{
	"id": "14d41b48-3440-45da-ba37-c9a9e2bbd220",
	"created_at": "2026-04-06T00:11:20.369753Z",
	"updated_at": "2026-04-10T03:35:03.234374Z",
	"deleted_at": null,
	"sha1_hash": "e94894db3a4736ce397501e2de623cada4303a29",
	"title": "Brief analysis of Redaman Banking Malware (v0.6.0.2) Sample",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 348522,
	"plain_text": "Brief analysis of Redaman Banking Malware (v0.6.0.2) Sample\r\nArchived: 2026-04-05 22:25:26 UTC\r\nRedaman is a well-known banking malware, discovered around 2015. Recently I have been analyzing a recent version of the malware (0.6.0.2, not sure if it is the latest version, probably one of the newest). This malware uses some interesting tricks probably introduced in these recent versions. In this post I share some notes about the analysis.\r\nOriginal Packed Sample: 2b251483ed7705c60ee12b561280a1fc\r\nUnpacked Sample (dll): 2a298a650b50eb89041548e57d72f726\r\nVirustotal First Submission: 2019-10-11 10:35:13\r\nRelated links:\r\nhttps://research.checkpoint.com/2019/ponys-cc-servers-hidden-inside-the-bitcoin-blockchain/\r\nhttps://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/\r\nhttps://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf\r\n1. Anti-analysis tricks\r\n1.1. C2 encoded into bitcoin transactions\r\n1.2. Checks machine name vs user name\r\n1.3. Encrypted strings\r\n1.4. Unpacked module needs correct argument to work properly\r\n1.5. Checks for typical sandboxes files, directories, processes...\r\n1.6. Checks for security products\r\n1.7. Disable Safeboot\r\n2. Bot commands and malware capabilities\r\n3. Yara rules\r\n4. List of encrypted strings\r\n1. Anti-analysis tricks\r\n1.1. C2 encoded into bitcoin transactions\r\nThis trick, discovered by Check Point and explained in this post, is really interesting. The malware gets the C2 addresses from the bitcoin blockchain. The malware doesn't carry C2 addresses into the binary. 
It carries (in the list of encrypted strings) some urls of some services offering APIs related to the bitcoin blockchain:\r\n\"viabtc.com\"\r\n\"/res/btc/transactions/addressv2?address=\"\r\n\"api.blockcypher.com\"\r\n\"/v1/btc/main/addrs/\"\r\n\"?limit=10\"\r\nhttp://www.peppermalware.com/2019/11/brief-analysis-of-redaman-banking.html\r\nPage 1 of 11\n\n\"blockchain.info\"\r\n\"/rawaddr/\"\r\n\"blockchain.coinmarketcap.com\"\r\n\"/api/address?address=\"\r\n\"\u0026symbol=BTC\u0026start=1\u0026limit=10\"\r\nAdditionally, it carries another encrypted string with the C2 schema, a bitcoin address and the C2 uri:\r\n\"http://1N9ALZUgqYzFQGDXvMY5j1c7PGMMGYqUde/index.php\"\r\nThen, the malware composes the blockchain API url, and queries the transactions for the given bitcoin address, for example:\r\nThe malware uses some fields of this json response (exactly the values of the transactions) to compose the C2 addresses, as explained in the following image:\r\nThe threat actor only needs to perform some new transaction with the given bitcoin address to update the C2 list.\r\nThis is quite interesting. A malware could be keeping all kinds of information and configs in the blockchain. It could use these APIs such as api.blockcypher.com, etc... or it could download the blockchain to get all the transactions directly from the blockchain and recover all the needed information.\r\nA domain can be sinkholed, but, using this method, it would be hard to forbid the malware to get updates.\r\n1.2. Checks machine name vs user name\r\nThis is another trick, quite aggressive, that I hadn't seen before. Basically, the malware gets the computer name and the user name. It removes the \"-PC\" suffix from the computer name, then compares the computer name (without -PC) with the username (uppercase). 
If they are the same, exit.\r\nFrequently, real usual users' machines have computer names like DESKTOP-JMP24OS, etc... I suppose with this aggressive trick the malware tries to avoid being executed in sandboxes, AV emulators, etc...\r\n1.3. Encrypted strings\r\nAs explained in welivesecurity's article, the malware decrypts the strings that it is going to use by using a custom rc4 algorithm.\r\nHere, I'm just going to explain how I got the decrypted urls directly from memory and I'm going to share the script that I used to add IDA comments automatically. I used the following Windbg commands to dump all the decrypted strings and their positions in the strings' table:\r\nbp \u003cbase_unpacked_mod\u003e + 291F5  (at this point, strings were decrypted a moment ago)\r\nPrint decrypted ascii strings:\r\n.for ($t0=0;@$t0\u003c0x18b;r $t0=@$t0+1){ .printf \"%d \",4*@$t0; da poi(\u003cbase_unpacked_mod\u003e+2C93C+4*@$t0); .printf \"\\r\\n\"; }\r\nPrint decrypted unicode strings:\r\n.for ($t0=0;@$t0\u003c0xb6;r $t0=@$t0+1){ .printf \"%d \",4*@$t0; du poi(\u003cbase_unpacked_mod\u003e+2CF68+4*@$t0); .printf \"\\r\\n\"; }\r\nWith these commands, I got the list of strings (ascii and unicode), and I used the following IDA python script to set comments for each part of the code where these strings are being used:\r\n1.4. Unpacked module needs correct argument to work properly\r\nOnce the malware is unpacked, the real redaman dll is launched with rundll32 and the DllGetClassObject method is called, and an argument is given:\r\nrundll32 \u003credaman dll path\u003e, DllGetClassObject \u003cpassword\u003e\r\nThe given password needs to be correct; if it is not correct, the encrypted strings can't be decrypted and the malware exits.\r\n1.5. 
Checks for typical sandboxes files, directories, processes...\r\nIt checks for the following files or directories at c:\\ or d:\\ : cuckoo, fake_drive, strawberry, tsl, targets.xls, perl, wget.exe\r\nIt checks for the following names in its own module name: myapp.exe, self.exe, t.exe\r\nAnd for the following processes: vboxservice.exe, python.exe\r\n1.6. Checks for security products\r\nRedaman uses the WbemScripting.SWbemLocator API to search for installed security products:\r\n1.7. Disable Safeboot\r\nThe malware deletes the current safeboot value:\r\n2. Bot commands and malware capabilities\r\nI recommend reading welivesecurity's article to learn about the protocol and encryption used by Redaman banking malware.\r\nIt looks like in the newer versions of the malware they have introduced a much longer list of commands that the bot can receive from the C2 and execute. 
This is the complete list (each command and name is quite self-explanatory):\r\nkeylogger.last-data\r\nkeylogger.last-wnd-caption\r\nkeylogger.last-exe-path\r\nbotnet-prefix\r\nbotnet-id\r\ncc.connect-interval\r\nscan-files\r\npost-install-report\r\ncc.url\r\nmodules.\r\nmodules-data.\r\ndel-module\r\nunload\r\nuninstall\r\nuninstall-lock\r\nfind-files\r\ndownload\r\nshutdown\r\nreboot\r\ncc\r\nget-cc\r\nbotnet-id\r\nprefix\r\nconnect-interval\r\nhosts-add\r\nhosts-clear\r\ndbo-scan\r\ncfg-set-str-a\r\ncfg-set-str-w\r\ncfg-set-dw\r\ncfg-get-str-a\r\ncfg-get-str-w\r\ncfg-get-dw\r\ncfg-del-param\r\nscreenshot\r\ndns\r\nset-dns\r\nget-dns\r\nkill-process\r\nlpe-runas-flags\r\nscards.monitoring-interval\r\nauto-elevate\r\nreload\r\nscard-off\r\nmodules-off\r\ndbo-detector-off\r\nmultiinstance-off\r\nkeylogger-off\r\ndns-servers-changed\r\nhosts-file-changed\r\nvideo.refresh-interval\r\nvideo-start\r\nvideo-stop\r\ndel-files\r\nAdditionally, in the list of encrypted strings, the malware carries a list of strings to match against the browser window name. In case of a match, it is a target site (most of them bank websites) to steal credentials from. 
