/modifies file attributes
NTFS ADS
Modifies service
Drops file in System32 directory
Modifies file permissions
Loads dropped DLL
Deletes itself
Possible privilege escalation attempt
Executes dropped EXE
Deletes shadow copies
Please note that we are no longer able to provide a coverage score for VirusTotal.
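The behaviours reported above (deleting volume shadow copies, creating a service and enabling autorun for it, running batch commands, starting a process from a file dropped in %AppData%) are the ones a detection engineer would turn into rules. The following Python is an added example and is neither MalwareBazaar's code nor anything taken from the sample: it runs such rules over constructed process-creation events. The command-line patterns (vssadmin/wmic for shadow copies, sc.exe for an auto-start service), the pipe-separated log format, the host names and the two-behaviour threshold are all assumptions of this example; the entry above lists behaviours, not the exact commands the sample issued.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry from this sample).
# Fields: time | host | parent image | image | command line
SAMPLE_EVENTS = """\
2020-06-25T05:30:00Z | WS01 | C:\\Windows\\explorer.exe | C:\\Users\\alice\\AppData\\Roaming\\updater.exe | "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"
2020-06-25T05:30:01Z | WS01 | C:\\Users\\alice\\AppData\\Roaming\\updater.exe | C:\\Windows\\System32\\cmd.exe | cmd.exe /c "C:\\Users\\alice\\AppData\\Roaming\\run.bat"
2020-06-25T05:30:02Z | WS01 | C:\\Windows\\System32\\cmd.exe | C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet
2020-06-25T05:30:03Z | WS01 | C:\\Windows\\System32\\cmd.exe | C:\\Windows\\System32\\sc.exe | sc.exe create svchelper binPath= "C:\\Windows\\System32\\svchelper.exe" start= auto
2020-06-25T05:31:00Z | WS02 | C:\\Windows\\explorer.exe | C:\\Program Files\\Mozilla Firefox\\firefox.exe | "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
2020-06-25T05:32:00Z | WS02 | C:\\Windows\\System32\\cmd.exe | C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe list shadows
"""

# Command-line signatures for the behaviours reported for this sample.
# Assumption: these are the usual Windows commands for each behaviour; the
# sandbox report names the behaviours, not the exact commands used.
COMMAND_RULES = {
    "Deletes shadow copies": [
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    ],
    "Creates an auto-start service": [
        re.compile(r"\bsc(?:\.exe)?\s+(?:create|config)\b.*\bstart=\s*auto\b", re.I),
    ],
    "Runs batch commands": [
        re.compile(r"\bcmd(?:\.exe)?\b.*\b[\w\-]+\.(?:bat|cmd)\b", re.I),
    ],
}

# Image-path rule: a process whose executable lives in a user-writable
# directory, which is where a dropped file would be launched from.
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\", re.I)


def parse_event(line):
    """Split one log line into a dict, or return None if it is malformed."""
    fields = [f.strip() for f in line.split(" | ")]
    if len(fields) != 5:
        return None
    keys = ("time", "host", "parent", "image", "cmdline")
    return dict(zip(keys, fields))


def classify(event):
    """Return the set of behaviour labels that a single event matches."""
    hits = set()
    for label, patterns in COMMAND_RULES.items():
        if any(p.search(event["cmdline"]) for p in patterns):
            hits.add(label)
    if USER_WRITABLE.search(event["image"]):
        hits.add("Executes from a user-writable directory")
    return hits


def triage(log_text):
    """Map each host to the distinct behaviours seen across its events."""
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue  # skip malformed lines rather than crash the sweep
        per_host[event["host"]] |= classify(event)
    return dict(per_host)


def suspicious_hosts(log_text, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours from the chain.
    The threshold is this example's own heuristic, not a MalwareBazaar score."""
    return sorted(h for h, b in triage(log_text).items() if len(b) >= threshold)


if __name__ == "__main__":
    for host, behaviours in triage(SAMPLE_EVENTS).items():
        print(host, sorted(behaviours))
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

Any single rule here fires on legitimate administration too (backup jobs delete shadow copies, installers register auto-start services); requiring several distinct behaviours on one host within a short window, as `suspicious_hosts` does, is what keeps the chain-based approach usable. A `vssadmin list shadows` on WS02 correctly produces nothing.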
