win.wastedloader

WastedLoader


This malware looks similar to WastedLocker, but it lacks the ransomware component.

References
2022-06-13 | Jorge Testa | Jorge Testa
@online{testa:20220613:killing:36e9385, author = {Jorge Testa}, title = {{Killing The Bear - Evil Corp}}, date = {2022-06-13}, organization = {Jorge Testa}, url = {https://killingthebear.jorgetesta.tech/actors/evil-corp}, language = {English}, urldate = {2022-07-01} } Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2021-05-18 | Bitdefender | Mihai Neagu, Bogdan Botezatu, George Mihali, Aron Radu, Ștefan Trifescu
@techreport{neagu:20210518:new:52eb07f, author = {Mihai Neagu and Bogdan Botezatu and George Mihali and Aron Radu and Ștefan Trifescu}, title = {{New WastedLoader Campaign Delivered Through RIG Exploit Kit}}, date = {2021-05-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf}, language = {English}, urldate = {2021-05-19} } New WastedLoader Campaign Delivered Through RIG Exploit Kit
WastedLoader WastedLocker
Yara Rules
[TLP:WHITE] win_wastedloader_auto (20221125 | Detects win.wastedloader.)
rule win_wastedloader_auto {

    // Purpose: flag win.wastedloader by requiring at least 7 of the 10 byte
    // sequences declared under `strings` (see `condition`). Per the disclaimer
    // below, the sequences were picked automatically from unpacked files and
    // memory dumps, so the rule targets unpacked code, not packed droppers on
    // disk; false negatives on packed samples are expected by construction.
    // Note the three dates in meta: `date` is when the rule was generated,
    // `malpedia_rule_date`/`malpedia_version` track the Malpedia data snapshot.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.wastedloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedloader"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Reading the strings: each `$sequence_N` is a run of x86 (32-bit) opcode
    // bytes; the `// n = ..., score = ...` line gives the instruction count and
    // the selection score assigned by yara-signator (score semantics are not
    // documented on this page). `??` wildcards mask operand bytes — given the
    // signator_config ("callsandjumps;datarefs") these appear to be call/jump
    // targets and absolute data references that change with build and load
    // address, so masking keeps the sequence stable across samples.
    // NOTE(review): five sequences ($sequence_0, _1, _3, _7, _8) decode to
    // privileged/I/O/FPU or segment-register instructions (cli, insb, sti,
    // outsd, pop ds, std, ficomp) that a compiler would not normally emit in
    // user-mode code; those bytes were probably lifted from data or packed
    // regions. With a "7 of them" condition at least two of the code-looking
    // sequences must still hit, but treat a match driven mainly by the
    // data-like ones as weaker evidence — confirm against the sample.

    strings:
        $sequence_0 = { 4a fa 6c fb 90 53 51 }
            // n = 7, score = 100
            // NOTE(review): cli/insb/sti — likely data, not code (see note above)
            //   4a                   | dec                 edx
            //   fa                   | cli                 
            //   6c                   | insb                byte ptr es:[edi], dx
            //   fb                   | sti                 
            //   90                   | nop                 
            //   53                   | push                ebx
            //   51                   | push                ecx

        $sequence_1 = { fb ff4b77 6f 2575402018 }
            // n = 4, score = 100
            // NOTE(review): sti/outsd — likely data, not code (see note above)
            //   fb                   | sti                 
            //   ff4b77               | dec                 dword ptr [ebx + 0x77]
            //   6f                   | outsd               dx, dword ptr [esi]
            //   2575402018           | and                 eax, 0x18204075

        $sequence_2 = { e8???????? 83c408 837dfc00 7412 681e230000 681e230000 e8???????? }
            // n = 7, score = 100
            // Reads like compiled code: a call, stack cleanup of 8 bytes, a
            // test of the local at [ebp-4] against 0, then the constant 0x231e
            // pushed twice as arguments to a second call. What the callees are
            // cannot be told from here (targets are masked).
            //   e8????????           | call                (rel32 target masked)
            //   83c408               | add                 esp, 8
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   7412                 | je                  0x14
            //   681e230000           | push                0x231e
            //   681e230000           | push                0x231e
            //   e8????????           | call                (rel32 target masked)

