RedBoot

  • First seen: September 2017
  • Aliases:
  • Samples:
    • 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887 | windows | ransom | pe

RedBoot Installer

Basic Properties

| Property | Value |
| --- | --- |
| Size | 1246725 bytes |
| CRC32 | 0x5200f1dc |
| MD5 | e0340f456f76993fc047bc715dfdae6a |
| SHA1 | d47f6f7e553c4bc44a2fe88c2054de901390b2d7 |
| SHA256 | 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887 |
| SHA512 | cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc |
| Ssdeep | 24576:/4GHnhIzOasqUgEOr69/BRH7dCibu+XoAX0eOTva49ttrSpt81ekHPyWe:AshdasJgEOrGBRxCihH7OO49rveMG |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| Packer | PE: packer: UPX(3.91)[NRV,brute] |
| | PE: library: AutoIt(-)[-] |
| | PE: linker: Microsoft Linker(12.0*)[EXE32,admin] |
| TrID | 35.7% (.EXE) UPX compressed Win32 Executable (27066/9/6) |
| | 35.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) |
| | 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) |
| | 6.6% (.EXE) Win16 NE executable (generic) (5038/12/1) |
| | 5.9% (.EXE) Win32 Executable (generic) (4505/5/1) |

Antivirus Scan

- Avast: Win32:Malware-gen
- Avira: DR/Autoit.zbqnm
- Bitdefender: Trojan.GenericKD.6010862
- Clamav: Win.Dropper.Autit-8177147-0
- Comodo: Malware
- Drweb: Trojan.MulDrop7.41556
- Eset: Win32/Filecoder.Autoit.H
- Fsecure: Trojan.TR/Agent.yrnis
- Kaspersky: Trojan.Win32.KillMBR.gff
- Mcafee: Generic Trojan.ei
- Sophos: Mal/Autoit-AE
- Symantec: Ransom.Redboot
- Trendmicro: Ransom_REDBOOT.A
- Windefender: Ransom:AutoIt/RedBoot.A

References