SYMBOLCOMMON_NAMEaka. SYNONYMS
win.brute_ratel_c4 (Back to overview)

Brute Ratel C4


There is no description at this point.

References
2022-10-12Twitter (@embee_research)Embee_research, Huntress Labs
@online{embeeresearch:20221012:tweets:3284cd3, author = {Embee_research and Huntress Labs}, title = {{Tweets on detection of Brute Ratel via API Hashes}}, date = {2022-10-12}, organization = {Twitter (@embee_research)}, url = {https://twitter.com/embee_research/status/1580030303950995456?s=20&t=0vfXnrCXaVSX-P-hiSrFwA}, language = {English}, urldate = {2022-11-21} } Tweets on detection of Brute Ratel via API Hashes
Brute Ratel C4
2022-10-04splunkSplunk Threat Research Team
@online{team:20221004:deliver:dba14df, author = {Splunk Threat Research Team}, title = {{Deliver a Strike by Reversing a Badger: Brute Ratel Detection and Analysis}}, date = {2022-10-04}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html}, language = {English}, urldate = {2022-10-06} } Deliver a Strike by Reversing a Badger: Brute Ratel Detection and Analysis
Brute Ratel C4
2022-08-22MicrosoftMicrosoft
@online{microsoft:20220822:extortion:67c26d4, author = {Microsoft}, title = {{Extortion Economics - Ransomware’s new business model}}, date = {2022-08-22}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v}, language = {English}, urldate = {2022-08-31} } Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-08-03MDSecDominic Chell
@online{chell:20220803:part:3f8002b, author = {Dominic Chell}, title = {{PART 3: How I Met Your Beacon – Brute Ratel}}, date = {2022-08-03}, organization = {MDSec}, url = {https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/}, language = {English}, urldate = {2022-10-06} } PART 3: How I Met Your Beacon – Brute Ratel
Brute Ratel C4
2022-07-09spookysecRonnie
@online{ronnie:20220709:analyzing:b124529, author = {Ronnie}, title = {{Analyzing a Brute Ratel Badger}}, date = {2022-07-09}, organization = {spookysec}, url = {https://blog.spookysec.net/analyzing-brc4-badgers/}, language = {English}, urldate = {2022-10-06} } Analyzing a Brute Ratel Badger
Brute Ratel C4
2022-07-07SOCRadarSOCRadar
@online{socradar:20220707:brute:fd80023, author = {SOCRadar}, title = {{Brute Ratel Utilized By Threat Actors In New Ransomware Operations}}, date = {2022-07-07}, organization = {SOCRadar}, url = {https://socradar.io/brute-ratel-utilized-by-threat-actors-in-new-ransomware-operations/}, language = {English}, urldate = {2022-10-19} } Brute Ratel Utilized By Threat Actors In New Ransomware Operations
Brute Ratel C4
2022-07-05Mike Harbison
@online{harbison:20220705:when:7a1f44b, author = {Mike Harbison}, title = {{When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors}}, date = {2022-07-05}, url = {https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/}, language = {English}, urldate = {2022-07-13} } When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors
Brute Ratel C4
Yara Rules
[TLP:WHITE] win_brute_ratel_c4_w0 (20221012 | No description)
rule win_brute_ratel_c4_w0 {
	//Looks for API hashes present in Brute Ratel Badger Payloads. 
	meta:
		author = "Embee_Research @ Huntress"
		vendor = "Huntress"
		created = "2022/10/12"
		source = "https://raw.githubusercontent.com/embee-research/Yara/main/BruteSyscalls.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4"
        malpedia_rule_date = "20221012"
        malpedia_hash = ""
        malpedia_version = "20221012"
        malpedia_sharing = "TLP:WHITE"
	strings:
		
		$hash1 = {89 4d 39 8c} //NtProtectVirtualMemory
		$hash2 = {bd ca 3b d3} //NtAllocateVirtualMemory
		$hash3 = {b2 c1 06 ae} //NtWaitForSingleObject
		$hash4 = {74 eb 1d 4d} //NtCreateThreadEx
	
	condition:
		//0x5a4d == regular pe/dll
		//0x00e8 == start of Brute shellcode 
		(2 of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8)
}
Download all Yara Rules