WastedLoader or DridexLoader? By Jason Reaves Published: 2021-05-31 · Archived: 2026-04-05 21:59:05 UTC 3 min read May 31, 2021 By: Jason Reaves and Joshua Platt Press enter or click to view image in full size Recent BitDefender wrote up a very detailed report on a loader that shares similarities with WastedLocker being delivered via RIG exploit kit[1]. At the time I was researching Dridex chains and since WastedLocker has code similarities with Dridex[2] and being leveraged by EvilCorp[2,3,4,5,6] I took a quick look at the hashes from the report. Of the hashes from the report only 1 seems publicly available, 6ee2138d5467da398e02afe2baea9fbe. In the BitDefender report they reference an overlap with WastedLocker in what they label as ‘layer1’, this is actually the crypter layer meaning if the crypter is private to one group then the overlap will show up in known malware associated with this group. https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77 Page 1 of 4 Crypter Registry Check After unpacking the malware we are left with a sample that lines with the BitDefender report but some of the characteristics also line up with other the other malware families associated with this group such as the love of hiding RC4 encrypted strings using a 40 byte key that is reversed which is also used by Dridex and DoppelPaymer. Copy key and reverse it https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77 Page 2 of 4 RC4 After beginning to decode some of the strings I started to notice that itlooks more and more like a Dridex Loader. Small snippet of decoded strings below: Starting path: ShellFolder v0vajEOvEWKQf2dajlupVdyIEZlAQX1T7H994Q;HJPM4qNHuqGU3XeDOkMccS1IZyjev70FCelRDHTXLJszFZqshgVlsiV27SrJbCO3LMap true true false true ROOT\CIMV2 SELECT * FROM Win32_Fan *.dll *.exe Program Manager Progman AdvApi32~PsApi~shlwapi~shell32~WinInet /run /tn "%ws" "%ws" /grant:r "%ws":F https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77 Page 3 of 4 \NTUSER.DAT winsxs x86_* amd64_* *.exe \Sessions\%d\BaseNamedObjects\ SOFTWARE/TrendMicro/Vizor\VizorUniclientLibrary.dllProductPath So I decided to check if the CAPE sandbox yara rule perhaps matches this unpacked sample as a Dridex Loader[7], I used the rule from the CAPE decoder and it hit on the unpacked sample. Along with the decoder being about to decode out the Dridex Loader config I believe it is safe to say this is the Dridex Loader, leaving one to guess whether the other two samples are also Dridex Loaders or not? {'C2': ['51.68.224.245:4646', '188.165.17.91:8443', '173.255.246.77:691'], 'RC4_Key': 'v0vajEOvEWKQf2dajlupVdy References 1:https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf Get Jason Reaves’s stories in your inbox Join Medium for free to get updates from this writer. Remember me for faster sign in 2:https://blog.fox-it.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ 3:https://www.wired.com/story/alleged-russian-hacker-evil-corp-indicted/ 4:https://home.treasury.gov/news/press-releases/sm845 5:https://www.bellingcat.com/news/uk-and-europe/2020/02/17/v-like-vympel-fsbs-secretive-department-v-behind-assassination-of-zelimkhan-khangoshvili/ 6:https://www.rferl.org/a/in-lavish-wedding-photos-clues-to-an-alleged-russian-cyberthief-fsb-family-ties/30320440.html 7:https://github.com/kevoreilly/CAPEv2/blob/1e66d2460276b28b45bea8123cc74daa83295f68/modules/processing/parsers/mwcp/DridexL Source: https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77 https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77 Page 4 of 4