{
	"id": "20423465-3d74-410a-847c-0b4bcd26fba3",
	"created_at": "2026-04-06T00:21:24.013703Z",
	"updated_at": "2026-04-10T03:38:09.827953Z",
	"deleted_at": null,
	"sha1_hash": "5ceca9a2d28626d55901b3c49563549af3191413",
	"title": "WastedLoader or DridexLoader?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 941869,
	"plain_text": "WastedLoader or DridexLoader?\r\nBy Jason Reaves\r\nPublished: 2021-05-31 · Archived: 2026-04-05 21:59:05 UTC\r\nMay 31, 2021\r\nBy: Jason Reaves and Joshua Platt\r\nRecently BitDefender wrote up a very detailed report on a loader that shares similarities with WastedLocker and is being delivered via the RIG exploit kit[1]. At the time I was researching Dridex chains, and since WastedLocker has code similarities with Dridex[2] and is leveraged by EvilCorp[2,3,4,5,6], I took a quick look at the hashes from the report.\r\nOf the hashes from the report only 1 seems publicly available, 6ee2138d5467da398e02afe2baea9fbe. In the BitDefender report they reference an overlap with WastedLocker in what they label as ‘layer1’; this is actually the crypter layer, meaning that if the crypter is private to one group then the overlap will show up in known malware associated with this group.\r\nhttps://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77\r\nPage 1 of 4\r\nCrypter Registry Check\r\nAfter unpacking the malware we are left with a sample that lines up with the BitDefender report, but some of the characteristics also line up with the other malware families associated with this group, such as the love of hiding RC4 encrypted strings using a 40 byte key that is reversed, which is also used by Dridex and DoppelPaymer.\r\nCopy key and reverse it\r\nRC4\r\nAfter beginning to decode some of the strings I started to notice that it looks more and more like a Dridex Loader. Small snippet of decoded strings below:\r\nStarting path:\r\nShellFolder\r\nv0vajEOvEWKQf2dajlupVdyIEZlAQX1T7H994Q;HJPM4qNHuqGU3XeDOkMccS1IZyjev70FCelRDHTXLJszFZqshgVlsiV27SrJbCO3LMap\r\n\u003cautoElevate\u003etrue\r\ntrue\r\nfalse\r\n\u003cTask xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\" version=\"1.3\"\u003e\u003cRegistrationInfo\u003e\r\n\u003c/RegistrationInfo\u003e\u003cTriggers\u003e\u003cLogonTrigger\u003e\u003cEnabled\u003etrue\u003c/Enabled\u003e\u003cUserId\u003e\r\nROOT\\CIMV2\r\nSELECT * FROM Win32_Fan\r\n*.dll\r\n*.exe\r\nProgram Manager\r\nProgman\r\nAdvApi32~PsApi~shlwapi~shell32~WinInet\r\n/run /tn \"%ws\"\r\n\"%ws\" /grant:r \"%ws\":F\r\n\\NTUSER.DAT\r\nwinsxs\r\nx86_*\r\namd64_*\r\n*.exe\r\n\\Sessions\\%d\\BaseNamedObjects\\\r\nSOFTWARE/TrendMicro/Vizor\\VizorUniclientLibrary.dllProductPath\r\nSo I decided to check whether the CAPE sandbox YARA rule matches this unpacked sample as a Dridex Loader[7]. I used the rule from the CAPE decoder and it hit on the unpacked sample. Along with the decoder being able to decode out the Dridex Loader config, I believe it is safe to say this is the Dridex Loader, leaving one to guess whether the other two samples are also Dridex Loaders or not.\r\n{'C2': ['51.68.224.245:4646', '188.165.17.91:8443', '173.255.246.77:691'], 'RC4_Key': 'v0vajEOvEWKQf2dajlupVdy\r\nReferences\r\n1: https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf\r\n2: https://blog.fox-it.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/\r\n3: https://www.wired.com/story/alleged-russian-hacker-evil-corp-indicted/\r\n4: https://home.treasury.gov/news/press-releases/sm845\r\n5: https://www.bellingcat.com/news/uk-and-europe/2020/02/17/v-like-vympel-fsbs-secretive-department-v-behind-assassination-of-zelimkhan-khangoshvili/\r\n6: https://www.rferl.org/a/in-lavish-wedding-photos-clues-to-an-alleged-russian-cyberthief-fsb-family-ties/30320440.html\r\n7: https://github.com/kevoreilly/CAPEv2/blob/1e66d2460276b28b45bea8123cc74daa83295f68/modules/processing/parsers/mwcp/DridexL\r\nSource: https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77"
	],
	"report_names": [
		"wastedloader-or-dridexloader-4f47c9b3ae77"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434884,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ceca9a2d28626d55901b3c49563549af3191413.pdf",
		"text": "https://archive.orkl.eu/5ceca9a2d28626d55901b3c49563549af3191413.txt",
		"img": "https://archive.orkl.eu/5ceca9a2d28626d55901b3c49563549af3191413.jpg"
	}
}