MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3adfb055c94c9506a811406f5ffbb6db42dc960a8175065fb0625a62b3fcfd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Redeemer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3adfb055c94c9506a811406f5ffbb6db42dc960a8175065fb0625a62b3fcfd4
SHA3-384 hash: 74fb8c16b3b36905793ec59499b517680a15b383552ef7515e76cac17f84f45fb079e50a368c63fd7b18c3f9251ec82b
SHA1 hash: 253cc7209fc3d0d681516402932789fb103c770e
MD5 hash: 43a488675595c22136d5b845f554ff6e
humanhash: washington-charlie-robert-kilo
File name:f3adfb055c94c9506a811406f5ffbb6db42dc960a8175065fb0625a62b3fcfd4
Download: download sample
Signature Redeemer
Create hunting rule
File size:3'361'792 bytes
First seen:2022-11-09 12:51:26 UTC
Last seen:2022-11-09 14:42:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f5333bcfcde7212e843a786d98753906 (2 x Redeemer, 1 x RustyStealer)
ssdeep 98304:DN4c4CUmp7OuHVcs91RMhzqP38DrK2E/UMgAO:DN3Eo7dHh9jMBqP3c23zgAO
Threatray 3 similar samples on MalwareBazaar
TLSH T19CF53355A79CDA01CFECC7B1CAA558868D6F409279FC074725CE9EF938DA2D421C2C2E
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter petikvx
Tags:Ransomware redeemer

Intelligence

File Origin
# of uploads :
2
# of downloads :
389
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f3adfb055c94c9506a811406f5ffbb6db42dc960a8175065fb0625a62b3fcfd4
Verdict:
No threats detected
Analysis date:
2022-11-09 13:20:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d1f01eef-5c96-4933-9325-460bd67d67e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331204/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.5975.29642.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Sending an HTTP GET request
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun with the shell\open\command registry branches
Launching a tool to kill processes
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug packed shell32.dll trickbot
Link:
https://www.filescan.io/uploads/636ba2737662ecf1083972c7/reports/7d10fc99-53e4-419f-9109-0d8f27f40c39/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Redeemer Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/608379fc-4b3b-4594-bb22-77194b12276b
Result
Threat name:
Redeem
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1109319
Signature
Clears the windows event log
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Redeem Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 741997 Sample: 4djI1ZVk5a.exe Startdate: 09/11/2022 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected Redeem Ransomware 2->60 62 2 other signatures 2->62 8 4djI1ZVk5a.exe 6 2->8         started        process3 dnsIp4 52 www.ipinfo.io 34.117.59.81, 443, 49696 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->52 54 lunar-reborn.cc 188.114.96.3, 443, 49697 CLOUDFLARENETUS European Union 8->54 42 C:\Users\user\AppData\Local\Temp\build.exe, PE32 8->42 dropped 66 May check the online IP address of the machine 8->66 68 Tries to harvest and steal browser information (history, passwords, etc) 8->68 13 build.exe 4 304 8->13         started        17 taskkill.exe 8->17         started        file5 signatures6 process7 file8 44 C:\Users\user\Downloads\Read Me.TXT, ASCII 13->44 dropped 46 C:\Users\user\Desktop\Read Me.TXT, ASCII 13->46 dropped 48 C:\Users\user\Desktop\LIJDSFKJZG.mp3, data 13->48 dropped 50 153 other files (150 malicious) 13->50 dropped 70 Multi AV Scanner detection for dropped file 13->70 72 Clears the windows event log 13->72 74 Deletes shadow drive data (may be related to ransomware) 13->74 76 4 other signatures 13->76 19 cmd.exe 1 13->19         started        22 cmd.exe 1 13->22         started        24 cmd.exe 1 13->24         started        26 40 other processes 13->26 signatures9 process10 signatures11 64 Deletes shadow drive data (may be related to ransomware) 19->64 28 vssadmin.exe 1 19->28         started        30 taskkill.exe 1 22->30         started        32 wevtutil.exe 1 24->32         started        34 wevtutil.exe 1 26->34         started        36 wevtutil.exe 1 26->36         started        38 wevtutil.exe 1 26->38         started        40 30 other processes 26->40 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3adfb055c94c9506a811406f5ffbb6db42dc960a8175065fb0625a62b3fcfd4/
Threat name:
Win64.Infostealer.Greedy
Create hunting rule
Status:
Malicious
First seen:
2022-11-08 20:27:50 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
16 of 40 (40.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ow7wbk4steva2ubcqdpl753nw2c3slavalvazp3ays2mkz7z7ka._file
Verdict:
malicious
Similar samples:
529c86a3a641cebd27567331ab8305827cb79acba5928e8ce04cf7e55e84bf92
Redeemer
faf4beb7a2b772c2e27568b9875b19059e55b17d6cdcb4d1c62973a89a071578
Redeemer
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware stealer upx
Link:
https://tria.ge/reports/221109-p32ybshae6/
Behaviour
Modifies registry class
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Kills process with taskkill
Enumerates physical storage devices
Program crash
Modifies WinLogon
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
UPX packed file
Clears Windows event logs
Unpacked files
SH256 hash:
2fe8bd70bf24de4cbc860415011c5b726a5c7bfd9e195d1370062b0c86bbc6bd
MD5 hash:
13f3112993566d20919d0f96831cfe5d
SHA1 hash:
0fda39dcd2f356904b8d9e5704ff4c74c110c939
Link:
https://www.unpac.me/results/a4e2c014-eb2a-4710-8f6f-b8fc55a57e7c/
SH256 hash:
f3adfb055c94c9506a811406f5ffbb6db42dc960a8175065fb0625a62b3fcfd4
MD5 hash:
43a488675595c22136d5b845f554ff6e
SHA1 hash:
253cc7209fc3d0d681516402932789fb103c770e
Link:
https://www.unpac.me/results/a4e2c014-eb2a-4710-8f6f-b8fc55a57e7c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f3adfb055c94c9506a811406f5ffbb6db42dc960a8175065fb0625a62b3fcfd4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/331204/

Comments