win.brute_ratel_c4

Brute Ratel C4


There is no description at this point.

References
2023-03-06 | ProtectedMo.de | Boymoder RE
@online{re:20230306:brute:ad7d790, author = {Boymoder RE}, title = {{Brute Ratel - Scandinavian Defence}}, date = {2023-03-06}, organization = {ProtectedMo.de}, url = {https://protectedmo.de/brute.html}, language = {English}, urldate = {2023-03-20} }
Families: Brute Ratel C4

2023-02-15 | Yoroi | Luigi Martire, Carmelo Ragusa
@online{martire:20230215:hunting:eb09f70, author = {Luigi Martire and Carmelo Ragusa}, title = {{Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel}}, date = {2023-02-15}, organization = {Yoroi}, url = {https://web.archive.org/web/20230216110153/https://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/}, language = {English}, urldate = {2023-02-16} }
Families: Brute Ratel C4

2023-01-29 | Dark Vortex | Paranoid Ninja
@online{ninja:20230129:hiding:1b59393, author = {Paranoid Ninja}, title = {{Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks}}, date = {2023-01-29}, organization = {Dark Vortex}, url = {https://0xdarkvortex.dev/hiding-in-plainsight/}, language = {English}, urldate = {2023-02-21} }
Families: Brute Ratel C4

2023-01-26 | Dark Vortex | Paranoid Ninja
@online{ninja:20230126:hiding:3ea1a8c, author = {Paranoid Ninja}, title = {{Hiding In PlainSight - Proxying DLL Loads To Hide From ETWTI Stack Tracing}}, date = {2023-01-26}, organization = {Dark Vortex}, url = {https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/}, language = {English}, urldate = {2023-02-21} }
Families: Brute Ratel C4

2022-10-25 | Medium walmartglobaltech | Jason Reaves
@online{reaves:20221025:brute:3e3f821, author = {Jason Reaves}, title = {{Brute Ratel Config Decoding update}}, date = {2022-10-25}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/brute-ratel-config-decoding-update-7820455022cb}, language = {English}, urldate = {2023-01-31} }
Families: Brute Ratel C4

2022-10-12 | Twitter (@embee_research) | Embee_research, Huntress Labs
@online{embeeresearch:20221012:tweets:3284cd3, author = {Embee_research and Huntress Labs}, title = {{Tweets on detection of Brute Ratel via API Hashes}}, date = {2022-10-12}, organization = {Twitter (@embee_research)}, url = {https://twitter.com/embee_research/status/1580030303950995456?s=20&t=0vfXnrCXaVSX-P-hiSrFwA}, language = {English}, urldate = {2022-11-21} }
Families: Brute Ratel C4

2022-10-04 | splunk | Splunk Threat Research Team
@online{team:20221004:deliver:dba14df, author = {Splunk Threat Research Team}, title = {{Deliver a Strike by Reversing a Badger: Brute Ratel Detection and Analysis}}, date = {2022-10-04}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html}, language = {English}, urldate = {2022-10-06} }
Families: Brute Ratel C4

2022-09-01 | Medium michaelkoczwara | Michael Koczwara
@online{koczwara:20220901:hunting:45c54de, author = {Michael Koczwara}, title = {{Hunting C2/Adversaries Infrastructure with Shodan and Censys}}, date = {2022-09-01}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f}, language = {English}, urldate = {2023-01-19} }
Families: Brute Ratel C4, Cobalt Strike, Deimos, GRUNT, IcedID, Merlin, Meterpreter, Nighthawk, PoshC2, Sliver

2022-08-22 | Microsoft | Microsoft
@online{microsoft:20220822:extortion:67c26d4, author = {Microsoft}, title = {{Extortion Economics - Ransomware's new business model}}, date = {2022-08-22}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v}, language = {English}, urldate = {2022-08-31} }
Families: BlackCat, Conti, Hive, REvil, AgendaCrypt, Black Basta, BlackCat, Brute Ratel C4, Cobalt Strike, Conti, Hive, Mount Locker, Nokoyawa Ransomware, REvil, Ryuk

2022-08-03 | MDSec | Dominic Chell
@online{chell:20220803:part:3f8002b, author = {Dominic Chell}, title = {{PART 3: How I Met Your Beacon - Brute Ratel}}, date = {2022-08-03}, organization = {MDSec}, url = {https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/}, language = {English}, urldate = {2022-10-06} }
Families: Brute Ratel C4

2022-07-09 | spookysec | Ronnie
@online{ronnie:20220709:analyzing:b124529, author = {Ronnie}, title = {{Analyzing a Brute Ratel Badger}}, date = {2022-07-09}, organization = {spookysec}, url = {https://blog.spookysec.net/analyzing-brc4-badgers/}, language = {English}, urldate = {2022-10-06} }
Families: Brute Ratel C4

2022-07-07 | SOCRadar | SOCRadar
@online{socradar:20220707:brute:fd80023, author = {SOCRadar}, title = {{Brute Ratel Utilized By Threat Actors In New Ransomware Operations}}, date = {2022-07-07}, organization = {SOCRadar}, url = {https://socradar.io/brute-ratel-utilized-by-threat-actors-in-new-ransomware-operations/}, language = {English}, urldate = {2022-10-19} }
Families: Brute Ratel C4

2022-07-06 | YouTube (IppSec) | IppSec
@online{ippsec:20220706:reversing:542aecd, author = {IppSec}, title = {{Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?}}, date = {2022-07-06}, organization = {YouTube (IppSec)}, url = {https://www.youtube.com/watch?v=a7W6rhkpVSM}, language = {English}, urldate = {2023-03-24} }
Families: Brute Ratel C4

2022-07-05 | Mike Harbison
@online{harbison:20220705:when:7a1f44b, author = {Mike Harbison}, title = {{When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors}}, date = {2022-07-05}, url = {https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/}, language = {English}, urldate = {2022-07-13} }
Families: Brute Ratel C4
Yara Rules
[TLP:WHITE] win_brute_ratel_c4_w0 (20221012 | No description)
rule win_brute_ratel_c4_w0 {
    // Looks for API hashes present in Brute Ratel Badger payloads.
    meta:
        author = "Embee_Research @ Huntress"
        vendor = "Huntress"
        created = "2022/10/12"
        source = "https://raw.githubusercontent.com/embee-research/Yara/main/BruteSyscalls.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4"
        malpedia_rule_date = "20221012"
        malpedia_hash = ""
        malpedia_version = "20221012"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Hashed names of the native API functions the Badger resolves at runtime
        $hash1 = { 89 4d 39 8c } // NtProtectVirtualMemory
        $hash2 = { bd ca 3b d3 } // NtAllocateVirtualMemory
        $hash3 = { b2 c1 06 ae } // NtWaitForSingleObject
        $hash4 = { 74 eb 1d 4d } // NtCreateThreadEx

    condition:
        // 0x5a4d == "MZ" header of a regular PE/DLL
        // 0x00e8 == first bytes of Brute Ratel shellcode
        (2 of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8)
}