MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83859acdf4ac22927fa88f715666653807501db6f1865a3657599b4c5d130bb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BruteRatel


Vendor detections: 12


Intelligence 12 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83859acdf4ac22927fa88f715666653807501db6f1865a3657599b4c5d130bb2
SHA3-384 hash: 1a54a8a733ee5229b2cc3599c738b2a4036f67c7b7c6e44a3227a56cacb393be28290dfb3b776a536238dc44f1541cf0
SHA1 hash: 644e5adb482709f313796f3ab16f247f0bce1c9c
MD5 hash: ae544fbeea5fa73ded6f7560afd44790
humanhash: river-fillet-uniform-cup
File name:83859acdf4ac22927fa88f715666653807501db6f1865a3657599b4c5d130bb2
Download: download sample
Signature BruteRatel
Create hunting rule
File size:3'076'480 bytes
First seen:2025-03-14 15:16:26 UTC
Last seen:2025-03-19 07:09:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f8cd988b4e0d4921a3fb35b40a7552ea (2 x BruteRatel)
ssdeep 49152:BGIdGbhz/MPFF/6R6MkFjfnm4pzW3GhvRBDsVYArO/0/zoIIdxuS2zPNTQmh5bkp:BlZJqrbzoIIyS5mh5bkOEk1q
TLSH T15CE58D2B66F840B6CCAAE174C5178B4BD7F278411A74C38F4161479F9FBB3620D6A326
TrID 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.EXE) OS/2 Executable (generic) (2029/13)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 79756cecb29999b9 (734 x Heodo, 20 x Nitol, 20 x ManusCrypt)
Reporter JAMESWT_WT
Tags:BruteRatel exe horetimodual-com LLC LOFT signed

Code Signing Certificate

Organisation:LLC LOFT
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2024-06-06T06:09:53Z
Valid to:2025-06-07T06:09:53Z
Serial number: 36d6440198edac10747598cd
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 2843ca743a722a0666059e4e30612bb027a4a2d0fb2d9cf806652f278ba708fa
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
501
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
83859acdf4ac22927fa88f715666653807501db6f1865a3657599b4c5d130bb2.exe
Verdict:
No threats detected
Analysis date:
2025-03-14 15:24:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/96b7cd98-7f77-4036-843e-105360d0e6a2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d4692a08116ce42571303c
Tags:
ransomware shellcode emotet virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context explorer fingerprint keylogger lolbin microsoft_visual_cc packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/67d4488101edd28374aff0b6/reports/385b23e7-f2f1-4f11-8168-a88aa3e074a7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/83859acdf4ac22927fa88f715666653807501db6f1865a3657599b4c5d130bb2
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BruteRatelC4
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/020078ff-c0a6-4c34-922c-cc0984834bf0
Result
Threat name:
BruteRatel
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1638706
Signature
Allocates memory in foreign processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sets debug register (to hijack the execution of another thread)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected BruteRatel
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1638706 Sample: NRFdnNy9hS.exe Startdate: 14/03/2025 Architecture: WINDOWS Score: 100 24 domskufidona.com 2->24 26 dimidroli.com 2->26 32 Suricata IDS alerts for network traffic 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 2 other signatures 2->38 8 loaddll64.exe 13 2->8         started        signatures3 process4 signatures5 48 Contains functionality to inject threads in other processes 8->48 50 Injects code into the Windows Explorer (explorer.exe) 8->50 52 Sets debug register (to hijack the execution of another thread) 8->52 54 6 other signatures 8->54 11 rundll32.exe 12 8->11         started        15 rundll32.exe 8->15         started        17 cmd.exe 1 8->17         started        19 31 other processes 8->19 process6 dnsIp7 28 domskufidona.com 108.181.182.132, 3355, 49730, 49731 ASN852CA Canada 11->28 56 Contains functionality to inject threads in other processes 11->56 58 Injects code into the Windows Explorer (explorer.exe) 11->58 60 Writes to foreign memory regions 11->60 62 System process connects to network (likely due to code injection or exploit) 15->62 64 Allocates memory in foreign processes 15->64 66 Modifies the context of a thread in another process (thread injection) 15->66 21 rundll32.exe 12 17->21         started        30 dimidroli.com 194.76.227.108, 3355, 49732, 49737 SERVINGADE Germany 19->30 68 Creates a thread in another existing process (thread injection) 19->68 70 Injects a PE file into a foreign processes 19->70 signatures8 process9 signatures10 40 Injects code into the Windows Explorer (explorer.exe) 21->40 42 Writes to foreign memory regions 21->42 44 Allocates memory in foreign processes 21->44 46 3 other signatures 21->46
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/83859acdf4ac22927fa88f715666653807501db6f1865a3657599b4c5d130bb2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/83859acdf4ac22927fa88f715666653807501db6f1865a3657599b4c5d130bb2/
Threat name:
Win32.Ransomware.Generic
Create hunting rule
Status:
Malicious
First seen:
2025-03-14 09:02:05 UTC
File Type:
PE+ (Dll)
Extracted files:
74
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qoczvtpuvqrje75ir5yvmztfhadvahnw6gdfunsxlgnuyxitboza._file
Verdict:
malicious
Label(s):
bruteratelc4
Create hunting rule
Similar samples:
error
BruteRatel
Result
Malware family:
latrodectus
Create hunting rule
Score:
  10/10
Tags:
family:bruteratel family:latrodectus backdoor loader
Link:
https://tria.ge/reports/250314-sn34mattbv/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Brute Ratel C4
Bruteratel family
Detect BruteRatel badger
Detects Latrodectus
Latrodectus family
Latrodectus loader
Malware Config
C2 Extraction:
https://horetimodual.com/test/
https://forefilarem.com/test/
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d8ab0832-f550-48ad-8d6a-44beb8319515
Unpacked files
SH256 hash:
83859acdf4ac22927fa88f715666653807501db6f1865a3657599b4c5d130bb2
MD5 hash:
ae544fbeea5fa73ded6f7560afd44790
SHA1 hash:
644e5adb482709f313796f3ab16f247f0bce1c9c
Link:
https://www.unpac.me/results/d3326ca8-868a-4576-8cb0-db95f89b71d6/
Malware family:
BruteRatel
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/83859acdf4ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/83859acdf4ac22927fa88f715666653807501db6f1865a3657599b4c5d130bb2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BruteRatel
Create hunting rule
Author:kevoreilly
Description:BruteRatel Payload
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_BruteRatel_4110d879
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_BruteRatel_5b12cbab
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_BruteRatel_644ac114
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoFreeUnusedLibraries
ole32.dll::CreateStreamOnHGlobal
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipDeleteGraphics
gdiplus.dll::GdipAlloc
gdiplus.dll::GdipCreateFromHDC
MULTIMEDIA_APICan Play MultimediaWINMM.dll::PlaySoundW
GDI32.dll::StretchDIBits
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetVolumeInformationW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
SHLWAPI.dll::PathRemoveFileSpecW
KERNEL32.dll::GetWindowsDirectoryW
KERNEL32.dll::GetSystemDirectoryW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::CreateMenu
ole32.dll::OleCreateMenuDescriptor
USER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW

Comments