MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faf4beb7a2b772c2e27568b9875b19059e55b17d6cdcb4d1c62973a89a071578. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Redeemer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: faf4beb7a2b772c2e27568b9875b19059e55b17d6cdcb4d1c62973a89a071578
SHA3-384 hash: 6c376508b7742659d4cc4d01dab87a99cba8dca57a310fafc42917c8641688ade85b79a2f2dcad49771e8ea492a141be
SHA1 hash: 5ac0b2609e3971c20a37ec3c790eca526036843f
MD5 hash: 384f4cca34e9bd3174c7959b142b5d7b
humanhash: ohio-massachusetts-spring-shade
File name:faf4beb7a2b772c2e27568b9875b19059e55b17d6cdcb4d1c62973a89a071578
Download: download sample
Signature Redeemer
Create hunting rule
File size:3'361'792 bytes
First seen:2022-11-09 12:51:55 UTC
Last seen:2022-11-09 14:42:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f5333bcfcde7212e843a786d98753906 (2 x Redeemer, 1 x RustyStealer)
ssdeep 98304:9goS+ZFcEsZUONQnvO9IsDW2X41U58ci8FpnuzK:9hFJyU4IAWX5chLum
Threatray 6 similar samples on MalwareBazaar
TLSH T1D8F533DD318271EAFC6E4C3D461E044FF941A069E5A06C53F59BCA73EC34A6822B4E6D
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter petikvx
Tags:Ransomware redeemer

Intelligence

File Origin
# of uploads :
2
# of downloads :
425
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
faf4beb7a2b772c2e27568b9875b19059e55b17d6cdcb4d1c62973a89a071578
Verdict:
No threats detected
Analysis date:
2022-11-09 13:16:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/444e382f-e477-4041-baf5-7e8163f411ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331205/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.63507557.32701.8395.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Running batch commands
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Searching for the window
Enabling autorun with the shell\open\command registry branches
Launching a tool to kill processes
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed shell32.dll
Link:
https://www.filescan.io/uploads/636ba27582dd9f2e26532723/reports/5efb471e-3b1c-4982-a3fa-70cc89a6ffcd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Redeemer Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d441da0f-faf3-46ac-9ab1-d29b18cbd37f
Result
Threat name:
Redeem
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1109322
Signature
Clears the windows event log
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Redeem Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 742003 Sample: 4mIA12r9R0.exe Startdate: 09/11/2022 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected Redeem Ransomware 2->62 64 2 other signatures 2->64 8 4mIA12r9R0.exe 2 2->8         started        process3 dnsIp4 54 www.ipinfo.io 34.117.59.81, 443, 49699 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->54 56 lunar-reborn.cc 188.114.97.3, 443, 49700 CLOUDFLARENETUS European Union 8->56 44 C:\Users\user\AppData\Local\Temp\build.exe, PE32 8->44 dropped 68 May check the online IP address of the machine 8->68 13 build.exe 4 251 8->13         started        17 choice.exe 1 8->17         started        file5 signatures6 process7 file8 46 C:\Users\user\Desktop\WKXEWIOTXI.png, DOS 13->46 dropped 48 C:\Users\user\Desktop\PWCCAWLGRE.mp3.redeem, COM 13->48 dropped 50 7S2boItysRJpa1IMRP...AuDTwH5LNZA6 (copy), DOS 13->50 dropped 52 142 other files (140 malicious) 13->52 dropped 70 Multi AV Scanner detection for dropped file 13->70 72 Clears the windows event log 13->72 74 Deletes shadow drive data (may be related to ransomware) 13->74 76 5 other signatures 13->76 19 cmd.exe 1 13->19         started        22 cmd.exe 1 13->22         started        24 cmd.exe 1 13->24         started        28 39 other processes 13->28 26 conhost.exe 17->26         started        signatures9 process10 signatures11 66 Deletes shadow drive data (may be related to ransomware) 19->66 30 vssadmin.exe 1 19->30         started        32 wevtutil.exe 1 22->32         started        34 wevtutil.exe 1 24->34         started        36 wevtutil.exe 1 28->36         started        38 wevtutil.exe 1 28->38         started        40 taskkill.exe 28->40         started        42 30 other processes 28->42 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/faf4beb7a2b772c2e27568b9875b19059e55b17d6cdcb4d1c62973a89a071578/
Threat name:
Win64.Trojan.DelShad
Create hunting rule
Status:
Malicious
First seen:
2022-11-08 18:57:24 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
14 of 40 (35.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7l2l5n5cw5zmfytvnc4yowyzawpflml5ntoljuogffz2rgqhcv4a._file
Verdict:
malicious
Similar samples:
1c753941a2ae4758505208a8a1e73b3ab686627e04be298fe888267be449bbb4
Redeemer
3b2d618e3b0e1c567e74ae298adeec4b589de973f4f85fbb2d787a3b4bdf2169
Redeemer
529c86a3a641cebd27567331ab8305827cb79acba5928e8ce04cf7e55e84bf92
Redeemer
7c8dc5d401238f679c24463c4dc79c89636f41b8b328e0e02d81e7a1ad8442b1
Redeemer
97fd9f15a70326bd7eaa7489e6f75bf118546a11cb249902723221dd68802e7c
Redeemer
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware stealer upx
Link:
https://tria.ge/reports/221109-p32ybshae7/
Behaviour
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Modifies WinLogon
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
UPX packed file
Clears Windows event logs
Unpacked files
SH256 hash:
52635d49f4175a2bd212cc532e6df5646501ffd2e2b84540713a738b26c025ed
MD5 hash:
0e781abe3baef00fc93e79ab15f64a6c
SHA1 hash:
8b363f73e0dd77ec366c1d5bb729ca4766ab92e4
Link:
https://www.unpac.me/results/1aef9eb9-0e10-42e1-badf-0fd2b139ed80/
SH256 hash:
faf4beb7a2b772c2e27568b9875b19059e55b17d6cdcb4d1c62973a89a071578
MD5 hash:
384f4cca34e9bd3174c7959b142b5d7b
SHA1 hash:
5ac0b2609e3971c20a37ec3c790eca526036843f
Link:
https://www.unpac.me/results/1aef9eb9-0e10-42e1-badf-0fd2b139ed80/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/faf4beb7a2b7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/faf4beb7a2b772c2e27568b9875b19059e55b17d6cdcb4d1c62973a89a071578

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/331205/

Comments