Windows Analysis Report
TiNgny4xSB.dll
Overview
General Information
| Field | Value |
|---|---|
| Sample name | TiNgny4xSB.dll (file extension renamed from exe to dll; renamed because the original name is a hash value) |
| Original sample name | 1552c43ecf6eeb5e2fe13cc1c25e6bdacf227222afaa9a523d996b6331945505.exe |
| Analysis ID | 1576561 |
| MD5 | e5ec8b7cf88c66f78d607f76a2095fda |
| SHA1 | fda7752c604ff7673ae31dc45a8f0a9dd0a3a6ac |
| SHA256 | 1552c43ecf6eeb5e2fe13cc1c25e6bdacf227222afaa9a523d996b6331945505 |
| Tags | 94-232-40-41, exe, user-JAMESWT_MHT |
Detection
| Family | Score | Range | Whitelisted | Confidence |
|---|---|---|---|---|
| BruteRatel | 88 | 0 - 100 | false | 100% |
Signatures
System process connects to network (likely due to code injection or exploit)
Yara detected BruteRatel
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sets debug register (to hijack the execution of another thread)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
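The injection-related signatures above (allocates and writes foreign memory, creates a thread in another process, injects code into explorer.exe, and a system process then connects out on a non-standard port) are the behaviours a host-level detection should correlate rather than alert on one by one, which is also why a generic Sigma match is absent from this report. The Python below is an added example, not part of the Joe Sandbox report and not BruteRatel or Joe Security code: it runs that correlation over constructed Sysmon-style records (Event ID 10 ProcessAccess, 8 CreateRemoteThread, 3 NetworkConnect). The field names are Sysmon's, but the records, the explorer.exe PID, the destination address and the ports are made up, and the allow-lists and the "standard port" set are assumptions to tune. The SetThreadContext/debug-register hijack path the report also lists produces no Sysmon event and is not covered here.

```python
# Added example: correlate Sysmon-style telemetry into the injection chain
# described by the report's signatures. Not code from the report or the sample.

PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# Handle rights needed to allocate, write and start a thread in another process.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumptions for this example; tune for a real estate.
STANDARD_PORTS = {53, 80, 443, 445}                 # expected from a system process
LEGIT_REMOTE_THREAD_SOURCES = {"csrss.exe", "svchost.exe"}  # create remote threads normally
SYSTEM_TARGETS = {"explorer.exe"}                   # the injection target in this report

# Constructed Sysmon-style records (GrantedAccess pre-parsed to int). PID 4940 is
# the rundll32.exe host from the report's process tree; PID 3312 for explorer.exe,
# PID 612/5100 and the 203.0.113.0/24 addresses are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceProcessId": 4940, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetProcessId": 3312, "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": 0x1FFFFF, "CallTrace": ""},
    {"EventID": 8, "SourceProcessId": 4940, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetProcessId": 3312, "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00000219A3F40000", "StartModule": "", "StartFunction": ""},
    {"EventID": 3, "ProcessId": 3312, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8443, "Protocol": "tcp"},
    # Benign noise that must not fire: explorer.exe on a web port, and a
    # module-backed remote thread from csrss.exe (normal process teardown).
    {"EventID": 3, "ProcessId": 3312, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443, "Protocol": "tcp"},
    {"EventID": 8, "SourceProcessId": 612, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 5100, "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartAddress": "0x00007FFC1A2B3C40", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlExitUserProcess"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_injection_chain(events):
    """Return findings for the open-handle -> remote-thread -> network chain.

    Events must be in time order. A network connection is only attributed to an
    injector once that process has already obtained write access to, or started a
    thread in, the connecting process.
    """
    findings = []
    injected = {}  # target pid -> pid that wrote into it or started a thread in it
    for ev in events:
        eid = ev["EventID"]
        if eid == 10:
            src, tgt = ev["SourceProcessId"], ev["TargetProcessId"]
            if (src != tgt and basename(ev["TargetImage"]) in SYSTEM_TARGETS
                    and (ev["GrantedAccess"] & INJECT_MASK) == INJECT_MASK):
                injected.setdefault(tgt, src)
                findings.append({"rule": "write_handle_to_system_process", "source": src,
                                 "target": tgt, "access": f"0x{ev['GrantedAccess']:X}"})
        elif eid == 8:
            src, tgt = ev["SourceProcessId"], ev["TargetProcessId"]
            if src == tgt:
                continue
            # A thread whose start address is not backed by any module is the
            # classic sign of a thread started on injected shellcode/PE.
            unbacked = not ev.get("StartModule")
            if basename(ev["SourceImage"]) not in LEGIT_REMOTE_THREAD_SOURCES or unbacked:
                injected.setdefault(tgt, src)
                findings.append({"rule": "remote_thread_unbacked" if unbacked else "remote_thread",
                                 "source": src, "target": tgt, "start": ev["StartAddress"]})
        elif eid == 3 and ev["ProcessId"] in injected:
            if ev["DestinationPort"] not in STANDARD_PORTS:
                findings.append({"rule": "injected_process_nonstandard_port",
                                 "pid": ev["ProcessId"], "injector": injected[ev["ProcessId"]],
                                 "dst": f"{ev['DestinationIp']}:{ev['DestinationPort']}"})
    return findings


if __name__ == "__main__":
    for finding in detect_injection_chain(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints three findings for the constructed input and none for the benign records. The `injected` map is keyed on the target PID, so the later explorer.exe connection is attributed back to the rundll32.exe that wrote into it; in a real pipeline the same map would be keyed on process GUIDs rather than PIDs, which are reused.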
Classification
- System is w10x64
- loaddll64.exe (PID: 2124 cmdline: loaddll64.exe "C:\Users\user\Desktop\TiNgny4xSB.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
  - conhost.exe (PID: 5252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 1284 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    - rundll32.exe (PID: 4940 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 4248 cmdline: rundll32.exe C:\Users\user\Desktop\TiNgny4xSB.dll,DMAddNewDesktop MD5: EF3179D498793BF4234F708D3BE28633)
    - WerFault.exe (PID: 4228 cmdline: C:\Windows\system32\WerFault.exe -u -p 4248 -s 496 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  - rundll32.exe (PID: 2492 cmdline: rundll32.exe C:\Users\user\Desktop\TiNgny4xSB.dll,DMEnumDesktopInfos MD5: EF3179D498793BF4234F708D3BE28633)
    - WerFault.exe (PID: 4092 cmdline: C:\Windows\system32\WerFault.exe -u -p 2492 -s 492 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  - rundll32.exe (PID: 7208 cmdline: rundll32.exe C:\Users\user\Desktop\TiNgny4xSB.dll,DMEnumDesktops MD5: EF3179D498793BF4234F708D3BE28633)
    - WerFault.exe (PID: 7248 cmdline: C:\Windows\system32\WerFault.exe -u -p 7208 -s 488 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  - rundll32.exe (PID: 7336 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",DMAddNewDesktop MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7344 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",DMEnumDesktopInfos MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7360 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",DMEnumDesktops MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7380 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",nviewExecute MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7388 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",nViewUnload MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7396 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",nViewUninstallNotify MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7404 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",nViewLoadHook MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7412 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",nViewCmd MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7420 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",WMSetSettingHWND MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7428 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",WMParseSetting MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7436 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMUpdate MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7444 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMSetStartupProfile MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7452 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMSave MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7460 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMLock MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7468 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMLoadEx MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7476 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMLoadApp MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7488 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMLoad MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7500 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMImport MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7556 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMGetStartupProfile MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7564 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMGetProfileInfoEx MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7572 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMGetProfileInfo MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7580 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMGetProfileDirectory MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7588 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMGetCurrentProfile MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7596 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMFindProfile MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7604 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMEnum MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7612 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMDelete MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7620 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",NViewUserInterfaceSetting MD5: EF3179D498793BF4234F708D3BE28633)
  - rundll32.exe (PID: 7628 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",NViewGlobalSetting MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
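Reading the process tree above by hand is error-prone: the DLL's export names are spread across dozens of rundll32.exe lines, and each crash is recorded only indirectly, through the `-p <pid>` argument of a WerFault.exe child. The script below is an added example, not part of the Joe Sandbox report: it parses lines in the tree's own `image (PID: n cmdline: ... MD5: ...)` layout, links every WerFault.exe back to the rundll32.exe invocation it was spawned for, lists which entry points were attempted and which of them crashed, and checks that every rundll32.exe host in the tree is the same binary. The `TREE` string is an excerpt re-typed from the tree above, not the full tree.

```python
# Added example: triage helper for a sandbox process tree. Not code from the
# report; TREE is a re-typed excerpt of the tree shown above.
import re

TREE = r"""
loaddll64.exe (PID: 2124 cmdline: loaddll64.exe "C:\Users\user\Desktop\TiNgny4xSB.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
conhost.exe (PID: 5252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
cmd.exe (PID: 1284 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
rundll32.exe (PID: 4940 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
rundll32.exe (PID: 4248 cmdline: rundll32.exe C:\Users\user\Desktop\TiNgny4xSB.dll,DMAddNewDesktop MD5: EF3179D498793BF4234F708D3BE28633)
WerFault.exe (PID: 4228 cmdline: C:\Windows\system32\WerFault.exe -u -p 4248 -s 496 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
rundll32.exe (PID: 2492 cmdline: rundll32.exe C:\Users\user\Desktop\TiNgny4xSB.dll,DMEnumDesktopInfos MD5: EF3179D498793BF4234F708D3BE28633)
WerFault.exe (PID: 4092 cmdline: C:\Windows\system32\WerFault.exe -u -p 2492 -s 492 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
rundll32.exe (PID: 7208 cmdline: rundll32.exe C:\Users\user\Desktop\TiNgny4xSB.dll,DMEnumDesktops MD5: EF3179D498793BF4234F708D3BE28633)
WerFault.exe (PID: 7248 cmdline: C:\Windows\system32\WerFault.exe -u -p 7208 -s 488 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
rundll32.exe (PID: 7336 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",DMAddNewDesktop MD5: EF3179D498793BF4234F708D3BE28633)
rundll32.exe (PID: 7344 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",DMEnumDesktopInfos MD5: EF3179D498793BF4234F708D3BE28633)
rundll32.exe (PID: 7380 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",nviewExecute MD5: EF3179D498793BF4234F708D3BE28633)
rundll32.exe (PID: 7628 cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",NViewGlobalSetting MD5: EF3179D498793BF4234F708D3BE28633)
"""

# One process per line: image, PID, command line, MD5 of the image on disk.
PROC_RE = re.compile(
    r'^(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*?) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$')
# rundll32 <dll>,<entry>; the DLL path may or may not be quoted, entry may be an ordinal (#1).
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+)"?,(?P<entry>\S+)', re.IGNORECASE)
# WerFault.exe -p <pid> names the process that faulted.
WERFAULT_RE = re.compile(r'-p\s+(?P<pid>\d+)')


def parse_process_tree(text):
    """Map PID -> record with image, cmdline, md5 and, where applicable, the
    rundll32 entry point or the PID a WerFault instance was started for."""
    procs = {}
    for line in text.strip().splitlines():
        m = PROC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        rec = {"image": m["image"], "cmdline": m["cmd"], "md5": m["md5"].upper(),
               "dll": None, "entry": None, "quoted": None, "crash_of": None}
        image = rec["image"].lower()
        if image == "rundll32.exe":
            r = RUNDLL_RE.search(rec["cmdline"])
            if r:
                rec["dll"], rec["entry"] = r["dll"], r["entry"]
                rec["quoted"] = '"' in rec["cmdline"]
        elif image == "werfault.exe":
            w = WERFAULT_RE.search(rec["cmdline"])
            if w:
                rec["crash_of"] = int(w["pid"])
        procs[int(m["pid"])] = rec
    return procs


def invocations(procs):
    """One row per rundll32 entry-point invocation, flagged if WerFault ran for it."""
    crashed = {r["crash_of"] for r in procs.values() if r["crash_of"] is not None}
    return [{"pid": pid, "entry": r["entry"], "quoted": r["quoted"], "crashed": pid in crashed}
            for pid, r in sorted(procs.items()) if r["entry"] is not None]


def attempted_entries(procs):
    return sorted({row["entry"] for row in invocations(procs)})


def crashed_entries(procs):
    return sorted({row["entry"] for row in invocations(procs) if row["crashed"]})


def distinct_md5(procs, image):
    """All MD5s seen for one image name; more than one means the host binary differed."""
    return {r["md5"] for r in procs.values() if r["image"].lower() == image.lower()}


if __name__ == "__main__":
    procs = parse_process_tree(TREE)
    for row in invocations(procs):
        print(row)
    print("attempted:", attempted_entries(procs))
    print("crashed:", crashed_entries(procs))
    print("rundll32.exe hashes:", distinct_md5(procs, "rundll32.exe"))
```

On the excerpt, the three unquoted invocations (PIDs 4248, 2492 and 7208) are the ones with a WerFault.exe child, while the later quoted runs of the same exports have none; the report's own "One or more processes crash" signature is the same observation. The single MD5 for every rundll32.exe host shows that differences between invocations come from the DLL and its arguments, not from the host binary.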
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Brute Ratel C4, BruteRatel | Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment. This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors. | No Attribution | | |
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_BruteRatel_1 | Yara detected BruteRatel | Joe Security | |
| | JoeSecurity_BruteRatel_1 | Yara detected BruteRatel | Joe Security | |
| | JoeSecurity_BruteRatel_1 | Yara detected BruteRatel | Joe Security | |
| | JoeSecurity_BruteRatel_1 | Yara detected BruteRatel | Joe Security | |
No Sigma rule has matched
No Suricata rule has matched