MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

WastedLocker

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3
SHA3-384 hash:	f9a1e41e6b9a206986132933da47ad33734c8623feb2fb50081606e1d4c1747bae5400dfce67b1b422271906a6b04222
SHA1 hash:	9292fa66c917bfa47e8012d302a69bec48e9b98c
MD5 hash:	edbf07eaca4fff5f2d3f045567a9dc6f
humanhash:	utah-black-neptune-may
File name:	ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3
Download:	download sample
Signature	WastedLocker Create hunting rule
File size:	974'224 bytes
First seen:	2020-06-25 05:29:03 UTC
Last seen:	2020-06-25 06:40:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4bb6b9b596884a0c90778c39e2bd91ba (1 x WastedLocker)
ssdeep	3072:SLu8kCHp4EYPZE5CIv4Nc4GiM9vAZTponZNLQuHmmYxpwbvANK:38Z2E5biM9MTKnXLQuHmmaQvaK
Threatray	268 similar samples on MalwareBazaar
TLSH	4925BE52A697CCC5FC271470C91B8EF807E2FE46AF491B8B55C0BD7ABD307882B25661
Reporter	abuse_ch
Tags:	exe Ransomware WastedLocker

Code Signing Certificate

Organisation:	YZCKUEONYQSURZWORG
Issuer:	YZCKUEONYQSURZWORG
Algorithm:	sha1WithRSA
Valid from:	Jun 2 21:50:04 2020 GMT
Valid to:	Dec 31 23:59:59 2039 GMT
Serial number:	-483E5B3B977F126CB1073EF45D0492B2
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:
Thumbprint:
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

2

# of downloads :

1'941

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/13898/

Detection(s):

PUA.Win.Adware.Browsefox-6628766-0

PUA.Win.Trojan.Generic-6629274-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a file in the Windows subdirectories

Launching a process

Creating a service

Launching a service

Changing a file

Creating a file

Deleting a recently created file

Running batch commands

Deleting volume shadow copies

Enabling autorun for a service

Creating a file in the mass storage device

Encrypting user's files

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3/

Gathering data

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5uddflfsm2soyp2r3wadzabfxtgwktstyzhlme7capczbclqpgzq._file

Verdict:

suspicious

Similar samples:

0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821

5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367

887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d

8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80

905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a

9486d93dedcb4e1eabc7ab1c778b01459f8afc13aba9d3017e20003c22476100

aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8

c4b5846ab10b6ac87f6f176bcb8a3f76a720628fd8b1aa9d7c1f603192f67bd0

e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb

+ 258 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

ransomware persistence discovery exploit

Link:

https://tria.ge/reports/200625-xry39vdk4a/

Behaviour

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Views/modifies file attributes

Modifies service

Drops file in System32 directory

Modifies file permissions

Loads dropped DLL

Deletes itself

Possible privilege escalation attempt

Executes dropped EXE

Deletes shadow copies

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

X

https://twitter.com/JAMESWT_MHT/status/1275877892417863682

Link

https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/amp/

Cape

Cape

https://www.capesandbox.com/analysis/13898/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample