bruteratel | c536edebb7491226b30b81e732d34a2c5b44197c8f3d615f29da73711227f7d1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 01:49

Target

bbdbef17dbcf2630ae19138d0dbcd34818a9f9a1167a7e6654f857a87bfe4fa3.exe
Size

1.6MB
MD5

87393a8d5f9fd299a9d490f6db54d88e
SHA1

671a02684469c333481ec08ffee3af03ef7138d4
SHA256

bbdbef17dbcf2630ae19138d0dbcd34818a9f9a1167a7e6654f857a87bfe4fa3
SHA512

e7153ce3344cd3cb884da73f9894bd3544ffdcd8b47438c747de7783ea18098eef85c701b0bdbcff8cdc643a770464adf675d663e7a579779aee9109e1467ef1
SSDEEP

24576:yXqSiBXT4As7FLUc2nZpvs9EFw4fUOpeYLVlSG6QXwstNU:yXfQ3cT2ZpvYEeWUSLVDFwd

Score

10^/10

Family

bruteratel

192.168.100.208:443

Attributes

c2_auth
U440A82KTMKMI7JF
uri
/eyyo.ashm
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2472 created 3396	2472	bbdbef17dbcf2630ae19138d0dbcd34818a9f9a1167a7e6654f857a87bfe4fa3.exe	56

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2472	bbdbef17dbcf2630ae19138d0dbcd34818a9f9a1167a7e6654f857a87bfe4fa3.exe
2472	bbdbef17dbcf2630ae19138d0dbcd34818a9f9a1167a7e6654f857a87bfe4fa3.exe
4428	explorer.exe
4428	explorer.exe
4428	explorer.exe
4428	explorer.exe
4428	explorer.exe
4428	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
2472	bbdbef17dbcf2630ae19138d0dbcd34818a9f9a1167a7e6654f857a87bfe4fa3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 4428	2472	bbdbef17dbcf2630ae19138d0dbcd34818a9f9a1167a7e6654f857a87bfe4fa3.exe	93
PID 2472 wrote to memory of 4428	2472	bbdbef17dbcf2630ae19138d0dbcd34818a9f9a1167a7e6654f857a87bfe4fa3.exe	93
PID 2472 wrote to memory of 4428	2472	bbdbef17dbcf2630ae19138d0dbcd34818a9f9a1167a7e6654f857a87bfe4fa3.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3396
- C:\Users\Admin\AppData\Local\Temp\bbdbef17dbcf2630ae19138d0dbcd34818a9f9a1167a7e6654f857a87bfe4fa3.exe
  "C:\Users\Admin\AppData\Local\Temp\bbdbef17dbcf2630ae19138d0dbcd34818a9f9a1167a7e6654f857a87bfe4fa3.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  PID:2472
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428

memory/2472-0-0x0000026552070000-0x0000026552071000-memory.dmp

Filesize
4KB

Download
memory/2472-9-0x0000026552070000-0x0000026552071000-memory.dmp

Filesize
4KB

Download
memory/2472-11-0x00007FF6F3300000-0x00007FF6F34AE000-memory.dmp

Filesize
1.7MB

Download
memory/4428-10-0x00000000004E0000-0x0000000000536000-memory.dmp

Filesize
344KB

Download
memory/4428-12-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Filesize
2.0MB

Download
memory/4428-18-0x00000000004E0000-0x0000000000536000-memory.dmp

Filesize
344KB

Download
memory/4428-16-0x00007FFDCEFF0000-0x00007FFDCF2B9000-memory.dmp

Filesize
2.8MB

Download
memory/4428-14-0x00007FFDD0750000-0x00007FFDD080E000-memory.dmp

Filesize
760KB

Download
memory/4428-27-0x00000000004E0000-0x0000000000536000-memory.dmp

Filesize
344KB

Download