{
	"id": "980837d6-6600-4748-9e5e-03c6718c4e2d",
	"created_at": "2026-04-06T00:13:48.21974Z",
	"updated_at": "2026-04-10T03:21:04.235766Z",
	"deleted_at": null,
	"sha1_hash": "8422e7f132a17253f4edd3adb645af23232fc344",
	"title": "Russian Language Malspam Pushing Redaman Banking Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2350403,
	"plain_text": "Russian Language Malspam Pushing Redaman Banking Malware\r\nBy Brad Duncan, Mike Harbison\r\nPublished: 2019-01-23 · Archived: 2026-04-05 15:13:24 UTC\r\nRedaman is banking malware first noted in 2015 that targets recipients who conduct transactions using Russian\r\nfinancial institutions. First reported as the RTM banking Trojan, vendors like Symantec and Microsoft described\r\nan updated version of this malware as Redaman in 2017. We have found versions of Redaman in Russian language\r\nmass-distribution campaigns during the last four months of 2018. This blog tracks recent developments from an\r\nongoing campaign of malicious spam (malspam) currently distributing this banking malware from September\r\nthrough December of 2018. We cover the following areas:\r\nInfection vector\r\nEmail characteristics\r\nTargeted recipients\r\nAnalysis of a Redaman sample\r\nInfection traffic\r\nInfection vector\r\nSince September of 2018, Redaman banking malware has been distributed through malspam. In this campaign, the\r\nRussian language malspam is addressed to Russian email recipients, often with email addresses ending in .ru.\r\nThese emails have file attachments. These file attachments are archived Windows executable files disguised as a\r\nPDF document. In September 2018, the attachments were zip archives. In October 2018, the attachments were zip\r\narchives, 7-zip archives, and rar archives. In November 2018, the attachments were rar archives. And in December\r\n2018, the attachments changed to gzip archives with file names ending in .gz.\r\nhttps://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/\r\nPage 1 of 12\n\nFigure 1: Flow chart for infections from Redaman banking malware from September through December of 2018.\r\nThe emails\r\nSubject lines, message text, and attachment names constantly change for this malspam. 
But the messages all have\r\na common theme: they refer to a document or file for an alleged financial issue the recipient needs to resolve.\r\nThese messages are often vague, and they contain few details on the alleged financial issue. Their only goal is to\r\ntrick the recipient into opening the attached archive and double-clicking the executable contained within.\r\nAmong dozens of examples seen from September through December of 2018, here is a selection of 10 subject\r\nlines from this malspam:\r\nSubject: Акт сверки сентябрь-октябрь\r\nSubject: Весь пакет док-ов за прошлый месяц\r\nSubject: Все док-ты за август-сентябрь\r\nSubject: Деб.задолженность среда\r\nSubject: Документы, сверка 02.10\r\nSubject: Заявка на возврат за ноябрь\r\nSubject: Необходимо свериться среда\r\nSubject: Отправка на за прошлую неделю\r\nSubject: Пакет документов для оплаты 1е октября\r\nSubject: Сверка на оплату\r\nThe following are English translations of the above subject lines:\r\nSubject: Reconciliation statement, September-October\r\nSubject: Full package of documents for last month\r\nSubject: All documents for August-September\r\nSubject: Accounts receivable, Wednesday\r\nSubject: Documents, reconciliation 02.10\r\nSubject: Refund request for November\r\nSubject: Need to reconcile, Wednesday\r\nSubject: Sending for last week\r\nSubject: Package of documents for payment, October 1\r\nSubject: Reconciliation for payment\r\nFigure 2: Example of Redaman malspam from September 2018.\r\nFigure 3: Example of Redaman malspam from October 2018.\r\nFigure 4: Example of Redaman malspam from November 
2018.\r\nFigure 5: Example of Redaman malspam from December 2018.\r\nTargeted recipients\r\nThe content of these emails and data from our AutoFocus threat intelligence platform confirm this campaign is\r\nprimarily targeting Russian recipients. We found 3,845 email sessions in AutoFocus with attachments tagged as\r\nRedaman banking malware from September through December 2018. Data on the top 10 senders and recipients of\r\nthis malspam follow:\r\nMail servers of the top 10 senders:\r\nFrom Russia - 3,456\r\nFrom Belarus - 98\r\nFrom Ukraine - 93\r\nFrom Germany - 30\r\nFrom Estonia - 29\r\nFrom United States - 21\r\nFrom Netherlands - 12\r\nFrom Great Britain - 7\r\nFrom Switzerland - 7\r\nFrom Latvia - 2\r\nMail servers of the top 10 recipients:\r\nTo Russia - 2,894\r\nTo Netherlands - 195\r\nTo United States - 55\r\nTo Sweden - 24\r\nTo Japan - 16\r\nTo Kazakhstan - 12\r\nTo Spain - 12\r\nTo Finland - 11\r\nTo Germany - 6\r\nTo Austria - 4\r\nFigure 6: AutoFocus map visualization for distribution of email recipients, September through December of 2018.\r\nAnalysis of a Redaman sample\r\nWe analyzed a sample of Redaman malware from malspam on November 13th, 2018.\r\nSHA256 hash of rar archive from the malspam:\r\nf6fb51809caec2be6164863b5773a7ee3ea13a449701a1f678f0655b6e8720df\r\nSHA256 hash of Redaman executable extracted from the rar archive:\r\ncd961e81366c8d9756799ec8df14edaac5e3ae4432c3dbf8e3dd390e90c3e22f\r\nSHA256 hash of Redaman DLL created by the above executable:\r\n14d33b02a497e46f470d30180a09a1057c6802c1f37b0efbf82cbdc47a8ae7ff\r\nWhen the Windows executable for Redaman is first run, it checks for the following files or directories on the local\r\nhost (C:\\ or D:\\ 
drives):\r\nC:\\cuckoo\r\nC:\\fake_drive\r\nC:\\perl\r\nC:\\strawberry\r\nC:\\targets.xls\r\nC:\\tsl\r\nC:\\wget.exe\r\nC:\\*python*\r\nIf any of the above files or directories exist, the Windows executable throws an exception and exits. This indicates\r\nRedaman checks whether it is running in a sandbox or similar analysis environment: Cuckoo Sandbox, Perl and\r\nPython installations, and wget are typical of analysis hosts, not of an ordinary business workstation.\r\nIf no exceptions occur, the Windows executable drops a DLL file in the user's AppData\\Local\\Temp\\ directory,\r\ncreates a randomly-named folder under the C:\\ProgramData\\ directory and moves the DLL under that folder with a\r\nrandom file name. This Redaman DLL is made persistent through a scheduled Windows task with the following\r\nproperties:\r\nName: Windows Update\r\nDescription: Updating Windows components.\r\nTriggers: Executed whenever the user logs on\r\nAction: rundll32.exe \"C:\\ProgramData\\%random value%\\%random value.random 3-character\r\nextension%\",DllGetClassObject host\r\nAfter creating the scheduled task and causing the DLL to load, the initial Redaman executable file deletes itself.\r\nFigure 7: Example of a Redaman DLL persistent through a scheduled task.\r\nFigure 8: Process Hacker showing the Redaman DLL active using rundll32.exe.\r\nRedaman uses an application-defined hook procedure to monitor browser activity, specifically Chrome, Firefox,\r\nand Internet Explorer. It then searches the local host for information related to the financial sector. 
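The persistence described above (a task named Windows Update at the root of the task library, a logon trigger, and a rundll32.exe action that loads a randomly named DLL with a random three-character extension from a random folder under C:\\ProgramData\\ through its DllGetClassObject export) is specific enough to hunt for in task definitions. The Python below is an added example, not code from the original post or from Unit 42: it parses Task Scheduler XML (the files under C:\\Windows\\System32\\Tasks can be read as bytes and passed straight in) and scores each task against those indicators. The folder and file names in the constructed sample task are made up; the real ones are random.

```python
import xml.etree.ElementTree as ET

# Characters spelled out with chr() so this sample contains no escape sequences.
BS = chr(92)   # backslash
DQ = chr(34)   # double quote
NS = '{http://schemas.microsoft.com/windows/2004/02/mit/task}'
PROGRAMDATA = 'c:' + BS + 'programdata' + BS   # compared against lowercased arguments

def task_actions(task_xml):
    # Yield (command, arguments) for every <Exec> action in a task definition.
    root = ET.fromstring(task_xml)
    for exe in root.iter(NS + 'Exec'):
        cmd = exe.findtext(NS + 'Command', default='')
        args = exe.findtext(NS + 'Arguments', default='')
        yield cmd.strip(), args.strip()

def has_logon_trigger(task_xml):
    return ET.fromstring(task_xml).find('.//' + NS + 'LogonTrigger') is not None

def rundll32_programdata_target(args):
    # Return the path when rundll32 is handed a file exactly two levels under
    # ProgramData with a three-character extension, the layout described above.
    low = args.lower()
    start = low.find(PROGRAMDATA)
    if start < 0:
        return None
    end = start
    while end < len(args) and args[end] not in (DQ, ','):
        end += 1
    path = args[start:end]
    parts = path[len(PROGRAMDATA):].split(BS)
    if len(parts) != 2:
        return None
    stem, dot, ext = parts[1].rpartition('.')
    if not dot or not stem or len(ext) != 3:
        return None
    return path

def score_task(name, task_xml):
    # Return the Redaman-style indicators this task matches (empty if none).
    hits = []
    if name.strip().lower() == 'windows update':
        hits.append('task named Windows Update at the root of the task library')
    if has_logon_trigger(task_xml):
        hits.append('runs at every user logon')
    for cmd, args in task_actions(task_xml):
        if not cmd.lower().endswith('rundll32.exe'):
            continue
        hits.append('rundll32.exe action')
        target = rundll32_programdata_target(args)
        if target is not None:
            hits.append('DLL under ProgramData: ' + target)
        if 'dllgetclassobject' in args.lower():
            hits.append('entry point DllGetClassObject')
    return hits

def scan(tasks, min_hits=3):
    # tasks maps the task path (as shown in Task Scheduler) to its XML text or bytes.
    findings = {}
    for name, task_xml in tasks.items():
        hits = score_task(name, task_xml)
        if len(hits) >= min_hits:
            findings[name] = hits
    return findings

# Constructed task definitions; the ProgramData folder and file names are made up.
REDAMAN_TASK = '''<Task version='1.2' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <RegistrationInfo><Description>Updating Windows components.</Description></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context='Author'><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>&quot;C:{bs}ProgramData{bs}ek2vqz{bs}qb7d1.hsa&quot;,DllGetClassObject host</Arguments>
  </Exec></Actions>
</Task>'''.format(bs=BS)

BENIGN_TASK = '''<Task version='1.2' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <Triggers><CalendarTrigger><StartBoundary>2018-11-13T09:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context='Author'><Exec>
    <Command>C:{bs}Program Files{bs}Vendor{bs}updater.exe</Command>
    <Arguments>/quiet</Arguments>
  </Exec></Actions>
</Task>'''.format(bs=BS)

SAMPLE_TASKS = {'Windows Update': REDAMAN_TASK, 'VendorUpdater': BENIGN_TASK}

if __name__ == '__main__':
    for name, hits in scan(SAMPLE_TASKS).items():
        print(name)
        for hit in hits:
            print('  - ' + hit)
```

Legitimate Windows Update tasks live under the Microsoft\\Windows\\WindowsUpdate\\ folder and do not run rundll32.exe with a DllGetClassObject entry point, so a threshold of three indicators flags the sample task (which matches all five) without flagging the benign one.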
Other\r\ncapabilities of Redaman include:\r\nDownloading files to the infected host\r\nKeylogging\r\nCapturing screenshots and recording video of the Windows desktop\r\nCollecting and exfiltrating financial data, specifically targeting Russian banks\r\nSmart card monitoring\r\nShutting down the infected host\r\nAltering DNS resolution through the Windows hosts file\r\nRetrieving clipboard data\r\nTerminating running processes\r\nAdding certificates to the Windows certificate store\r\nInfection traffic\r\nWe generated the following infection traffic using the executable with SHA256 hash\r\ncd961e81366c8d9756799ec8df14edaac5e3ae4432c3dbf8e3dd390e90c3e22f on November 14th, 2018:\r\n104.28.16[.]33 port 443 - namecha[.]in - GET /name/d/stat-counter-3-1\r\n185.141.61[.]246 port 80 - 185.141.61[.]246 - POST /index.php\r\n193.37.213[.]28 port 80 - 193.37.213[.]28 - POST /p/g_3453456jawd346.php\r\nFigure 9: Redaman infection traffic filtered in Wireshark.\r\nNetwork activity started with an HTTPS URL to namecha[.]in, which is an alternative Namecoin block explorer.\r\nNamecoin is a cryptocurrency system that can be used for decentralized DNS. That proves to be the case here,\r\nsince the URL returned an IP address used for subsequent post-infection traffic as shown in Figure 10.\r\nFigure 10: Data returned from namecha[.]in used for subsequent infection traffic.\r\nDuring the infection, callback traffic was periodically sent to a command and control (C2) server at\r\n185.141.61[.]246. 
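The traffic listed above has two properties that are cheap to check at a proxy or in HTTP logs: a name lookup against a Namecoin block explorer (namecha[.]in, path /name/d/...) from a workstation, and HTTP POSTs whose Host header is a bare public IP address rather than a hostname. The Python below is an added example and not code from the original post or from Unit 42: it runs both checks over constructed log lines that restate the three requests above (un-defanged) plus benign filler, and correlates them per source host. The log format and the assumption that the port 443 request is visible through a decrypting proxy are mine.

```python
import ipaddress
from collections import defaultdict

# Constructed log lines: ts, src, dst, dport, host, method, uri (space-separated).
# The first three restate the traffic listed above, un-defanged; the rest are
# benign filler. A decrypting proxy is assumed for the port 443 request.
SAMPLE_LOG = '''
1542200001.10 10.0.0.7 104.28.16.33 443 namecha.in GET /name/d/stat-counter-3-1
1542200002.40 10.0.0.7 185.141.61.246 80 185.141.61.246 POST /index.php
1542200065.90 10.0.0.7 193.37.213.28 80 193.37.213.28 POST /p/g_3453456jawd346.php
1542200070.00 10.0.0.9 93.184.216.34 80 example.com GET /
1542200071.00 10.0.0.9 93.184.216.34 80 example.com POST /login
1542200099.00 10.0.0.9 10.0.0.1 80 10.0.0.1 POST /printers/status
'''

# Block explorers that answer Namecoin name lookups over HTTP; extend as needed.
NAMECOIN_EXPLORERS = {'namecha.in'}

def parse_line(line):
    ts, src, dst, dport, host, method, uri = line.split()
    return {'ts': float(ts), 'src': src, 'dst': dst, 'dport': int(dport),
            'host': host, 'method': method, 'uri': uri}

def is_bare_ip_host(host):
    # True when the Host header is a literal IP address rather than a name.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def classify(rec):
    # Indicator names matched by one request (empty list for ordinary traffic).
    tags = []
    if rec['host'].lower() in NAMECOIN_EXPLORERS and rec['uri'].startswith('/name/d/'):
        tags.append('namecoin-name-lookup')
    if (rec['method'] == 'POST' and is_bare_ip_host(rec['host'])
            and ipaddress.ip_address(rec['dst']).is_global):
        tags.append('post-to-bare-public-ip')
    return tags

def correlate(log_text, window=3600.0):
    # Per source host: a Namecoin name lookup followed within `window` seconds
    # by a POST to a bare public IP, the resolution-then-callback sequence above.
    lookups = defaultdict(list)
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        tags = classify(rec)
        if 'namecoin-name-lookup' in tags:
            lookups[rec['src']].append(rec['ts'])
        if 'post-to-bare-public-ip' in tags:
            if any(0 <= rec['ts'] - t <= window for t in lookups[rec['src']]):
                findings.append((rec['src'], rec['dst'], rec['uri']))
    return findings

if __name__ == '__main__':
    for src, dst, uri in correlate(SAMPLE_LOG):
        print(src + ' -> ' + dst + ' ' + uri)
```

Either indicator alone is noisy: some software POSTs to IP literals, and a user might browse a block explorer. The pairing (a lookup, then within an hour a POST to a bare public IP from the same source) is what reproduces the resolution-then-callback sequence shown in Figure 10, so only that pairing is reported; POSTs to private addresses such as a printer are ignored.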
Shortly after the infection, return traffic from the C2 server sent a Pony variant DLL to the\r\ninfected Windows client.\r\nFigure 11: Using Wireshark to find 58 kB of encoded data returned from the C2 server at 185.141.61[.]246.\r\nData for the Pony variant DLL was XOR encoded with multiple XOR keys and compressed with the Windows Rtl\r\ncompression API (RtlCompressBuffer/RtlDecompressBuffer). The SHA256 of\r\nthis Pony variant DLL is b4701d95219d465e978c4a815fcce89787916da33ae2a49d0e76d4445fd39ada, and it\r\ngenerated traffic to 193.37.213[.]28/p/g_3453456jawd346.php during the infection.\r\nConclusion\r\nSince it was first noted in 2015, this family of banking malware continues targeting recipients who conduct\r\ntransactions with Russian financial institutions. We found over 100 examples of malspam during the last four\r\nmonths of 2018, and this blog provides a closer look at Redaman during that timeframe. We covered the following\r\nareas:\r\nInfection vector\r\nEmail characteristics\r\nTargeted recipients\r\nAnalysis of a Redaman sample\r\nInfection traffic\r\nWe expect to discover new Redaman samples as 2019 progresses.\r\nPalo Alto Networks customers are protected from this threat. Traps identifies these files through Local Analysis\r\nand WildFire has classified them as malicious. Our threat prevention platform detects this malware. See the\r\nappendices below for details on Redaman malware we discovered from September through December of\r\n2018.\r\nAppendix A\r\nSHA256 file hashes for 119 malspam attachments, 30 extracted Redaman executable files, and 30 dropped\r\nRedaman DLL files found from September through December 2018. 
Information is available at:\r\nhttps://github.com/pan-unit42/iocs/blob/master/Redaman_banking_malware/2018-09-thru-2018-12-file-hashes-for-Redaman-banking-malware.txt\r\nAppendix B\r\nSHA256 file hashes, archive file names, and extracted file names for Redaman banking malware found in\r\nSeptember 2018. Information is available at: https://github.com/pan-unit42/iocs/blob/master/Redaman_banking_malware/2018-09-file-hashes-for-Redaman-banking-malware.txt\r\nAppendix C\r\nSHA256 file hashes, archive file names, and extracted file names for Redaman banking malware found in October\r\n2018. Information is available at: https://github.com/pan-unit42/iocs/blob/master/Redaman_banking_malware/2018-10-file-hashes-for-Redaman-banking-malware.txt\r\nAppendix D\r\nSHA256 file hashes, archive file names, and extracted file names for Redaman banking malware found in\r\nNovember 2018. Information is available at: https://github.com/pan-unit42/iocs/blob/master/Redaman_banking_malware/2018-11-file-hashes-for-Redaman-banking-malware.txt\r\nAppendix E\r\nSHA256 file hashes, archive file names, and extracted file names for Redaman banking malware found in\r\nDecember 2018. Information is available at: https://github.com/pan-unit42/iocs/blob/master/Redaman_banking_malware/2018-12-file-hashes-for-Redaman-banking-malware.txt\r\nSource: https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/"
	],
	"report_names": [
		"russian-language-malspam-pushing-redaman-banking-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434428,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8422e7f132a17253f4edd3adb645af23232fc344.pdf",
		"text": "https://archive.orkl.eu/8422e7f132a17253f4edd3adb645af23232fc344.txt",
		"img": "https://archive.orkl.eu/8422e7f132a17253f4edd3adb645af23232fc344.jpg"
	}
}