Windows
Analysis Report
TiNgny4xSB.dll
Overview
General Information
Field | Value |
---|---|
Sample name: | TiNgny4xSB.dll (renamed because the original name is a hash value) |
Original sample name: | 1552c43ecf6eeb5e2fe13cc1c25e6bdacf227222afaa9a523d996b6331945505.exe |
Analysis ID: | 1576561 |
MD5: | e5ec8b7cf88c66f78d607f76a2095fda |
SHA1: | fda7752c604ff7673ae31dc45a8f0a9dd0a3a6ac |
SHA256: | 1552c43ecf6eeb5e2fe13cc1c25e6bdacf227222afaa9a523d996b6331945505 |
Tags: | 94-232-40-41, exe, user-JAMESWT_MHT |
Detection
Field | Value |
---|---|
Detection: | BruteRatel |
Score: | 92 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
- System process connects to network (likely due to code injection or exploit)
- Yara detected BruteRatel
- AI detected suspicious sample
- Allocates memory in foreign processes
- Contains functionality to compare user and computer (likely to detect sandboxes)
- Creates a thread in another existing process (thread injection)
- Injects a PE file into a foreign process
- Injects code into the Windows Explorer (explorer.exe)
- Modifies the context of a thread in another process (thread injection)
- Sets debug register (to hijack the execution of another thread)
- Writes to foreign memory regions
- AV process strings found (often used to terminate AV products)
- Checks if the current process is being debugged
- Contains functionality to check if a debugger is running (IsDebuggerPresent)
- Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
- Contains functionality to check if a window is minimized (may be used to check if an application is visible)
- Contains functionality to dynamically determine API calls
- Contains functionality to launch a process as a different user
- Contains functionality to query locale information (e.g. system language)
- Contains functionality to retrieve information about pressed keystrokes
- Contains functionality which may be used to detect a debugger (GetProcessHeap)
- Creates a process in suspended mode (likely to inject code)
- Detected TCP or UDP traffic on non-standard ports
- Detected potential crypto function
- Extensive use of GetProcAddress (often used to hide API calls)
- Found large amount of non-executed APIs
- Found potential string decryption / allocating functions
- Internet Provider seen in connection with other malware
- One or more processes crash
- PE file contains an invalid checksum
- PE file contains sections with non-standard names
- Sample execution stops while process was sleeping (likely an evasion)
- Sample file is different than original file name gathered from version info
- Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- loaddll64.exe (PID: 3128, cmdline: loaddll64.exe "C:\Users\user\Desktop\TiNgny4xSB.dll", MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
- conhost.exe (PID: 3224, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 6112, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",#1, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- rundll32.exe (PID: 2576, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",#1, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 2836, cmdline: rundll32.exe C:\Users\user\Desktop\TiNgny4xSB.dll,DMAddNewDesktop, MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 7148, cmdline: C:\Windows\system32\WerFault.exe -u -p 2836 -s 464, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- rundll32.exe (PID: 6408, cmdline: rundll32.exe C:\Users\user\Desktop\TiNgny4xSB.dll,DMEnumDesktopInfos, MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 5512, cmdline: C:\Windows\system32\WerFault.exe -u -p 6408 -s 488, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- rundll32.exe (PID: 4768, cmdline: rundll32.exe C:\Users\user\Desktop\TiNgny4xSB.dll,DMEnumDesktops, MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 2820, cmdline: C:\Windows\system32\WerFault.exe -u -p 4768 -s 488, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- rundll32.exe (PID: 3148, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",DMAddNewDesktop, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 4500, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",DMEnumDesktopInfos, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 5820, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",DMEnumDesktops, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 1988, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",nviewExecute, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 2448, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",nViewUnload, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 4400, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",nViewUninstallNotify, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 5240, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",nViewLoadHook, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 6496, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",nViewCmd, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 1276, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",WMSetSettingHWND, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 2020, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",WMParseSetting, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 5632, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMUpdate, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 6204, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMSetStartupProfile, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 6592, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMSave, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7176, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMLock, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7184, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMLoadEx, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7192, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMLoadApp, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7200, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMLoad, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7208, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMImport, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7216, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMGetStartupProfile, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7224, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMGetProfileInfoEx, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7236, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMGetProfileInfo, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7244, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMGetProfileDirectory, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7252, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMGetCurrentProfile, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7264, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMFindProfile, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7276, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMEnum, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7292, cmdline: rundll32.exe "C:\Users\user\Desktop\TiNgny4xSB.dll",PMDelete, MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Brute Ratel C4, BruteRatel | Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment. This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors. | No Attribution | | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_BruteRatel_1 | Yara detected BruteRatel | Joe Security | |
No Sigma rule has matched
No Suricata rule has matched
AV Detection |
---|
Source: Integrated Neural Analysis Model: |
Source: Static PE information: |
Source: Binary string: |