bruteratel | 04c031ecbff301c0c7c55c8c9352dea457370b221c314710e2e94575b8caf45b

Resubmissions

15-03-2024 08:35

240315-khfr5scb41 10

08-03-2024 06:28

240308-g8rqjsac9y 10

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bac03e7065835ff2e82f01801740a5e0.exe
Size

1.3MB
MD5

bac03e7065835ff2e82f01801740a5e0
SHA1

2bf512bc4f3d6f1bece40073ddedadad65264166
SHA256

04c031ecbff301c0c7c55c8c9352dea457370b221c314710e2e94575b8caf45b
SHA512

a2ee185a51f1ee7d53a622013ccb9f47c9893f304dce3413d53399ad3d757ed0dd7782f8dbe3f60c8f19c9f69fd40fc8fbb3b59aa09279871a3ee50878f50d97
SSDEEP

24576:r4VrnNUc9BJxetHXQf/R4GdfEzh7B905zfXKkfz+bVILjMxuY:cFNlYXI/R4GduL05zfXdfgVILY1

Score

10^/10

bruteratel backdoor

Malware Config

Signatures

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Executes dropped EXE 1 IoCs

Processes:

acrobat32.exe

pid process

2572 acrobat32.exe
Loads dropped DLL 1 IoCs

Processes:

bac03e7065835ff2e82f01801740a5e0.exe

pid process

2744 bac03e7065835ff2e82f01801740a5e0.exe
Drops file in Windows directory 1 IoCs

Processes:

acrobat32.exe

description ioc process

File created C:\WINDOWS\SYSTEM.LOG acrobat32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

acrobat32.exe

pid process

2572 acrobat32.exe

pid	process
2572	acrobat32.exe

pid	process
2744	bac03e7065835ff2e82f01801740a5e0.exe

description	ioc	process
File created	C:\WINDOWS\SYSTEM.LOG	acrobat32.exe

pid	process
2572	acrobat32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bac03e7065835ff2e82f01801740a5e0.exe

description	pid	process	target process
PID 2744 wrote to memory of 2572	2744	bac03e7065835ff2e82f01801740a5e0.exe	acrobat32.exe
PID 2744 wrote to memory of 2572	2744	bac03e7065835ff2e82f01801740a5e0.exe	acrobat32.exe
PID 2744 wrote to memory of 2572	2744	bac03e7065835ff2e82f01801740a5e0.exe	acrobat32.exe
PID 2744 wrote to memory of 2572	2744	bac03e7065835ff2e82f01801740a5e0.exe	acrobat32.exe

C:\Users\Admin\AppData\Local\Temp\bac03e7065835ff2e82f01801740a5e0.exe
"C:\Users\Admin\AppData\Local\Temp\bac03e7065835ff2e82f01801740a5e0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744

C:\Arquivos de programas\acrobat32.exe
"C:\Arquivos de programas\acrobat32.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
PID:2572

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Arquivos de programas\acrobat32.exe
Filesize
9.6MB

MD5
b18c339ffd36c12513744ba917542243

SHA1
34d0e70df1c58e89e56d6e52f7239a8e4cd78ea1

SHA256
e97ceabbb18ecd33c541ffb12446509581532ab41883459ed19fde7972343ee9

SHA512
8ae740c157acd162bb2823ade15064336925ecea52aa7282f8a552b47eeda4419b75fdac9ca012129c274f504ea95fe47b466f3e591bd663903e5b0c400d4a35

Download Submit
C:\Arquivos de programas\acrobat32.exe
Filesize
8.2MB

MD5
36523745a6dff0252d6c2f73a8d40989

SHA1
b7bc4c57b6094d82696f4fb654b28b29fe9ce20d

SHA256
21882ad54631ead7a4e1497da1075e018c30869e343a4e1dff4a863f59126004

SHA512
498706e1b24fd19114c2c3fdb92a96c36bc83a86968da1f30aa0bef47cf914fc9dfc99041a2e464869790a6e455d81dfcb9cfdca23ccaf20acfc82d1b2319eaa

Download Submit
\Arquivos de programas\acrobat32.exe
Filesize
12.3MB

MD5
a3da936b172055c1b347854b3b79ed68

SHA1
d28280974744375ae7e6ed1c993e82ba24311618

SHA256
032df6a83ec526984faa1c32f8816fd13cd6a0c4668fb8ba375210cf2eeb6ab6

SHA512
3a2c044369f3d31ddabfe890b00c5d146d557ebc239d44af1d027e4448c33ae67df9bff192653e4cd8abd9d2907d66d2f2053fa6974eae8e5f9d3e9dd4dc251a

Download Submit
memory/2572-7-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2572-9-0x0000000000280000-0x0000000001532000-memory.dmp

Filesize
18.7MB

Download
memory/2572-13-0x0000000000280000-0x0000000001532000-memory.dmp

Filesize
18.7MB

Download
memory/2744-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download