bruteratel | 8453cbbc68f53828186aa63f12dfaefc832c69455fa2539ced76436b73f21790

General

Target

0a1228a1a2e33a2588d29646e84207ca.exe
Size

2.0MB
MD5

0a1228a1a2e33a2588d29646e84207ca
SHA1

674d4ce86e32105c92116b67316839a8e42f09b8
SHA256

8453cbbc68f53828186aa63f12dfaefc832c69455fa2539ced76436b73f21790
SHA512

39094f6228b8ebdc53190f0fd8e6ee7419be7f3432c6663be8ffbac69cfdc0c81491205c06f583b22ac991fff736132958544ca8830090f81d04de88021432a6
SSDEEP

49152:a84wxv7LKmM/yf55NaUw0Sv2nMPb5kAGka+lBv6hc3h7GeAA:SELKmM/2Nc0Sv2nMzUtU3h7tF

Score

10^/10

bruteratel backdoor evasion upx

Malware Config

Extracted

Family

bruteratel

C2

�SS��wi��3�� Z7��zj�))�25�3�� vw$!�(��0��`�� &��,��,��'�� &��4��B��U��j��}��~��k��V��C��5��'�� 8t"�,�3�7�7�7��7��9��9��5��-��:��Z��:�� T(�4�8�?�T&��D&��U3��Q)��[>�G��&��@{��C^`�A1#�A�;��5��#� ��j��@��O,�7�B�j;��uH��\��`��[��R��o6��sM�B��(��*��.��4��>��EL?�C�9��' ��f��7��)�6�C��`8��v��w��l��]��U��N��xH��h2��lG�C��,��-��.��-��,��/��6��A

Attributes

c2_auth
J��N��H��
uri
/�}1��E

��jT�Ҕ~���騑�䞈�ᖂ�ޏz�݉w��yd��f]�&��!��6\d�6��(6��k3��G��B��@��B�̐z��꫓�찖��﹢��ª��ɯ��Ĭ��m�j�e��l�k�i�j�m�n �o#�t'�u(�u&�w( ��B*��qY��쨏�囄��}�ދw�݄t��wb��`Y�/�� /i��7��

6��^2(��FB�y@:�v>7�yD@�͎z��먏�ꬓ��ê��n�v$�q �v% �r!�q �o�m�m�n�n�o!�s%�s$�j��`��]G�꣊�睄��{�܈u�ڂr��ve��^W�9��'��$��-kp�6��

6��4.q�/@��-;��&6��/<��ǋ��ꥌ�꧑�뮕�척����ňn��3��. ��2��.�( �
user_agent
�C �8�� M�� A2�>�tE%��t��ӂ��p��e��^��Y��Q��~J��tB��c+��gB�<��$��'��,��-��1��1��/��0��8��A_X�@�.��\��%��%�Y6�D�ƈV��̀��t��j��e��`��X��P��}F��p@��pE��k<��nP�N��%��-��"��'��-��2��1��.��/��;��C$�5��d��(��)]6�W(��^��s��d��d��b��\��S��Q�ڊa�ԝ��մ��ǻ��ƶ��X��-��"��(��/��1��/��,��5��A;1�7��d��%��) O6�X(��c��e��\��]��[��U��T�Ȏl�н��ٸ��q��(��(��/��.��*��/��@@8�7��[��'�16�T$��Y��Z��R��W��Q��K�҈`�θ��ͳ��Z��#��.��-��(��.��@7.�4��L��5�>��oG��S��

Signatures

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2856	netsh.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2144-0-0x0000000000400000-0x00000000019F3000-memory.dmp	upx
behavioral1/memory/2144-7-0x0000000000400000-0x00000000019F3000-memory.dmp	upx
behavioral1/memory/2144-8-0x0000000000400000-0x00000000019F3000-memory.dmp	upx
behavioral1/memory/2144-9-0x0000000000400000-0x00000000019F3000-memory.dmp	upx
behavioral1/memory/2144-11-0x0000000000400000-0x00000000019F3000-memory.dmp	upx
behavioral1/memory/2144-12-0x0000000000400000-0x00000000019F3000-memory.dmp	upx
behavioral1/memory/2144-13-0x0000000000400000-0x00000000019F3000-memory.dmp	upx
behavioral1/memory/2144-14-0x0000000000400000-0x00000000019F3000-memory.dmp	upx
behavioral1/memory/2144-15-0x0000000000400000-0x00000000019F3000-memory.dmp	upx
behavioral1/memory/2144-16-0x0000000000400000-0x00000000019F3000-memory.dmp	upx
behavioral1/memory/2144-17-0x0000000000400000-0x00000000019F3000-memory.dmp	upx
behavioral1/memory/2144-18-0x0000000000400000-0x00000000019F3000-memory.dmp	upx
behavioral1/memory/2144-19-0x0000000000400000-0x00000000019F3000-memory.dmp	upx
behavioral1/memory/2144-20-0x0000000000400000-0x00000000019F3000-memory.dmp	upx
behavioral1/memory/2144-21-0x0000000000400000-0x00000000019F3000-memory.dmp	upx
behavioral1/memory/2144-22-0x0000000000400000-0x00000000019F3000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\DJLAPDMX.txt	0a1228a1a2e33a2588d29646e84207ca.exe
File created	C:\Windows\winupdate.exe	0a1228a1a2e33a2588d29646e84207ca.exe
File opened for modification	C:\Windows\winupdate.exe	0a1228a1a2e33a2588d29646e84207ca.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2660	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2144	0a1228a1a2e33a2588d29646e84207ca.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2300	2144	0a1228a1a2e33a2588d29646e84207ca.exe	28
PID 2144 wrote to memory of 2300	2144	0a1228a1a2e33a2588d29646e84207ca.exe	28
PID 2144 wrote to memory of 2300	2144	0a1228a1a2e33a2588d29646e84207ca.exe	28
PID 2144 wrote to memory of 2300	2144	0a1228a1a2e33a2588d29646e84207ca.exe	28
PID 2144 wrote to memory of 2660	2144	0a1228a1a2e33a2588d29646e84207ca.exe	30
PID 2144 wrote to memory of 2660	2144	0a1228a1a2e33a2588d29646e84207ca.exe	30
PID 2144 wrote to memory of 2660	2144	0a1228a1a2e33a2588d29646e84207ca.exe	30
PID 2144 wrote to memory of 2660	2144	0a1228a1a2e33a2588d29646e84207ca.exe	30
PID 2300 wrote to memory of 2856	2300	cmd.exe	32
PID 2300 wrote to memory of 2856	2300	cmd.exe	32
PID 2300 wrote to memory of 2856	2300	cmd.exe	32
PID 2300 wrote to memory of 2856	2300	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\0a1228a1a2e33a2588d29646e84207ca.exe
"C:\Users\Admin\AppData\Local\Temp\0a1228a1a2e33a2588d29646e84207ca.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2144
- C:\WINDOWS\SysWOW64\cmd.exe
  C:\WINDOWS\system32\cmd.exe /c "netsh firewall set opmode mode = disable"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode = disable
    3⤵
    - Modifies Windows Firewall
    PID:2856
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn startt /tr c:\start.bat /sc onstart /ru system
  2⤵
  - Creates scheduled task(s)
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2144-0-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download
memory/2144-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2144-6-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/2144-7-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download
memory/2144-8-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download
memory/2144-9-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download
memory/2144-10-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2144-11-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download
memory/2144-12-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download
memory/2144-13-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download
memory/2144-14-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download
memory/2144-15-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download
memory/2144-16-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download
memory/2144-17-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download
memory/2144-18-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download
memory/2144-19-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download
memory/2144-20-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download
memory/2144-21-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download
memory/2144-22-0x0000000000400000-0x00000000019F3000-memory.dmp

Filesize
21.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads