bruteratel | c6c697d658dd221f27a8d58e79a478646877ac6afcf0cbe2ce919862f3889c6b

General

Target

mw_ArPotEx64.dll
Size

724KB
MD5

12d56ac4ed9cadb4f6f54c7bd7fdfeb6
SHA1

c3439bcb0ee6d1bda33ef15a3d1d040c331e77d5
SHA256

c6c697d658dd221f27a8d58e79a478646877ac6afcf0cbe2ce919862f3889c6b
SHA512

1a6737f4977b2a0e94498edda635cb09d1ea63ee0072fedec16f1227d99d602298e60d091fd958494b4a6b7730f8c11c670c1164ac57a8c7e7aeb98deb3390b0
SSDEEP

12288:+h/M5nsxW5fFcrGn7Q21Svj07MGpmeSM6C4LWYv1AoMVPPynuJskZVjSKUCWnkoD:+rr+VPPnJs3KUCWkC3r

Score

10^/10

bruteratel backdoor discovery

Malware Config

Signatures

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral1/memory/1752-1-0x0000000000390000-0x00000000003CE000-memory.dmp	family_bruteratel

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	1752	rundll32.exe
15	1752	rundll32.exe
17	1752	rundll32.exe
18	1752	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FAE21B69421271FD553621C9F439D62D53908EBB	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FAE21B69421271FD553621C9F439D62D53908EBB\Blob = 0f0000000100000020000000df2848ccff1103c4ced84d51be5043ec9137d026c263aaeaaa5214deb52669bf030000000100000014000000fae21b69421271fd553621c9f439d62d53908ebb2000000001000000f9020000308202f5308201dda003020102021022e8a4e8a292279e728922ff43926cbc300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303933303137303030305a170d3239303933303137303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b0c9ee8dfc6f89f46f5acf10434e37a6484d390601e3759d36d0fce6cfe7bcf1b3c459bc82f7e084618e9beb37103d33597439368640c9b632b2143581310f9eba2ddce32e20b11aeae2c92db2aa549259e72229cc097acd4c639099bdd2a838b804caf472f0a62d047f687aa9a38a75eda30912b84f2b4b0c82cb1209b9df6ecd1550cf2f3a5cbf5b82b104621aabf4f99670150de531d4b6022ac7860beae3ee429ce2127382b29d52f1c9de7792371d215254486470e600d98ca2219144c55b507f9d16bafaa370a216e117a150e9530a781d4652f6fe72711728c1af672fc33078579b1e415070ed4014daf18b3537cf3755c02467be264f0e20d6d24c910203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414b31e9fb9c32d99753ed1442a9ee8675a09d17c12300d06092a864886f70d01010b050003820101002804aa70575d3902562aedb6027a36f36e8546686878b9800fd6f632d3a4db4c4fe4582330bb3dcbaf7c53af41e569bee0631d0329a76d1f60c75317e92da7c815982b97fcd6f5378b1dfeb34577d7958a4771d9f6732deaff4a7f2c4ce2bc83195fa752d026df8014215c6b818ff278a919271158592f644edcb7dca011c29226e185b5d4963ccafa460fc9c71226ab32ba5c27295ad62228e9b2ff4b75d334699bcd0798dff64f8110db31de8f0209959eb37d9faeef3ea106fa9ae5a162a3340696bfe80364b85dea94cc33eb849a54d6198d95f4631599ac25447ebfa3b6eccb04ffd1f983c79ac0eaf021747bf9b0c41e71205008b5bd1de12bf78179e0	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FAE21B69421271FD553621C9F439D62D53908EBB\Blob = 140000000100000014000000b31e9fb9c32d99753ed1442a9ee8675a09d17c12030000000100000014000000fae21b69421271fd553621c9f439d62d53908ebb0f0000000100000020000000df2848ccff1103c4ced84d51be5043ec9137d026c263aaeaaa5214deb52669bf2000000001000000f9020000308202f5308201dda003020102021022e8a4e8a292279e728922ff43926cbc300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303933303137303030305a170d3239303933303137303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b0c9ee8dfc6f89f46f5acf10434e37a6484d390601e3759d36d0fce6cfe7bcf1b3c459bc82f7e084618e9beb37103d33597439368640c9b632b2143581310f9eba2ddce32e20b11aeae2c92db2aa549259e72229cc097acd4c639099bdd2a838b804caf472f0a62d047f687aa9a38a75eda30912b84f2b4b0c82cb1209b9df6ecd1550cf2f3a5cbf5b82b104621aabf4f99670150de531d4b6022ac7860beae3ee429ce2127382b29d52f1c9de7792371d215254486470e600d98ca2219144c55b507f9d16bafaa370a216e117a150e9530a781d4652f6fe72711728c1af672fc33078579b1e415070ed4014daf18b3537cf3755c02467be264f0e20d6d24c910203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414b31e9fb9c32d99753ed1442a9ee8675a09d17c12300d06092a864886f70d01010b050003820101002804aa70575d3902562aedb6027a36f36e8546686878b9800fd6f632d3a4db4c4fe4582330bb3dcbaf7c53af41e569bee0631d0329a76d1f60c75317e92da7c815982b97fcd6f5378b1dfeb34577d7958a4771d9f6732deaff4a7f2c4ce2bc83195fa752d026df8014215c6b818ff278a919271158592f644edcb7dca011c29226e185b5d4963ccafa460fc9c71226ab32ba5c27295ad62228e9b2ff4b75d334699bcd0798dff64f8110db31de8f0209959eb37d9faeef3ea106fa9ae5a162a3340696bfe80364b85dea94cc33eb849a54d6198d95f4631599ac25447ebfa3b6eccb04ffd1f983c79ac0eaf021747bf9b0c41e71205008b5bd1de12bf78179e0	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FAE21B69421271FD553621C9F439D62D53908EBB\Blob = 