bruteratel | 14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184

Resubmissions

30-11-2024 00:13

241130-ahvwystmfv 10

29-11-2024 21:13

27-11-2024 19:30

27-11-2024 19:27

26-11-2024 23:43

Analysis

max time kernel
34s
max time network
35s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sqx.dll
Size

1.3MB
MD5

dd862590d9e4ea1791df147912ae4c8f
SHA1

852d7a9ea4db5ff4cd51a92447a8d5701cfb322b
SHA256

14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184
SHA512

3e9222d8bd91d3e53f5e378318a78a7c5aa12011272031f7c0d8c36c5b255db1d0a168cc02e1159eb021dd18206352dd6dcb857fefc2222937c467350dc6d568
SSDEEP

24576:pQrDp6J8JM3IgVvF7EtPCo1Frk5fRJhqYEjTvpAbHT0HRZonw4by:pQpI8JM3IwEtPCo1F45fvhq/jTyb4HR+

Score

10^/10

bruteratel latrodectus backdoor loader

Malware Config

Extracted

Family

latrodectus

https://reateberam.com/test/

https://dogirafer.com/test/

Signatures

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2364-0-0x00000000001B0000-0x00000000001EE000-memory.dmp	family_bruteratel

Detects Latrodectus 4 IoCs

Detects Latrodectus v1.4.

Processes:

resource	yara_rule
behavioral1/memory/2364-29-0x000007FFFFF70000-0x000007FFFFF85000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/1200-37-0x00000000025B0000-0x00000000025C5000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/1200-36-0x00000000025B0000-0x00000000025C5000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/1200-38-0x00000000025B0000-0x00000000025C5000-memory.dmp	family_latrodectus_1_4

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow	pid	Process
4	2364	rundll32.exe
6	2364	rundll32.exe
8	2364	rundll32.exe
11	2364	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid	Process
2364	rundll32.exe

Suspicious use of WriteProcessMemory 1 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 2364 wrote to memory of 1200	2364	rundll32.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqx.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-34-0x00000000025B0000-0x00000000025C5000-memory.dmp

Filesize
84KB

Download
memory/1200-37-0x00000000025B0000-0x00000000025C5000-memory.dmp

Filesize
84KB

Download
memory/1200-36-0x00000000025B0000-0x00000000025C5000-memory.dmp

Filesize
84KB

Download
memory/1200-38-0x00000000025B0000-0x00000000025C5000-memory.dmp

Filesize
84KB

Download
memory/2364-0-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2364-1-0x0000000001D40000-0x0000000001D8C000-memory.dmp

Filesize
304KB

Download
memory/2364-28-0x000007FFFFF90000-0x000007FFFFF91000-memory.dmp

Filesize
4KB

Download
memory/2364-32-0x000007FFFFF40000-0x000007FFFFF41000-memory.dmp

Filesize
4KB

Download
memory/2364-33-0x000007FFFFF30000-0x000007FFFFF31000-memory.dmp

Filesize
4KB

Download
memory/2364-31-0x000007FFFFF50000-0x000007FFFFF51000-memory.dmp

Filesize
4KB

Download
memory/2364-30-0x000007FFFFF60000-0x000007FFFFF61000-memory.dmp

Filesize
4KB

Download
memory/2364-29-0x000007FFFFF70000-0x000007FFFFF85000-memory.dmp

Filesize
84KB

Download