        $sequence_3 = { 243f 0000 ac 884d01 1f fd 3a0f }
            // n = 7, score = 100
            // NOTE(review): `add [eax], al` (00 00) plus pop ds/std — likely
            // data, not code (see note above)
            //   243f                 | and                 al, 0x3f
            //   0000                 | add                 byte ptr [eax], al
            //   ac                   | lodsb               al, byte ptr [esi]
            //   884d01               | mov                 byte ptr [ebp + 1], cl
            //   1f                   | pop                 ds
            //   fd                   | std                 
            //   3a0f                 | cmp                 cl, byte ptr [edi]

        $sequence_4 = { a3???????? 813d????????d6d4b000 7308 ff15???????? ebdf }
            // n = 5, score = 100
            // Reads like a loop: store eax to a global, compare another global
            // against the immediate 0x00b0d4d6, exit forward on jae, otherwise
            // an indirect call and a short backward jmp (ebdf). Which API is
            // called via ff15 is masked and unknown here.
            //   a3????????           | mov                 dword ptr [addr], eax (addr masked)
            //   813d????????d6d4b000     | cmp                 dword ptr [addr], 0xb0d4d6 (addr masked)
            //   7308                 | jae                 0xa
            //   ff15????????         | call                dword ptr [addr] (addr masked)
            //   ebdf                 | jmp                 0xffffffe1

        $sequence_5 = { 8b45f8 66895014 b9b6000000 8b55f8 66894a16 8b45f8 }
            // n = 6, score = 100
            // Reads like compiled code filling 16-bit fields at +0x14 and +0x16
            // of a structure pointed to by the local at [ebp-8]; the value
            // written at +0x16 is 0xb6. Structure type is not identifiable here.
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   66895014             | mov                 word ptr [eax + 0x14], dx
            //   b9b6000000           | mov                 ecx, 0xb6
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   66894a16             | mov                 word ptr [edx + 0x16], cx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_6 = { 8bf0 0335???????? 68e0110000 ff15???????? 8bf8 033d???????? }
            // n = 6, score = 100
            // Reads like compiled code: the result of one call is kept in esi
            // and offset by a global, then 0x11e0 is pushed for an indirect call
            // whose result goes to edi and is offset by another global.
            // The called APIs are masked; do not infer their identity from this.
            //   8bf0                 | mov                 esi, eax
            //   0335????????         | add                 esi, dword ptr [addr] (addr masked)
            //   68e0110000           | push                0x11e0
            //   ff15????????         | call                dword ptr [addr] (addr masked)
            //   8bf8                 | mov                 edi, eax
            //   033d????????         | add                 edi, dword ptr [addr] (addr masked)

        $sequence_7 = { a7 b4f3 de9fc3038352 04f3 de00 750d }
            // n = 6, score = 100
            // NOTE(review): cmpsd followed by ficomp/fiadd with an implausible
            // displacement — likely data, not code (see note above)
            //   a7                   | cmpsd               dword ptr [esi], dword ptr es:[edi]
            //   b4f3                 | mov                 ah, 0xf3
            //   de9fc3038352         | ficomp              word ptr [edi + 0x528303c3]
            //   04f3                 | add                 al, 0xf3
            //   de00                 | fiadd               word ptr [eax]
            //   750d                 | jne                 0xf

        $sequence_8 = { 1f bf1783d911 7ce9 52 2b1c44 }
            // n = 5, score = 100
            // NOTE(review): starts with pop ds — likely data, not code (see note above)
            //   1f                   | pop                 ds
            //   bf1783d911           | mov                 edi, 0x11d98317
            //   7ce9                 | jl                  0xffffffeb
            //   52                   | push                edx
            //   2b1c44               | sub                 ebx, dword ptr [esp + eax*2]

        $sequence_9 = { 83c201 8915???????? eb86 5f 5e }
            // n = 5, score = 100
            // Reads like a loop tail: increment edx, store it to a global, jump
            // back (eb86), with the function epilogue (pop edi / pop esi)
            // placed right after the loop.
            //   83c201               | add                 edx, 1
            //   8915????????         | mov                 dword ptr [addr], edx (addr masked)
            //   eb86                 | jmp                 0xffffff88
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

    condition:
        // Match when at least 7 of the 10 $sequence_* strings are present and
        // the scanned object is smaller than 2677760 bytes (~2.55 MiB); the
        // size cap limits scan cost and excludes large containers.
        // NOTE(review): YARA leaves `filesize` undefined when scanning a live
        // process, which makes this condition evaluate as not matched; apply
        // the rule to files or written-out memory dumps, or evaluate the size
        // check separately for process scans — confirm against your YARA version.
        7 of them and filesize < 2677760
}