MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbc1be3c7194a4a179c407326391d4e20f2598120ffb91ae0d1af9697c2eca58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BruteRatel


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dbc1be3c7194a4a179c407326391d4e20f2598120ffb91ae0d1af9697c2eca58
SHA3-384 hash: 6f1db0b4cad0e3df060079a5322389d0c5d71b0fd10eedc31350f30fa32e6da5c2e9679a1231ac5aef522c5ee8dd64b3
SHA1 hash: bad9ecd9c3d24a1a730822fbebddad2c9648f990
MD5 hash: b9e3d614a2764904c1da6f3071470d06
humanhash: leopard-four-johnny-five
File name:bruteratelx64.dll
Download: download sample
Signature BruteRatel
Create hunting rule
File size:247'872 bytes
First seen:2025-04-30 16:39:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00eb539293304c62a55a0a3a9463ce6b (2 x BruteRatel)
ssdeep 3072:dx5adDpkX3BumBr1F8WLBXIZ4mvrr4tUJR699vxcv7IH:v5aVpmBu/6mjro9cv7G
Threatray 98 similar samples on MalwareBazaar
TLSH T155347212F36368EDD97AC1B047AFA233BB31B84D55747E2E5720CB552F10E21A66DB08
TrID 38.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter cedricgmirror2
Tags:BruteRatel exe


Avatar
cedricgmirror2
A modified version that only connects to local IP 192.168.30.46 for test purposes

Intelligence

File Origin
# of uploads :
1
# of downloads :
479
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bruteratelx64.dll
Verdict:
No threats detected
Analysis date:
2025-04-30 16:42:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/486232f2-8114-4991-9500-353225db4fc3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BruteRatel
Create hunting rule
Link:
https://www.capesandbox.com/analysis/5241/
Detection(s):
SecuriteInfo.com.Generic.Brutel.Marte.K.DD67ADD6.29182.7453.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681255a2cc5fb3600cc54a1d
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
masquerade overlay packed
Link:
https://www.filescan.io/uploads/68125266212716475fb17c6e/reports/f5e63165-e4e4-4e46-998b-1c3d3a73b5b1/overview
Verdict:
Malicious
Labled as:
Brutel.Marte.K.Generic
Link:
https://www.hybrid-analysis.com/sample/dbc1be3c7194a4a179c407326391d4e20f2598120ffb91ae0d1af9697c2eca58
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/847df53d-cb16-4686-b788-efb7618870f9
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1678270
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1678270 Sample: bruteratelx64.dll.exe Startdate: 30/04/2025 Architecture: WINDOWS Score: 48 20 Multi AV Scanner detection for submitted file 2->20 8 loaddll64.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 WerFault.exe 27 17 8->12         started        14 conhost.exe 8->14         started        process5 16 rundll32.exe 10->16         started        process6 18 WerFault.exe 40 18 16->18         started       
Score:
87%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dbc1be3c7194a4a179c407326391d4e20f2598120ffb91ae0d1af9697c2eca58
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dbc1be3c7194a4a179c407326391d4e20f2598120ffb91ae0d1af9697c2eca58/
Threat name:
Win64.Trojan.BrutelMarte
Create hunting rule
Status:
Malicious
First seen:
2025-04-30 16:40:12 UTC
File Type:
PE+ (Dll)
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3pa34pdrssskc6oea4zgheou4ihslgasb75zdlqndl4ws7bozjma._file
Verdict:
malicious
Label(s):
bruteratelc4
Create hunting rule
Similar samples:
0f23855e56eb6ec760717be43280eeeeaec1aeef939f9ae6a41daf1b8e3bd306
BruteRatel
a1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727
BruteRatel
a8a494eafd9b63902a549c9d239d1011fe9f636a6822c331d7d6543b35d2f60c
BruteRatel
d8080b4f7a238f28435649f74fdd5679f7f7133ea81d12d9f10b05017b0897b1
BruteRatel
dbc1be3c7194a4a179c407326391d4e20f2598120ffb91ae0d1af9697c2eca58
BruteRatel
error
BruteRatel
f2170f7dc2f97434ef4514ed4272dc8792177038a085f248ba33f9259720afda
BruteRatel
+ 88 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/250430-t6k67scj8t/
Verdict:
Malicious
Tags:
red_team_tool brute_ratel
YARA:
HKTL_EXE_Brute_Ratel_July_09
Link:
https://app.threat.zone/submission/4a0bf111-24b8-4848-a924-8a2ea12d9aed
Unpacked files
SH256 hash:
dbc1be3c7194a4a179c407326391d4e20f2598120ffb91ae0d1af9697c2eca58
MD5 hash:
b9e3d614a2764904c1da6f3071470d06
SHA1 hash:
bad9ecd9c3d24a1a730822fbebddad2c9648f990
Link:
https://www.unpac.me/results/287a80ff-0704-4111-87f0-c31be5e49364/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dbc1be3c7194a4a179c407326391d4e20f2598120ffb91ae0d1af9697c2eca58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BruteRatel
Create hunting rule
Author:kevoreilly
Description:BruteRatel Payload
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_BruteRatel_5b12cbab
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://cedricg-mirror.github.io/2025/04/30/BruteRatelTestFrameWork.html
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/5241/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::FreeConsole

Comments