This is the list of urls of the analyzed sample:\r\nonline.payment.ru\r\nbankline.ru\r\n/ic/login.zhtml\r\n/servlets/ibc\r\nfaktura.ru\r\n/iclient/\r\nibank2\r\nbco.vtb24.\r\nbo.vtb24.\r\ndbo.vtb.\r\nelbrus.raiffeisen\r\nelba.raiffeisen\r\nhandybank.\r\nwupos.westernunion\r\nonline.sberbank.\r\nminbank.ru\r\ne-plat.mdmbank.\r\nlink.alfabank\r\nclick.alfabank\r\nib.avangard\r\nibc.vuzbank.\r\nibc.ubrr.\r\nmy.modulbank.\r\nonline.centrinvest.\r\ncb.mtsbank.\r\nvbo.mkb.\r\ni.bspb.ru\r\ni.vtb.ru\r\nbc.rshb.\r\n/vpnkeylocal\r\nsci.interkassa\r\nibank.mmbank.\r\nblockchain.info\r\n/wallet/\r\ncb.asb.by\r\nbps-sberbank.by\r\ndbo2.bveb.by\r\nibank.bsb.by\r\ncorporate.bgpb.by\r\nibank.alfa-bank.by\r\nibank.belinvestbank.by\r\nib2.ideabank.by\r\nclient.paritetbank.by\r\nibank.priorbank.by\r\nclient.mybank.by\r\nonline.stbank.by\r\nclient.belapb.by\r\nUnk\r\nSberBank_PC\r\nBSS\r\nBSS_PC\r\niBank2_PC\r\nFaktura\r\nPCB\r\nInterPro\r\nRosBank\r\nSBBO\r\nINIST\r\nInversion\r\nInterbank\r\niBank2\r\nBiCrypt\r\nVTB24\r\n1C\r\nSGB\r\nRaiffeisen\r\nHandyBank\r\nWU\r\nSB_Fiz\r\nCFT\r\nWinPost\r\nSBIS\r\nClBank\r\nQiwiCashier\r\nISCC\r\nWebMoney\r\nxTC\r\niFOBS\r\nTRANSAQ\r\nOSMP\r\nMinBank\r\nSFT\r\nMDM\r\nALBO\r\nAlfa_Fiz\r\nAvangard\r\nIntercassa\r\nAmikon\r\nVuzbank\r\nUBRR\r\nModulBank\r\nCentrInvest\r\nMTSBank\r\nMKB\r\nEL_CLI\r\nBSPB\r\nIVTB\r\nRSHB\r\nInfocrypt\r\nMMBank\r\nBlockchainInfo\r\nHBClient\r\nASB\r\nBPS_SB\r\nBVEB\r\nBSB\r\nBGPB\r\nALBO_BY\r\nBelInvest\r\nIdeaBank\r\nParitet\r\nPriorBank\r\nMyBank\r\nStBank\r\nBelAPB\r\nscDBO\r\nAvestCSP\r\n3. Yara rules\r\n4. 
List of encrypted strings\r\nSource: http://www.peppermalware.com/2019/11/brief-analysis-of-redaman-banking.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://www.peppermalware.com/2019/11/brief-analysis-of-redaman-banking.html"
	],
	"report_names": [
		"brief-analysis-of-redaman-banking.html"
	],
	"threat_actors": [
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434280,
	"ts_updated_at": 1775792103,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e94894db3a4736ce397501e2de623cada4303a29.pdf",
		"text": "https://archive.orkl.eu/e94894db3a4736ce397501e2de623cada4303a29.txt",
		"img": "https://archive.orkl.eu/e94894db3a4736ce397501e2de623cada4303a29.jpg"
	}
}