This malware looks similar to WastedLocker, but the ransomware component is missing.
rule win_wastedloader_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-01-25" version = "1" description = "Detects win.wastedloader." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedloader" malpedia_rule_date = "20230124" malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686" malpedia_version = "20230125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 4a fa 6c fb 90 53 51 } // n = 7, score = 100 // 4a | dec edx // fa | cli // 6c | insb byte ptr es:[edi], dx // fb | sti // 90 | nop // 53 | push ebx // 51 | push ecx $sequence_1 = { fb ff4b77 6f 2575402018 } // n = 4, score = 100 // fb | sti // ff4b77 | dec dword ptr [ebx + 0x77] // 6f | outsd dx, dword ptr [esi] // 2575402018 | and eax, 0x18204075 $sequence_2 = { e8???????? 83c408 837dfc00 7412 681e230000 681e230000 e8???????? } // n = 7, score = 100 // e8???????? | // 83c408 | add esp, 8 // 837dfc00 | cmp dword ptr [ebp - 4], 0 // 7412 | je 0x14 // 681e230000 | push 0x231e // 681e230000 | push 0x231e // e8???????? | $sequence_3 = { 243f 0000 ac 884d01 1f fd 3a0f } // n = 7, score = 100 // 243f | and al, 0x3f // 0000 | add byte ptr [eax], al // ac | lodsb al, byte ptr [esi] // 884d01 | mov byte ptr [ebp + 1], cl // 1f | pop ds // fd | std // 3a0f | cmp cl, byte ptr [edi] $sequence_4 = { a3???????? 813d????????d6d4b000 7308 ff15???????? ebdf } // n = 5, score = 100 // a3???????? | // 813d????????d6d4b000 | // 7308 | jae 0xa // ff15???????? | // ebdf | jmp 0xffffffe1 $sequence_5 = { 8b45f8 66895014 b9b6000000 8b55f8 66894a16 8b45f8 } // n = 6, score = 100 // 8b45f8 | mov eax, dword ptr [ebp - 8] // 66895014 | mov word ptr [eax + 0x14], dx // b9b6000000 | mov ecx, 0xb6 // 8b55f8 | mov edx, dword ptr [ebp - 8] // 66894a16 | mov word ptr [edx + 0x16], cx // 8b45f8 | mov eax, dword ptr [ebp - 8] $sequence_6 = { 8bf0 0335???????? 68e0110000 ff15???????? 8bf8 033d???????? } // n = 6, score = 100 // 8bf0 | mov esi, eax // 0335???????? | // 68e0110000 | push 0x11e0 // ff15???????? | // 8bf8 | mov edi, eax // 033d???????? | $sequence_7 = { a7 b4f3 de9fc3038352 04f3 de00 750d } // n = 6, score = 100 // a7 | cmpsd dword ptr [esi], dword ptr es:[edi] // b4f3 | mov ah, 0xf3 // de9fc3038352 | ficomp word ptr [edi + 0x528303c3] // 04f3 | add al, 0xf3 // de00 | fiadd word ptr [eax] // 750d | jne 0xf $sequence_8 = { 1f bf1783d911 7ce9 52 2b1c44 } // n = 5, score = 100 // 1f | pop ds // bf1783d911 | mov edi, 0x11d98317 // 7ce9 | jl 0xffffffeb // 52 | push edx // 2b1c44 | sub ebx, dword ptr [esp + eax*2] $sequence_9 = { 83c201 8915???????? eb86 5f 5e } // n = 5, score = 100 // 83c201 | add edx, 1 // 8915???????? | // eb86 | jmp 0xffffff88 // 5f | pop edi // 5e | pop esi condition: 7 of them and filesize < 2677760 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY