bruteratel | 04c031ecbff301c0c7c55c8c9352dea457370b221c314710e2e94575b8caf45b

Resubmissions

15/03/2024, 08:35

240315-khfr5scb41 10

08/03/2024, 06:28

240308-g8rqjsac9y 10

Analysis

max time kernel
142s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bac03e7065835ff2e82f01801740a5e0.exe
Size

1.3MB
MD5

bac03e7065835ff2e82f01801740a5e0
SHA1

2bf512bc4f3d6f1bece40073ddedadad65264166
SHA256

04c031ecbff301c0c7c55c8c9352dea457370b221c314710e2e94575b8caf45b
SHA512

a2ee185a51f1ee7d53a622013ccb9f47c9893f304dce3413d53399ad3d757ed0dd7782f8dbe3f60c8f19c9f69fd40fc8fbb3b59aa09279871a3ee50878f50d97
SSDEEP

24576:r4VrnNUc9BJxetHXQf/R4GdfEzh7B905zfXKkfz+bVILjMxuY:cFNlYXI/R4GduL05zfXdfgVILY1

Score

10^/10

bruteratel backdoor

Malware Config

Signatures

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	bac03e7065835ff2e82f01801740a5e0.exe

Executes dropped EXE 1 IoCs

pid	Process
4012	acrobat32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\SYSTEM.LOG	acrobat32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4012	acrobat32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 4012	5112	bac03e7065835ff2e82f01801740a5e0.exe	90
PID 5112 wrote to memory of 4012	5112	bac03e7065835ff2e82f01801740a5e0.exe	90
PID 5112 wrote to memory of 4012	5112	bac03e7065835ff2e82f01801740a5e0.exe	90

C:\Users\Admin\AppData\Local\Temp\bac03e7065835ff2e82f01801740a5e0.exe
"C:\Users\Admin\AppData\Local\Temp\bac03e7065835ff2e82f01801740a5e0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Arquivos de programas\acrobat32.exe
  "C:\Arquivos de programas\acrobat32.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Arquivos de programas\acrobat32.exe

Filesize
12.8MB

MD5
1c8304b0e7284173d57f031a999293b2

SHA1
d0c95f0ac564e354b77aa90b651a2d791f36d26f

SHA256
109ea0be4ab5d49aa15aa19c4d0cd13e325c2ecdff5fdc4f807e9e1d2196bfbf

SHA512
62631d688626ca75b7905a2502655fb87f6a621013c97b83c6a97f8bf0ed61df9f39480dfa9eef92baf1ee946f07d8eb016f8066fcd7af023d67ff0721826bde

Download Submit
C:\Arquivos de programas\acrobat32.exe

Filesize
15.7MB

MD5
8c42df506de40711d804fe0d65dce453

SHA1
d086ac98658a94559b4a7dc8bad5c086ac9bcc7f

SHA256
a6bd11d5aad8c555d3e1f8f9db0cc293f184ccfd1653729299176f4a129239a9

SHA512
e077f47b0e78cefc746abadb0364f1f3c345b5838becbf4153a27dad09331a3b1c3e12a8ab3aeb6fd770793441c17709cc0060e29c550cec89032a8037d2a539

Download Submit
C:\Arquivos de programas\acrobat32.exe

Filesize
2.9MB

MD5
d4c337ace1db41cb569e58c56afaaff9

SHA1
56200d1f747b6c796d155c67693b7590a3421d04

SHA256
5f4b0334444feaf7299fb1ee0d46c9f844733ea9d1ee14e7f79bd80fb461a795

SHA512
6c16de49d190c0797c8e7034774bd3db817212c26da68174cad501a3000f65207fa497ef7ef3d6bc1f28d01f03d2cfb1e0d5b11119bf4e1da68527fb78991260

Download Submit
memory/4012-12-0x00000000015F0000-0x00000000015F1000-memory.dmp

Filesize
4KB

Download
memory/4012-14-0x0000000000280000-0x0000000001532000-memory.dmp

Filesize
18.7MB

Download
memory/4012-16-0x00000000015F0000-0x00000000015F1000-memory.dmp

Filesize
4KB

Download
memory/4012-17-0x0000000000280000-0x0000000001532000-memory.dmp

Filesize
18.7MB

Download
memory/5112-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download