win.wastedloader

WastedLoader


This malware looks similar to WastedLocker, but the ransomware component is missing.

References
2022-06-13 — Jorge Testa (Jorge Testa)
@online{testa:20220613:killing:36e9385, author = {Jorge Testa}, title = {{Killing The Bear - Evil Corp}}, date = {2022-06-13}, organization = {Jorge Testa}, url = {https://killingthebear.jorgetesta.tech/actors/evil-corp}, language = {English}, urldate = {2022-07-01} } Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2021-05-18 — Bitdefender — Mihai Neagu, Bogdan Botezatu, George Mihali, Aron Radu, Ștefan Trifescu
@techreport{neagu:20210518:new:52eb07f, author = {Mihai Neagu and Bogdan Botezatu and George Mihali and Aron Radu and Ștefan Trifescu}, title = {{New WastedLoader Campaign Delivered Through RIG Exploit Kit}}, date = {2021-05-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf}, language = {English}, urldate = {2021-05-19} } New WastedLoader Campaign Delivered Through RIG Exploit Kit
WastedLoader WastedLocker
Yara Rules
[TLP:WHITE] win_wastedloader_auto (20230715 | Detects win.wastedloader.)
rule win_wastedloader_auto {

    /* Purpose: auto-generated code-sequence signature for the win.wastedloader
     * family (Malpedia). It matches when at least 7 of the 10 byte sequences
     * below ($sequence_0 .. $sequence_9) occur in a file smaller than
     * 2677760 bytes (2615 KiB). The sequences are raw x86 opcode bytes; the
     * "//" lines under each one are the generator's disassembly, kept for
     * human review only and not part of the match.
     *
     * NOTE(review): per the disclaimer below, the sequences were selected from
     * a small number of documented samples, so coverage of other builds or
     * packers is not guaranteed. Validate the rule against a clean-file corpus
     * before using it for anything beyond hunting/triage, and treat "7 of
     * them" as the tunable sensitivity knob rather than a hard fact.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.wastedloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedloader"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // In the per-sequence annotations, "n" equals the number of
        // disassembled instructions listed and "score" is the generator's
        // ranking value (100 for every sequence here).

        // NOTE(review): the disassembly for $sequence_0, $sequence_1 and
        // $sequence_9 contains instructions that are unusual in compiled
        // user-mode code (loope, out/in, pushal). These bytes may have been
        // taken from packed or non-code regions of the sample rather than real
        // code; if the rule proves noisy, these are the first candidates to
        // drop or re-weight. Unverified - confirm against the sample.
        $sequence_0 = { d1fe bb3c7bfba0 e106 85a7f7c88baa }
            // n = 4, score = 100
            //   d1fe                 | sar                 esi, 1
            //   bb3c7bfba0           | mov                 ebx, 0xa0fb7b3c
            //   e106                 | loope               8
            //   85a7f7c88baa         | test                dword ptr [edi - 0x55743709], esp

        $sequence_1 = { d2eb 7ba5 01acff3d3bfc6d e78b ec f6d8 }
            // n = 6, score = 100
            //   d2eb                 | shr                 bl, cl
            //   7ba5                 | jnp                 0xffffffa7
            //   01acff3d3bfc6d       | add                 dword ptr [edi + edi*8 + 0x6dfc3b3d], ebp
            //   e78b                 | out                 0x8b, eax
            //   ec                   | in                  al, dx
            //   f6d8                 | neg                 al

        $sequence_2 = { d193e13e7876 02dd ae 687b90c2e9 }
            // n = 4, score = 100
            //   d193e13e7876         | rcl                 dword ptr [ebx + 0x76783ee1], 1
            //   02dd                 | add                 bl, ch
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   687b90c2e9           | push                0xe9c2907b

        $sequence_3 = { af f6ff 8bef 69f2c46ff7ff }
            // n = 4, score = 100
            //   af                   | scasd               eax, dword ptr es:[edi]
            //   f6ff                 | idiv                bh
            //   8bef                 | mov                 ebp, edi
            //   69f2c46ff7ff         | imul                esi, edx, 0xfff76fc4

        // $sequence_4, $sequence_6 and $sequence_7 share one shape: load a
        // 16-bit field at +0x10 / +0x14 / +0x18 of a structure held in
        // [ebp - 8], subtract 0x54, and store it back. Being frame-relative,
        // compiler-looking code, these are likely the most stable anchors in
        // the rule (review assumption - confirm against the sample).
        $sequence_4 = { 0fb75114 83ea54 8b45f8 66895014 }
            // n = 4, score = 100
            //   0fb75114             | movzx               edx, word ptr [ecx + 0x14]
            //   83ea54               | sub                 edx, 0x54
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   66895014             | mov                 word ptr [eax + 0x14], dx

        $sequence_5 = { 44 40 0433 381b }
            // n = 4, score = 100
            //   44                   | inc                 esp
            //   40                   | inc                 eax
            //   0433                 | add                 al, 0x33
            //   381b                 | cmp                 byte ptr [ebx], bl

        $sequence_6 = { 8b55f8 66894a10 8b45f8 0fb74810 83e954 }
            // n = 5, score = 100
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   66894a10             | mov                 word ptr [edx + 0x10], cx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   0fb74810             | movzx               ecx, word ptr [eax + 0x10]
            //   83e954               | sub                 ecx, 0x54

        $sequence_7 = { 66894118 8b55f8 0fb74218 83e854 8b4df8 66894118 ba8d000000 }
            // n = 7, score = 100
            //   66894118             | mov                 word ptr [ecx + 0x18], ax
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   0fb74218             | movzx               eax, word ptr [edx + 0x18]
            //   83e854               | sub                 eax, 0x54
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   66894118             | mov                 word ptr [ecx + 0x18], ax
            //   ba8d000000           | mov                 edx, 0x8d

        $sequence_8 = { 2cbe 832061 5b 5b }
            // n = 4, score = 100
            //   2cbe                 | sub                 al, 0xbe
            //   832061               | and                 dword ptr [eax], 0x61
            //   5b                   | pop                 ebx
            //   5b                   | pop                 ebx

        $sequence_9 = { 60 87cf 009c6ade5a5d02 46 89547ffe }
            // n = 5, score = 100
            //   60                   | pushal              
            //   87cf                 | xchg                edi, ecx
            //   009c6ade5a5d02       | add                 byte ptr [edx + ebp*2 + 0x25d5ade], bl
            //   46                   | inc                 esi
            //   89547ffe             | mov                 dword ptr [edi + edi*2 - 2], edx

    condition:
        // "them" covers all ten $sequence_* strings; at least 7 must be
        // present. The size cap (2677760 bytes) bounds scan cost and excludes
        // large files; raise it only if you have a sample that exceeds it.
        7 of them and filesize < 2677760
}