bruteratel | 14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184

Resubmissions

20-11-2024 06:32

241120-har44axpcr 10

19-11-2024 20:25

241119-y69xsasala 10

Analysis

max time kernel
283s
max time network
272s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sqx.dll
Size

1.3MB
MD5

dd862590d9e4ea1791df147912ae4c8f
SHA1

852d7a9ea4db5ff4cd51a92447a8d5701cfb322b
SHA256

14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184
SHA512

3e9222d8bd91d3e53f5e378318a78a7c5aa12011272031f7c0d8c36c5b255db1d0a168cc02e1159eb021dd18206352dd6dcb857fefc2222937c467350dc6d568
SSDEEP

24576:pQrDp6J8JM3IgVvF7EtPCo1Frk5fRJhqYEjTvpAbHT0HRZonw4by:pQpI8JM3IwEtPCo1F45fvhq/jTyb4HR+

Score

10^/10

bruteratel latrodectus backdoor loader

Malware Config

Extracted

Family

latrodectus

https://bestmarsgood.com/test/

https://cerwintifed.com/test/

Signatures

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1472-0-0x00000160472F0000-0x000001604732E000-memory.dmp	family_bruteratel

Detects Latrodectus 6 IoCs

Detects Latrodectus v1.4.

Processes:

resource	yara_rule
behavioral1/memory/1472-20-0x00007FF4DE290000-0x00007FF4DE2A5000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/1472-20-0x00007FF4DE290000-0x00007FF4DE2A5000-memory.dmp	Latrodectus14
behavioral1/memory/3496-25-0x0000000001550000-0x0000000001565000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/3496-25-0x0000000001550000-0x0000000001565000-memory.dmp	Latrodectus14
behavioral1/memory/3496-26-0x0000000001550000-0x0000000001565000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/3496-26-0x0000000001550000-0x0000000001565000-memory.dmp	Latrodectus14

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Blocklisted process makes network request 9 IoCs

Processes:

rundll32.exe

flow	pid	process
16	1472	rundll32.exe
18	1472	rundll32.exe
20	1472	rundll32.exe
25	1472	rundll32.exe
49	1472	rundll32.exe
58	1472	rundll32.exe
59	1472	rundll32.exe
66	1472	rundll32.exe
67	1472	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rundll32.exe

pid	process
1472	rundll32.exe
1472	rundll32.exe
1472	rundll32.exe
1472	rundll32.exe
1472	rundll32.exe
1472	rundll32.exe
1472	rundll32.exe
1472	rundll32.exe
1472	rundll32.exe
1472	rundll32.exe
1472	rundll32.exe
1472	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Explorer.EXE

description pid process

Token: SeShutdownPrivilege 3496 Explorer.EXE
Token: SeCreatePagefilePrivilege 3496 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3496 Explorer.EXE
Suspicious use of WriteProcessMemory 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1472 wrote to memory of 3496 1472 rundll32.exe Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE

pid	process
3496	Explorer.EXE

description	pid	process	target process
PID 1472 wrote to memory of 3496	1472	rundll32.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3496
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqx.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1472-0-0x00000160472F0000-0x000001604732E000-memory.dmp

Filesize
248KB

Download
memory/1472-1-0x0000016047330000-0x000001604737C000-memory.dmp

Filesize
304KB

Download
memory/1472-20-0x00007FF4DE290000-0x00007FF4DE2A5000-memory.dmp

Filesize
84KB

Download
memory/1472-22-0x00007FF4DE270000-0x00007FF4DE271000-memory.dmp

Filesize
4KB

Download
memory/1472-24-0x00007FF4DE250000-0x00007FF4DE251000-memory.dmp

Filesize
4KB

Download
memory/1472-23-0x00007FF4DE260000-0x00007FF4DE261000-memory.dmp

Filesize
4KB

Download
memory/1472-21-0x00007FF4DE280000-0x00007FF4DE281000-memory.dmp

Filesize
4KB

Download
memory/1472-19-0x00007FF4DE2B0000-0x00007FF4DE2B1000-memory.dmp

Filesize
4KB

Download
memory/1472-29-0x0000016047330000-0x000001604737C000-memory.dmp

Filesize
304KB

Download
memory/3496-25-0x0000000001550000-0x0000000001565000-memory.dmp

Filesize
84KB

Download
memory/3496-26-0x0000000001550000-0x0000000001565000-memory.dmp

Filesize
84KB

Download