win.wastedloader (Back to overview)

WastedLoader


This malware resembles WastedLocker, but the ransomware component is absent.

References
2022-06-13 | Jorge Testa | Jorge Testa
Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2021-05-18 | Bitdefender | Aron Radu, Bogdan Botezatu, George Mihali, Mihai Neagu, Ștefan Trifescu
New WastedLoader Campaign Delivered Through RIG Exploit Kit
WastedLoader WastedLocker
Yara Rules
[TLP:WHITE] win_wastedloader_auto (20260504 | Detects win.wastedloader.)
// Auto-generated YARA-Signator rule for the WastedLoader family (Malpedia id: win.wastedloader).
// The rule fires when at least 7 of the 10 byte sequences below are present in a scanned
// file smaller than 2677760 bytes. Each $sequence_N is a run of 32-bit x86 instruction
// bytes selected from a sample's disassembly; the "// n = ..., score = ..." line under
// each sequence is generator metadata (n is the number of instructions in the sequence)
// and the indented lines reproduce the disassembly the generator recorded for those bytes.
rule win_wastedloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.wastedloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedloader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Reads a 16-bit field at offset 0x56 of a structure, subtracts 0x54 and writes the
        // result back. This reads like genuine compiled code (NOTE(review): the meaning of the
        // field is not known from this rule alone).
        $sequence_0 = { 8b4df8 0fb75156 83ea54 8b45f8 66895056 b9b8000000 }
            // n = 6, score = 100
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   0fb75156             | movzx               edx, word ptr [ecx + 0x56]
            //   83ea54               | sub                 edx, 0x54
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   66895056             | mov                 word ptr [eax + 0x56], dx
            //   b9b8000000           | mov                 ecx, 0xb8

        // NOTE(review): sequences 1-7 and 9 decode to unusual instruction mixes (port I/O via
        // `out`, string ops, MMX/x87 instructions with odd memory operands, jumps to targets
        // such as 0xffffff87), which suggests the bytes were selected from data, padding or
        // packed/encrypted regions rather than from executable code. Such sequences may be
        // specific to the one sample they came from; weigh this together with the DISCLAIMER
        // above when assigning a confidence level to matches.
        $sequence_1 = { e74d b980344b51 7385 20e1 }
            // n = 4, score = 100
            //   e74d                 | out                 0x4d, eax
            //   b980344b51           | mov                 ecx, 0x514b3480
            //   7385                 | jae                 0xffffff87
            //   20e1                 | and                 cl, ah

        $sequence_2 = { 1008 a6 660f1b09 0000 a7 7280 011cfd80edc199 }
            // n = 7, score = 100
            //   1008                 | adc                 byte ptr [eax], cl
            //   a6                   | cmpsb               byte ptr [esi], byte ptr es:[edi]
            //   660f1b09             | nop                 word ptr [ecx]
            //   0000                 | add                 byte ptr [eax], al
            //   a7                   | cmpsd               dword ptr [esi], dword ptr es:[edi]
            //   7280                 | jb                  0xffffff82
            //   011cfd80edc199       | add                 dword ptr [edi*8 - 0x663e1280], ebx

        $sequence_3 = { 04ee 1dd1704c64 0ffda4e83d005d04 008b4c81d274 }
            // n = 4, score = 100
            //   04ee                 | add                 al, 0xee
            //   1dd1704c64           | sbb                 eax, 0x644c70d1
            //   0ffda4e83d005d04     | paddw               mm4, qword ptr [eax + ebp*8 + 0x45d003d]
            //   008b4c81d274         | add                 byte ptr [ebx + 0x74d2814c], cl

        $sequence_4 = { 98 fc b54c 90 b182 7c80 }
            // n = 6, score = 100
            //   98                   | cwde                
            //   fc                   | cld                 
            //   b54c                 | mov                 ch, 0x4c
            //   90                   | nop                 
            //   b182                 | mov                 cl, 0x82
            //   7c80                 | jl                  0xffffff82

        $sequence_5 = { 6a3b 11c2 855cb412 8bb8181480c8 1808 007056 8b4c00f9 }
            // n = 7, score = 100
            //   6a3b                 | push                0x3b
            //   11c2                 | adc                 edx, eax
            //   855cb412             | test                dword ptr [esp + esi*4 + 0x12], ebx
            //   8bb8181480c8         | mov                 edi, dword ptr [eax - 0x377febe8]
            //   1808                 | sbb                 byte ptr [eax], cl
            //   007056               | add                 byte ptr [eax + 0x56], dh
            //   8b4c00f9             | mov                 ecx, dword ptr [eax + eax - 7]

        $sequence_6 = { 037fc1 00e4 1ac7 7240 ad 58 2448 }
            // n = 7, score = 100
            //   037fc1               | add                 edi, dword ptr [edi - 0x3f]
            //   00e4                 | add                 ah, ah
            //   1ac7                 | sbb                 al, bh
            //   7240                 | jb                  0x42
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   58                   | pop                 eax
            //   2448                 | and                 al, 0x48

        $sequence_7 = { 6ac1 8b700b 2c85 a5 5b df8bd2687320 ef }
            // n = 7, score = 100
            //   6ac1                 | push                -0x3f
            //   8b700b               | mov                 esi, dword ptr [eax + 0xb]
            //   2c85                 | sub                 al, 0x85
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   5b                   | pop                 ebx
            //   df8bd2687320         | fisttp              word ptr [ebx + 0x207368d2]
            //   ef                   | out                 dx, eax

        // The four ?? bytes after opcode a1 wildcard the 32-bit absolute address of that
        // instruction, so the sequence still matches when the sample is rebased/relocated.
        $sequence_8 = { 2430 8b1c24 a1???????? b6f6 ff4565 f9 }
            // n = 6, score = 100
            //   2430                 | and                 al, 0x30
            //   8b1c24               | mov                 ebx, dword ptr [esp]
            //   a1????????           |                     
            //   b6f6                 | mov                 dh, 0xf6
            //   ff4565               | inc                 dword ptr [ebp + 0x65]
            //   f9                   | stc                 

        $sequence_9 = { 1c34 83f4f0 0d844de3fd ff959ef9ff7b f34a 24f0 801abd }
            // n = 7, score = 100
            //   1c34                 | sbb                 al, 0x34
            //   83f4f0               | xor                 esp, 0xfffffff0
            //   0d844de3fd           | or                  eax, 0xfde34d84
            //   ff959ef9ff7b         | call                dword ptr [ebp + 0x7bfff99e]
            //   f34a                 | dec                 edx
            //   24f0                 | and                 al, 0xf0
            //   801abd               | sbb                 byte ptr [edx], 0xbd

    condition:
        // At least 7 of the 10 sequences must be present; the size cap (2677760 bytes =
        // 2615 KiB) rejects any larger file regardless of string hits. Because the strings
        // were taken from memory dumps and unpacked files (see DISCLAIMER), a packed on-disk
        // sample may not expose these sequences until it is unpacked or dumped.
        7 of them and filesize < 2677760
}