0400000001000000100000000c47311a5ff3ca97c87a593bd67d7a2b0f0000000100000020000000df2848ccff1103c4ced84d51be5043ec9137d026c263aaeaaa5214deb52669bf030000000100000014000000fae21b69421271fd553621c9f439d62d53908ebb140000000100000014000000b31e9fb9c32d99753ed1442a9ee8675a09d17c122000000001000000f9020000308202f5308201dda003020102021022e8a4e8a292279e728922ff43926cbc300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303933303137303030305a170d3239303933303137303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b0c9ee8dfc6f89f46f5acf10434e37a6484d390601e3759d36d0fce6cfe7bcf1b3c459bc82f7e084618e9beb37103d33597439368640c9b632b2143581310f9eba2ddce32e20b11aeae2c92db2aa549259e72229cc097acd4c639099bdd2a838b804caf472f0a62d047f687aa9a38a75eda30912b84f2b4b0c82cb1209b9df6ecd1550cf2f3a5cbf5b82b104621aabf4f99670150de531d4b6022ac7860beae3ee429ce2127382b29d52f1c9de7792371d215254486470e600d98ca2219144c55b507f9d16bafaa370a216e117a150e9530a781d4652f6fe72711728c1af672fc33078579b1e415070ed4014daf18b3537cf3755c02467be264f0e20d6d24c910203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414b31e9fb9c32d99753ed1442a9ee8675a09d17c12300d06092a864886f70d01010b050003820101002804aa70575d3902562aedb6027a36f36e8546686878b9800fd6f632d3a4db4c4fe4582330bb3dcbaf7c53af41e569bee0631d0329a76d1f60c75317e92da7c815982b97fcd6f5378b1dfeb34577d7958a4771d9f6732deaff4a7f2c4ce2bc83195fa752d026df8014215c6b818ff278a919271158592f644edcb7dca011c29226e185b5d4963ccafa460fc9c71226ab32ba5c27295ad62228e9b2ff4b75d334699bcd0798dff64f8110db31de8f0209959eb37d9faeef3ea106fa9ae5a162a3340696bfe80364b85dea94cc33eb849a54d6198d95f4631599ac25447ebfa3b6eccb04ffd1f983c79ac0eaf021747bf9b0c41e71205008b5bd1de12bf78179e0	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FAE21B69421271FD553621C9F439D62D53908EBB\Blob = 190000000100000010000000ca6d44558874a1fb1648a3eb25d14320140000000100000014000000b31e9fb9c32d99753ed1442a9ee8675a09d17c12030000000100000014000000fae21b69421271fd553621c9f439d62d53908ebb0f0000000100000020000000df2848ccff1103c4ced84d51be5043ec9137d026c263aaeaaa5214deb52669bf0400000001000000100000000c47311a5ff3ca97c87a593bd67d7a2b2000000001000000f9020000308202f5308201dda003020102021022e8a4e8a292279e728922ff43926cbc300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303933303137303030305a170d3239303933303137303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b0c9ee8dfc6f89f46f5acf10434e37a6484d390601e3759d36d0fce6cfe7bcf1b3c459bc82f7e084618e9beb37103d33597439368640c9b632b2143581310f9eba2ddce32e20b11aeae2c92db2aa549259e72229cc097acd4c639099bdd2a838b804caf472f0a62d047f687aa9a38a75eda30912b84f2b4b0c82cb1209b9df6ecd1550cf2f3a5cbf5b82b104621aabf4f99670150de531d4b6022ac7860beae3ee429ce2127382b29d52f1c9de7792371d215254486470e600d98ca2219144c55b507f9d16bafaa370a216e117a150e9530a781d4652f6fe72711728c1af672fc33078579b1e415070ed4014daf18b3537cf3755c02467be264f0e20d6d24c910203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414b31e9fb9c32d99753ed1442a9ee8675a09d17c12300d06092a864886f70d01010b050003820101002804aa70575d3902562aedb6027a36f36e8546686878b9800fd6f632d3a4db4c4fe4582330bb3dcbaf7c53af41e569bee0631d0329a76d1f60c75317e92da7c815982b97fcd6f5378b1dfeb34577d7958a4771d9f6732deaff4a7f2c4ce2bc83195fa752d026df8014215c6b818ff278a919271158592f644edcb7dca011c29226e185b5d4963ccafa460fc9c71226ab32ba5c27295ad62228e9b2ff4b75d334699bcd0798dff64f8110db31de8f0209959eb37d9faeef3ea106fa9ae5a162a3340696bfe80364b85dea94cc33eb849a54d6198d95f4631599ac25447ebfa3b6eccb04ffd1f983c79ac0eaf021747bf9b0c41e71205008b5bd1de12bf78179e0	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1752	rundll32.exe
1752	rundll32.exe
1752	rundll32.exe
1752	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 1752	708	rundll32.exe	30
PID 708 wrote to memory of 1752	708	rundll32.exe	30
PID 708 wrote to memory of 1752	708	rundll32.exe	30
PID 708 wrote to memory of 1752	708	rundll32.exe	30

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\mw_ArPotEx64.dll,AXA
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:708
- C:\Windows\system32\rundll32.exe
  C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\mw_ArPotEx64.dll,AXA
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1752-0-0x0000000000390000-0x00000000003CE000-memory.dmp

Filesize
248KB

Download
memory/1752-1-0x0000000000390000-0x00000000003CE000-memory.dmp

Filesize
248KB

Download
memory/1752-2-0x0000000001D60000-0x0000000001DAC000-memory.dmp

Filesize
304KB

Download
memory/1752-18-0x0000000001D60000-0x0000000001DAC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing